public inbox for linux-audit@redhat.com
* Events per System Call
@ 2010-08-16 21:38 Basim Baig
  2010-08-17  0:46 ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Basim Baig @ 2010-08-16 21:38 UTC (permalink / raw)
  To: Linux-audit



Hello,

I am currently doing a project based on the Linux audit framework and I am
using it to audit selected system calls. I have written my own parser for
it. What I need to know is how many events are generated per system call so
I know when it has finished. I have run a few test cases regarding this but
I am not sure if I have covered every possible situation. Is the number of
events generated per system call always the same, or can it change from
place to place? I'll illustrate what I am saying.

For example, when an OPEN system call happens, three events are generated by
the audit framework, i.e. SYSCALL, CWD and PATH events. These three together
define the open system call. I am trying to get the same profile for the
following calls:
(I am adding the profiles I have already tested for)


open = sys.cwd.path
execv = sys.execve.cwd.path.path
clone
vfork = clone+execve
fork = clone+execve
connect
accept

close

read = sys
readv
write = sys
writev

rename = sys.cwd.path.path.path.path.path

mknod = sys.cwd.path
truncate = open+read+write
ftruncate = open+read+write

link

unlink

symlink

pipe = sys.fd_pair
dup
dup2

It would be really helpful to know if the number of events generated per
system call changes or stays the same. And is there any documentation
on what events are generated, or do I have to run small test cases for all
the aforementioned system calls?

Thanks,
Basim


* Re: Events per System Call
  2010-08-16 21:38 Events per System Call Basim Baig
@ 2010-08-17  0:46 ` Steve Grubb
  2010-08-17  0:49   ` Basim Baig
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2010-08-17  0:46 UTC (permalink / raw)
  To: linux-audit

On Monday, August 16, 2010 05:38:52 pm Basim Baig wrote:
> It would be really helpful to know if the number of events generated per
> system call change or do they stay the same.

As your data suggests, there can be several different records per event 
depending on what it's trying to tell you. They all end with an AUDIT_EOE 
record. Auditd strips this off to save disk space, but live events have it.

-Steve

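The two facts in this reply decide how an event parser has to be written: the records of one syscall event share the same audit(timestamp:serial) key, the number of records is not fixed per syscall, and the kernel's EOE record is what marks the end, but it is present only in the live stream, not in audit.log. The following is an added example (not code from the thread or from the audit project) of an event assembler that uses EOE when it is there and, for EOE-less input, closes an event when a higher serial begins. The sample records are constructed by hand, use x86_64 syscall numbers (open=2, rename=82, read=0), and the "close on higher serial" rule is my own simplification; auparse ages unfinished events out by time instead, which also copes with interleaved records.

```python
import re

# Every record, whatever its type, starts with the event key audit(ts:serial).
# The serial is what ties the SYSCALL, CWD, PATH ... records of one syscall together.
_HDR = re.compile(r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):')


class EventAssembler:
    """Groups audit records into events and reports when each one is complete.

    Two completion rules are implemented:
      * live stream (audispd plugin): the EOE record closes the event;
      * on-disk audit.log: auditd strips EOE, so an event is closed when a
        record with a higher serial starts, or on flush() at end of input.
    """

    def __init__(self):
        self._open = {}      # serial -> {'ts': str, 'records': [(type, line)]}
        self.complete = []   # finished events, in completion order

    def feed(self, line):
        """Feed one record line; return the list of events it completed."""
        m = _HDR.match(line.strip())
        if not m:
            raise ValueError("not an audit record: %r" % line)
        rtype, ts, serial = m.group('type'), m.group('ts'), int(m.group('serial'))
        closed = []
        if rtype == 'EOE':
            ev = self._open.pop(serial, None)
            if ev is not None:
                closed.append(self._finish(serial, ev))
            return closed
        if serial not in self._open:
            # Heuristic for EOE-less input (assumption, not the kernel's contract):
            # serials increase monotonically, so a new serial means lower serials
            # still open will get no more records.
            for old in sorted(s for s in self._open if s < serial):
                closed.append(self._finish(old, self._open.pop(old)))
            self._open[serial] = {'ts': ts, 'records': []}
        self._open[serial]['records'].append((rtype, line.strip()))
        return closed

    def flush(self):
        """End of input: close everything still open (no EOE will arrive)."""
        return [self._finish(s, self._open.pop(s)) for s in sorted(self._open)]

    def _finish(self, serial, ev):
        types = [t for t, _ in ev['records']]
        syscall = None
        for t, rec in ev['records']:
            if t == 'SYSCALL':
                m = re.search(r'\bsyscall=(\d+)', rec)
                syscall = int(m.group(1)) if m else None
        out = {'serial': serial, 'ts': ev['ts'], 'syscall': syscall,
               'profile': '.'.join(types), 'records': ev['records']}
        self.complete.append(out)
        return out


def profile_stream(lines):
    """Assemble a whole stream; return {serial: 'TYPE.TYPE...'} per event."""
    a = EventAssembler()
    for line in lines:
        a.feed(line)
    a.flush()
    return {e['serial']: e['profile'] for e in a.complete}


# Constructed sample records in the string format a plugin receives; not
# captured from a real system. Serial 201: open, 202: rename, 203: read.
LIVE = [
    'type=SYSCALL msg=audit(1282000000.100:201): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=0 a2=1b6 a3=0 items=1 pid=1234 comm="cat" exe="/bin/cat" key="basim"',
    'type=CWD msg=audit(1282000000.100:201):  cwd="/home/basim"',
    'type=PATH msg=audit(1282000000.100:201): item=0 name="/etc/hosts" inode=1 dev=08:01 mode=0100644',
    'type=EOE msg=audit(1282000000.100:201): ',
    'type=SYSCALL msg=audit(1282000000.200:202): arch=c000003e syscall=82 success=yes exit=0 a0=7fff1111 a1=7fff2222 a2=0 a3=0 items=4 pid=1235 comm="mv" exe="/bin/mv" key="basim"',
    'type=CWD msg=audit(1282000000.200:202):  cwd="/home/basim"',
    'type=PATH msg=audit(1282000000.200:202): item=0 name="/home/basim/" inode=10 dev=08:01 mode=040755',
    'type=PATH msg=audit(1282000000.200:202): item=1 name="/home/basim/" inode=10 dev=08:01 mode=040755',
    'type=PATH msg=audit(1282000000.200:202): item=2 name="old.txt" inode=11 dev=08:01 mode=0100644',
    'type=PATH msg=audit(1282000000.200:202): item=3 name="new.txt" inode=11 dev=08:01 mode=0100644',
    'type=EOE msg=audit(1282000000.200:202): ',
    'type=SYSCALL msg=audit(1282000000.300:203): arch=c000003e syscall=0 success=yes exit=4096 a0=3 a1=7fff3333 a2=1000 a3=0 items=0 pid=1234 comm="cat" exe="/bin/cat" key="basim"',
    'type=EOE msg=audit(1282000000.300:203): ',
]

# What auditd writes to audit.log: the same records with EOE stripped.
ONDISK = [r for r in LIVE if not r.startswith('type=EOE')]

if __name__ == '__main__':
    for serial, prof in profile_stream(LIVE).items():
        print(serial, prof)
```

Feeding the live stream and the EOE-stripped copy yields the same profiles (SYSCALL.CWD.PATH for open, SYSCALL plus four PATH records for rename, SYSCALL alone for read), but only the live stream lets the assembler close each event on the record that actually ends it; with the on-disk input the open event is not reported until the first rename record arrives, and the last event is only closed by flush(). Lines read from the af_unix plugin socket in string format can be passed to feed() unchanged.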

* Re: Events per System Call
  2010-08-17  0:46 ` Steve Grubb
@ 2010-08-17  0:49   ` Basim Baig
  2010-08-17  1:13     ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Basim Baig @ 2010-08-17  0:49 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hi Steve,
Just to confirm this:
If I am taking my data stream through the af_unix socket built-in plugin,
will I get the audit_eoe event? Do I have to set up some special rule to
get this event, or is it there by default in the af_unix plugin stream?
Thanks for the prompt reply.
Basim

On Mon, Aug 16, 2010 at 5:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Monday, August 16, 2010 05:38:52 pm Basim Baig wrote:
> > It would be really helpful to know if the number of events generated per
> > system call change or do they stay the same.
>
> As your data suggests, there can be several different records per event
> depending on what its trying to tell you. They all end with an AUDIT_EOE
> record. Auditd strips this off to save disk space, but live events have it.
>
> -Steve
>


* Re: Events per System Call
  2010-08-17  0:49   ` Basim Baig
@ 2010-08-17  1:13     ` Steve Grubb
  2010-08-17  1:18       ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2010-08-17  1:13 UTC (permalink / raw)
  To: Basim Baig; +Cc: linux-audit

On Monday, August 16, 2010 08:49:48 pm Basim Baig wrote:
> If i am taking my data stream through the af_unix socket built-in plugin
> then will i get the audit_eoe event?

For an audispd plugin, you would need to set the format parameter to binary.
See the sample conf file:

https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.conf

or the audisp man page for discussion on each parameter's values.


> Do i have to setup some special rule to get this event or is it there by default
> in the af_unix plugin stream?

The default is to turn things into strings so that they can be used by the
auparse library. But the binary setting means you are willing to follow all
the rules and do it yourself however painful that may be. :)  I think they
are here:

http://people.redhat.com/sgrubb/audit/audit-rt-events.txt

You can probably use the same code as this:

https://fedorahosted.org/audit/browser/trunk/contrib/skeleton.c

to write your plugin.

-Steve


* Re: Events per System Call
  2010-08-17  1:13     ` Steve Grubb
@ 2010-08-17  1:18       ` Steve Grubb
  2010-08-17  2:56         ` Basim Baig
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2010-08-17  1:18 UTC (permalink / raw)
  To: linux-audit

On Monday, August 16, 2010 09:13:54 pm Steve Grubb wrote:
> > If i am taking my data stream through the af_unix socket built-in plugin
> > then will i get the audit_eoe event?
> 
> For an audispd plugin, you would need to set the format parameter to
> binary.

Actually, looking at the auparse library code, it looks like the EOE event 
comes through in the string format, too.

-Steve


* Re: Events per System Call
  2010-08-17  1:18       ` Steve Grubb
@ 2010-08-17  2:56         ` Basim Baig
  0 siblings, 0 replies; 6+ messages in thread
From: Basim Baig @ 2010-08-17  2:56 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Thank you so much. I have done the painful work for the parser already :)
But I was trying to handle the parser like a state machine where I did not
know how events ended. With this in place it is complete!
Thanks!
Basim

On Tue, Aug 17, 2010 at 6:18 AM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Monday, August 16, 2010 09:13:54 pm Steve Grubb wrote:
> > > If i am taking my data stream through the af_unix socket built-in plugin
> > > then will i get the audit_eoe event?
> >
> > For an audispd plugin, you would need to set the format parameter to
> > binary.
>
> Actually, looking at the auparse library code, it looks like the EOE event
> comes through in the string format, too.
>
> -Steve
>

