From: Steve Grubb <sgrubb@redhat.com>
To: lists_todd@mac.com
Cc: linux-audit@redhat.com
Subject: Re: saddr value in connect()
Date: Thu, 15 May 2014 12:55:22 -0400
Message-ID: <20140515125522.227bac20@ivy-bridge>
In-Reply-To: <CDAB7C7E-A117-4AB1-8E10-A4725801A6C6@mac.com>
On Thu, 15 May 2014 09:20:47 -0700
lists_todd@mac.com wrote:
> > Out of curiosity, why don't you use auparse to write your BSM
> > reformatter?
>
> (1) I hadn’t run across the code repository until after you had
> mentioned it (I’ve only been actively looking at Linux auditing for a
> few weeks), and (2) I am still very much in the learning phase,
> trying to figure out what is in the data, what type of configuration
> I would like, etc.
>
>
> I will take a look at auparse soon. I am particularly interested in
> performance. My first parsing effort is *way* too slow. I use C++
> regex a lot, and that seems to be a problem.
In general, I wouldn't think you need to use regex all the time. Auparse
organizes things into events, records, fields, and accessor functions at
each level. It's really easy to walk through events in a couple lines of
code and ask for translations without having to figure out how to
decode or where it comes from. Auparse will also add metadata in the
near future so that you can see how each field belongs to time,
location, subject, object, action, or result.
> If anyone is interested in seeing Linux audit data (along with BSM)
> on a Mac, I posted a blog entry along with a little video:
>
> Analyzing Linux Audit Data
> http://www.toddheberlein.com/blog/2014/5/13/analyzing-linux-audit-data
>
> > We will likely be needing to make changes soon and it would
> > insulate you from those kinds of issues.
>
> Can I ask what type of changes and what is motivating the changes?
Typically evolving Common Criteria requirements or other security
needs. The main point is really that you can whip together a translator
in an afternoon without having to be concerned with the lowest level
details.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
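The event/record/field model Steve describes above (walk events, pick records by type, ask for an interpreted value of a field, no regex) can be illustrated without auparse itself. The following is an added example written for this page, not code from Steve, Todd, or the audit-userspace project, and it is not the auparse API: it is a small hand-written Python model of the same three-level structure run over a constructed four-line audit log (two connect() events, each a SYSCALL plus a SOCKADDR record). It assumes x86_64 audit records (so syscall 42 is connect and sa_family is little-endian) and carries only a tiny subset of the translation tables a real interpreter would have.

```python
import struct
from dataclasses import dataclass, field

# Constructed sample log (not captured data). An audit event is every record
# that shares one msg=audit(timestamp:serial) header.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1400169647.123:4521): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff0a1b2c30 a2=10 a3=0 items=0 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SOCKADDR msg=audit(1400169647.123:4521): saddr=02000050C0A800010000000000000000
type=SYSCALL msg=audit(1400169650.001:4522): arch=c000003e syscall=42 success=no exit=-111 a0=4 a1=7fff0a1b2c30 a2=10 a3=0 items=0 ppid=1 pid=1300 auid=1000 uid=1000 gid=1000 comm="nc" exe="/usr/bin/nc" key="net"
type=SOCKADDR msg=audit(1400169650.001:4522): saddr=020023280A0000020000000000000000
"""

# Deliberately small translation tables (assumed x86_64; a real tool has full ones).
SYSCALL_X86_64 = {41: "socket", 42: "connect", 43: "accept"}
ARCH = {"c000003e": "x86_64"}


@dataclass
class Record:
    rtype: str
    fields: dict          # field name -> raw value, in log order


@dataclass
class Event:
    time: str
    serial: int
    records: list = field(default_factory=list)


def tokenize(line):
    """Split a raw audit line on spaces while keeping quoted values intact."""
    tokens, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == " " and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_events(text):
    """Group raw records into events keyed on the audit(time:serial) header."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields, hdr = {}, None
        for tok in tokenize(line):
            name, _, value = tok.partition("=")
            if name == "msg" and value.startswith("audit("):
                hdr = value[len("audit("):].rstrip("):")   # "time:serial"
                continue
            fields[name] = value
        time, serial = hdr.split(":")
        ev = events.setdefault((time, serial), Event(time, int(serial)))
        ev.records.append(Record(fields["type"], fields))
    return list(events.values())


def interpret_saddr(hexstr):
    """Decode a SOCKADDR saddr field: hex bytes of struct sockaddr (AF_INET shown)."""
    data = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", data, 0)[0]          # sa_family, host order (assumed LE)
    if family == 2 and len(data) >= 8:                      # AF_INET -> struct sockaddr_in
        port = struct.unpack_from("!H", data, 2)[0]         # sin_port is network order
        addr = ".".join(str(b) for b in data[4:8])
        return f"inet host:{addr} serv:{port}"
    return f"family:{family}"


def interpret(name, raw):
    """Field-level accessor: return a human-readable value for a raw field."""
    if name == "saddr":
        return interpret_saddr(raw)
    if name == "syscall":
        return SYSCALL_X86_64.get(int(raw), raw)
    if name == "arch":
        return ARCH.get(raw, raw)
    return raw.strip('"')


def connect_summary(text):
    """Walk events -> records -> fields and summarise every connect() call."""
    out = []
    for ev in parse_events(text):
        sc = next((r for r in ev.records if r.rtype == "SYSCALL"), None)
        sa = next((r for r in ev.records if r.rtype == "SOCKADDR"), None)
        if sc is None or interpret("syscall", sc.fields["syscall"]) != "connect":
            continue
        out.append({
            "serial": ev.serial,
            "exe": interpret("exe", sc.fields["exe"]),
            "success": sc.fields["success"],
            "dest": interpret("saddr", sa.fields["saddr"]) if sa else None,
        })
    return out


if __name__ == "__main__":
    for row in connect_summary(SAMPLE_LOG):
        print(row)
```

The point of the structure is that the consumer never touches the wire format: it asks an event for its SYSCALL and SOCKADDR records and asks each field for a translated value, which is the same shape of code auparse lets you write against real logs, and it is where a BSM reformatter would plug in its own output instead of the dict built here.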