* audit_ftype_to_name?
From: Stephen Quinney @ 2013-10-18 11:47 UTC
To: linux-audit

I am wanting to use the audit_ftype_to_name function which is provided
in the audit python module. It seems that this always returns None
which is not particularly useful.

I can see that the function is implemented in lib/lookup_table.c and it
only does something when the NO_TABLES cpp macro is not defined. In
src/mt/Makefile.am that is defined (with -DNO_TABLES in AM_CFLAGS), I
assume that is deliberate?

I can't see any definition of the ftype_i2s function which is called
by audit_ftype_to_name so maybe this hasn't been implemented yet?

Thanks,

Stephen

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
* Re: audit_ftype_to_name?
From: Steve Grubb @ 2013-10-22 17:59 UTC
To: linux-audit

On Friday, October 18, 2013 12:47:23 PM Stephen Quinney wrote:
> I am wanting to use the audit_ftype_to_name function which is provided
> in the audit python module. It seems that this always returns None
> which is not particularly useful.

It shouldn't return that except when there is no match.

> I can see that the function is implemented in lib/lookup_table.c and it only
> does something when the NO_TABLES cpp macro is not defined.

Correct.

> In src/mt/Makefile.am that is defined (with -DNO_TABLES in AM_CFLAGS), I assume
> that is deliberate?

Yes. That location is a private copy recompiled for pthreads use and linked
only to auditd. Auditd has no use for those tables so they are thrown away.

> I can't see any definition of the ftype_i2s function which is called
> by audit_ftype_to_name so maybe this hasn't been implemented yet?

Yes, it has been. However, it's over in lib/libaudit. It seems to work fine
on my system:

#!/usr/bin/env python
import sys
import audit

# 0140000 (octal) is S_IFSOCK, the file-type bits for a socket from <sys/stat.h>
name = audit.audit_ftype_to_name(0140000)
print '%s\n' % (name,),
sys.exit(0)

$ ./test.py
socket
* 12/31/1969
From: David Flatley @ 2013-10-22 18:59 UTC
To: Steve Grubb; +Cc: linux-audit, linux-audit-bounces

We run aureport -i on our rotated audit logs, rotation runs at 4 am.
It works great on most systems but we have two servers that have an end
date of 12/31/1969.
Checked the date and resync'ed with NTP server and tried -t but still get
the weird date. Thoughts?

David Flatley

"To err is human. To really screw up requires the root password." -UNKNOWN
* Re: 12/31/1969
From: Alexander Viro @ 2013-10-22 20:48 UTC
To: David Flatley; +Cc: linux-audit-bounces, linux-audit

On Tue, Oct 22, 2013 at 02:59:06PM -0400, David Flatley wrote:
> We run aureport -i on our rotated audit logs, rotation runs at 4 am.
> It works great on most systems but we have two servers that have an end
> date of 12/31/1969.
> Checked the date and resync'ed with NTP server and tried -t but still get
> the weird date. Thoughts?

Midnight UTC 1/1/1970, viewed in a timezone to the west of Greenwich...
* Re: audit_ftype_to_name?
From: Stephen Quinney @ 2013-10-22 20:58 UTC
To: Steve Grubb; +Cc: linux-audit

On Tue, Oct 22, 2013 at 01:59:32PM -0400, Steve Grubb wrote:
> On Friday, October 18, 2013 12:47:23 PM Stephen Quinney wrote:
>
> > I can't see any definition of the ftype_i2s function which is called
> > by audit_ftype_to_name so maybe this hasn't been implemented yet?
>
> Yes, it has been. However, it's over in lib/libaudit.

I suspect I'm a little confused here, is libaudit provided separately
from the main audit code?

% tar zxf Downloads/audit-2.3.2.tar.gz
% grep -ri ftype_i2s audit-2.3.2/
audit-2.3.2/lib/lookup_table.c:	return ftype_i2s(ftype);

So, I don't see the function definition, just the call.

> It seems to work fine on my system:
>
> #!/usr/bin/env python
> import sys
> import audit
>
> name = audit.audit_ftype_to_name(0140000)
> print '%s\n' % (name,),
> sys.exit(0)

So, I was trying to use it to translate the value returned by the
get_field_type function in auparse, should that work?

Stephen

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
* Re: audit_ftype_to_name?
From: Steve Grubb @ 2013-10-22 21:26 UTC
To: Stephen Quinney; +Cc: linux-audit

On Tuesday, October 22, 2013 09:58:05 PM Stephen Quinney wrote:
> On Tue, Oct 22, 2013 at 01:59:32PM -0400, Steve Grubb wrote:
> > On Friday, October 18, 2013 12:47:23 PM Stephen Quinney wrote:
> > > I can't see any definition of the ftype_i2s function which is called
> > > by audit_ftype_to_name so maybe this hasn't been implemented yet?
> >
> > Yes, it has been. However, it's over in lib/libaudit.
>
> I suspect I'm a little confused here, is libaudit provided separately
> from the main audit code?

No, it's all there.

> % tar zxf Downloads/audit-2.3.2.tar.gz
> % grep -ri ftype_i2s audit-2.3.2/
> audit-2.3.2/lib/lookup_table.c:	return ftype_i2s(ftype);
>
> So, I don't see the function definition, just the call.

The lookup tables are performance critical. So, what happens is at compile
time a program builds a b-tree and functions to access them based on the
current name/value entries. It would be hard to maintain by hand. So, you'd
need to compile the code to see the definition.

> > It seems to work fine on my system:
> >
> > #!/usr/bin/env python
> > import sys
> > import audit
> >
> > name = audit.audit_ftype_to_name(0140000)
> > print '%s\n' % (name,),
> > sys.exit(0)
>
> So, I was trying to use it to translate the value returned by the
> get_field_type function in auparse, should that work?

The field type is sort of an internal classification scheme. It is available
to help decide if you want the raw text or interpreted representation of the
field. For example, you may be processing text and checking for the type to
be AUPARSE_TYPE_ESCAPED in which case you need to call
auparse_interpret_field rather than use the raw text. This is the whole
purpose for allowing internal state information out of the parser.

The audit_ftype_to_name() function is also sort of an internal function not
meant for outside callers. What it does is look up the _file_ type. Not
exactly what you are looking for. There is no lookup table to go from the
numeric internal representation to a text value of the internal
representation. It's always been considered internal state that no one
should be using beyond needing to know when they must ask for an
interpretation of an encoded field.

-Steve
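The two points Steve makes above, that "escaped" fields need interpreting before you can read them and that audit_ftype_to_name() is a file-type lookup driven by mode bits rather than by auparse's field types, can be shown without libaudit at all. The following is an added example, not code from the audit project or from anyone in this thread. It re-implements, in plain Python, the decoding that auparse_interpret_field() performs for fields of escaped type (the kernel emits such strings double-quoted when they are safe and as bare uppercase hex when they contain spaces, quotes or control bytes), and a mode-bits classifier in the spirit of audit_ftype_to_name(). The ESCAPED_FIELDS set and the audit records are constructed for this example; the type names other than "socket" follow the audit ftype table as I recall it and are an assumption, since the thread only confirms "socket".

```python
"""Interpret hex-escaped audit fields and classify PATH mode bits.

Added example, not auparse/libaudit code.  Sample records are constructed.
"""
import binascii
import re
import stat

# Fields the kernel writes as "escaped" strings (quoted when safe, bare hex
# otherwise).  Assumption for this example; auparse keeps its own list.
ESCAPED_FIELDS = {"name", "cwd", "exe", "comm", "proctitle"}

# key=value tokens; quoted values may contain spaces (e.g. msg='...' in USER_*
# records), so try the quoted forms before the bare-token form.
_FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
# The kernel's hex escaping is uppercase, two digits per byte, no prefix.
_HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")

# Constructed records: a PATH with a filename containing a space, a PROCTITLE
# whose argv is NUL-separated, and a CWD that needed no escaping.
SAMPLE_RECORDS = [
    "type=PATH msg=audit(1382471523.123:4567): item=0 "
    "name=2F746D702F6261642066696C65 inode=1234 dev=fd:01 mode=0100644 "
    "ouid=0 ogid=0 rdev=00:00 nametype=NORMAL",
    "type=PROCTITLE msg=audit(1382471523.123:4567): "
    "proctitle=636174002F746D702F6261642066696C65",
    'type=CWD msg=audit(1382471523.123:4567): cwd="/root"',
]


def interpret_escaped(raw):
    """Decode one escaped-type field value the way an interpreter would.

    "(null)"      -> None (the kernel had no string to report)
    "quoted"      -> the text without the quotes
    bare hex      -> decoded bytes; NUL separators (argv in PROCTITLE) become
                     spaces, undecodable bytes are kept as \\xNN escapes
    anything else -> returned unchanged
    """
    if raw == "(null)":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if _HEX_RE.match(raw):
        data = binascii.unhexlify(raw)
        return data.replace(b"\x00", b" ").decode("utf-8", "backslashreplace")
    return raw


def interpret_record(line):
    """Parse a raw record into a dict, interpreting only the escaped fields.

    This mirrors the decision Steve describes: ask for the field's type and
    interpret it only when that type says the raw text may be encoded.
    """
    out = {}
    for key, raw in _FIELD_RE.findall(line):
        out[key] = interpret_escaped(raw) if key in ESCAPED_FIELDS else raw
    return out


# File-type bits -> name, in the spirit of audit_ftype_to_name().  Only
# "socket" is confirmed by the thread; the other names are an assumption.
_FTYPE_NAMES = [
    (stat.S_IFSOCK, "socket"),
    (stat.S_IFLNK, "link"),
    (stat.S_IFREG, "file"),
    (stat.S_IFBLK, "block"),
    (stat.S_IFDIR, "dir"),
    (stat.S_IFCHR, "character"),
    (stat.S_IFIFO, "fifo"),
]


def mode_file_type(mode_field):
    """Classify an octal mode= field (e.g. "0100644") by its S_IFMT bits.

    Returns None when the bits match no known type, which is the case in
    which audit_ftype_to_name() legitimately returns None.
    """
    fmt = stat.S_IFMT(int(mode_field, 8))
    for bits, name in _FTYPE_NAMES:
        if fmt == bits:
            return name
    return None


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        fields = interpret_record(rec)
        print(fields["type"], {k: v for k, v in fields.items() if k in ESCAPED_FIELDS})
        if "mode" in fields:
            print("  file type:", mode_file_type(fields["mode"]))
```

Note that the hex test is only applied to fields known to be of escaped type: a numeric field such as inode=1234 would also match the hex pattern, which is exactly why the parser exposes the field type instead of letting callers guess from the text.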