public inbox for linux-audit@redhat.com
From: John Dennis <jdennis@redhat.com>
To: kunal chandarana <chandarana.kunal@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Linux-audit Digest, Vol 40, Issue 9
Date: Wed, 16 Jan 2008 07:27:14 -0500
Message-ID: <478DF822.7010809@redhat.com>
In-Reply-To: <770716a30801152259l3b97d79crea2de5bd66033d1e@mail.gmail.com>

kunal chandarana wrote:
> In audit logs fields are generated for specific type. Each log has 
> different type and depending on type there are different fields shown in 
> audit.log files. Is there a way to map this audit type to the fields.
> 
> Like if I have type=XYZ then the log will contain n fields. So how to find 
> these n fields?

I'm not sure if you're asking how do you know which fields will appear 
for a specific type or how can you easily parse the fields.

If it's the former, there is no such mapping I'm familiar with; there is, 
however, a dictionary with all the possible fields in the set of all 
messages (http://people.redhat.com/sgrubb/audit/audit-parse.txt).

The field names are a product of the current kernel and the auditing 
messages it happens to contain. I don't think anybody has gone through 
the source code to produce such a map. In addition, the messages are 
subject to change at the discretion of kernel developers. This is 
one of the frustrations of the current auditing system. However, the 
messages have been fairly stable, so over time it's possible to get a 
pretty good idea. The source code in the kernel which produces the 
messages is pretty regular; I don't think it would be too hard to write 
a tool which scanned the kernel source tree and produced such a map, but 
I'm not aware of such a tool ATM.

If you want to find the fields in the sense of parsing then the auparse 
library will be of help.


-- 
John Dennis <jdennis@redhat.com>
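Since no static type-to-fields map exists, the practical alternative is to derive one from the records a system actually emits, which means splitting each record on the same key=value conventions auparse handles (quoted values, and the nested msg='...' list of USER_* records). The following is an added example, not code from this thread or from the audit project; the audit.log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from a real system). The two
# records with serial 201 belong to one syscall event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200484034.123:201): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 items=1 ppid=1 pid=2345 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="watch_passwd"
type=PATH msg=audit(1200484034.123:201): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0
type=USER_START msg=audit(1200484040.500:202): pid=2400 uid=0 auid=1000 ses=3 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1200484041.000:203): arch=c000003e syscall=59 success=no exit=-13 a0=0 items=0 ppid=2400 pid=2401 auid=1000 uid=1000 comm="id" exe="/usr/bin/id"
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value where the value is 'single-quoted', "double-quoted", or bare.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S*)")

def _unquote(val):
    if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
        return val[1:-1]
    return val

def parse_record(line):
    """Split one record into (type, event serial, {field: value}).
    The nested msg='...' list of USER_* records is flattened into the dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: _unquote(v) for k, v in FIELD_RE.findall(body)}
    nested = fields.pop("msg", None)
    if nested is not None:
        fields.update((k, _unquote(v)) for k, v in FIELD_RE.findall(nested))
    return rtype, int(serial), fields

def field_map(log_text):
    """Empirical type -> sorted field names, built from the records present."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            seen[parsed[0]].update(parsed[2])
    return {t: sorted(names) for t, names in seen.items()}

def group_events(log_text):
    """Group records by serial, the way auparse groups them into one event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            events[parsed[1]].append((parsed[0], parsed[2]))
    return dict(events)

if __name__ == "__main__":
    for rtype, names in sorted(field_map(SAMPLE_LOG).items()):
        print(f"{rtype}: {' '.join(names)}")
```

Run over a real audit.log, the map only reflects the record types that system happened to produce, which is exactly the caveat the reply makes about the kernel deciding the field set.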

Thread overview: 3+ messages
     [not found] <20080114170028.0385D73507@hormel.redhat.com>
2008-01-16  6:59 ` Linux-audit Digest, Vol 40, Issue 9 kunal chandarana
2008-01-16 12:27   ` John Dennis [this message]
2008-01-16 13:59   ` Steve Grubb
