* Re: audit-viewer [not found] <1162925222.89101235079087226.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> @ 2009-02-19 21:31 ` Miloslav Trmac 2009-02-20 17:36 ` audit-viewer Dan Gruhn 0 siblings, 1 reply; 9+ messages in thread From: Miloslav Trmac @ 2009-02-19 21:31 UTC (permalink / raw) To: Dan Gruhn; +Cc: linux-audit [-- Attachment #1: Type: text/plain, Size: 597 bytes --] ----- "Dan Gruhn" <Dan.Gruhn@groupw.com> wrote: > I have audit-viewer-0.4 and get the following error from "make > install" > > Byte-compiling python modules... > client.py dialog_base.py event_dialog.py event_source.py filters.py > format_versions.py list_properties.py list_tab.py File > "/usr/local/share/audit-viewer/list_tab.py", line 558 > store_data[column + 1] = l.pop(0) if l else '' > ^ > SyntaxError: invalid syntax > > Is it just me or should I try the 0.3 version? Please apply the attached patch against the src subdirectory. Mirek [-- Attachment #2: av.patch --] [-- Type: application/octet-stream, Size: 4114 bytes --] diff -ur av-orig/event_source.py /usr/share/audit-viewer/event_source.py --- av-orig/event_source.py 2008-12-05 09:51:29.000000000 +0100 +++ /usr/share/audit-viewer/event_source.py 2008-12-05 12:35:04.000000000 +0100 @@ -15,7 +15,6 @@ # permission of Red Hat, Inc. # # Red Hat Author: Miloslav Trmac <mitr@redhat.com> -import collections import datetime import re @@ -108,7 +107,7 @@ # This function is time critical, so it is a bit ugly. "#o" comments # contain the "nice" version of some constructs parser = self._create_parser() - events = collections.defaultdict(Event) + events = {} parser.search_set_stop(auparse.AUSEARCH_STOP_EVENT) if len(filters) > 0: 
@@ -135,11 +134,13 @@ while next_event_fn(): ts = parser_get_timestamp() # FIXME: ts.host seems to be valid only until the next event is read - e = events[(ts.serial, ts.sec, ts.milli)] - # The Event() constructor does not have access to ts. Most events - # have only a single record, so this usually does not overwrite the - # ID unnecessarily. - e.id = ts + event_key = (ts.serial, ts.sec, ts.milli) + try: + e = events[event_key] + except KeyError: + e = Event() + e.id = ts + events[event_key] = e if parser_first_record(): e_fields = e.fields while 1: #o while True: diff -ur av-orig/filters.py /usr/share/audit-viewer/filters.py --- av-orig/filters.py 2008-12-05 09:51:30.000000000 +0100 +++ /usr/share/audit-viewer/filters.py 2008-12-05 12:30:20.000000000 +0100 @@ -18,7 +18,7 @@ import datetime from gettext import gettext as _, ngettext import time -import xml.etree.cElementTree as cElementTree +import cElementTree import auparse diff -ur av-orig/list_tab.py /usr/share/audit-viewer/list_tab.py --- av-orig/list_tab.py 2008-12-05 09:51:30.000000000 +0100 +++ /usr/share/audit-viewer/list_tab.py 2008-12-05 12:31:56.000000000 +0100 @@ -18,7 +18,7 @@ import csv from gettext import gettext as _ import time -import xml.etree.cElementTree as cElementTree +import cElementTree import gobject import gtk @@ -555,7 +555,10 @@ for (column, title) in enumerate(self.__field_columns): l = event_fields_get(title, None) # "if l" == "if l is not None and len(l) > 0' - store_data[column + 1] = l.pop(0) if l else '' + if l: + store_data[column + 1] = l.pop(0) + else: + store_data[column + 1] = '' events.append((sort_key, tuple(store_data))) events.sort(key = lambda event: event[0], reverse = self.sort_reverse) return events diff -ur av-orig/main_window.py /usr/share/audit-viewer/main_window.py --- av-orig/main_window.py 2008-12-05 09:51:30.000000000 +0100 +++ /usr/share/audit-viewer/main_window.py 2008-12-05 12:29:55.000000000 +0100 
@@ -19,7 +19,7 @@ from gettext import gettext as _ import os -import xml.etree.cElementTree as cElementTree +import cElementTree import gobject import gtk diff -ur av-orig/statistic.py /usr/share/audit-viewer/statistic.py --- av-orig/statistic.py 2008-12-05 09:51:31.000000000 +0100 +++ /usr/share/audit-viewer/statistic.py 2008-12-05 12:30:32.000000000 +0100 @@ -18,7 +18,7 @@ import datetime from gettext import gettext as _, ngettext import time -import xml.etree.cElementTree as cElementTree +import cElementTree from filters import FieldFilter, TimestampFilter import format_versions diff -ur av-orig/tab.py /usr/share/audit-viewer/tab.py --- av-orig/tab.py 2008-12-05 09:51:32.000000000 +0100 +++ /usr/share/audit-viewer/tab.py 2008-12-05 12:30:36.000000000 +0100 @@ -17,7 +17,7 @@ # Red Hat Author: Miloslav Trmac <mitr@redhat.com> from gettext import gettext as _ import copy -import xml.etree.cElementTree as cElementTree +import cElementTree from dialog_base import DialogBase from filters import Filter [-- Attachment #3: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
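Review bot: in the event_source.py loop hunk (@@ -135,11 +134,13 @@), `e.id = ts` now runs only when the key is first seen, while the FIXME kept just above it says ts.host seems to be valid only until the next event is read. The stored ID may therefore hold a host value that is no longer valid once the parser moves on. Copy what the viewer needs out of ts when the Event is created, or add a comment next to `e = Event()` saying why keeping ts itself is safe. The deleted comment about the constructor having no access to ts explained why the ID is set here and is worth keeping in shortened form.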
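Review bot: the `import cElementTree` replacement in filters.py, list_tab.py, main_window.py, statistic.py and tab.py drops the `xml.etree.cElementTree` path entirely, so the patched tree depends on the standalone module and no longer imports on an interpreter that only ships the xml.etree version. Suggest a fallback instead of a swap: `try: import xml.etree.cElementTree as cElementTree` followed by `except ImportError: import cElementTree`, so one source tree serves both interpreters. The added dependency should also be mentioned in the install notes.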
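Review bot: in the list_tab.py hunk (@@ -555,7 +555,10 @@), the comment kept above the new if/else, `# "if l" == "if l is not None and len(l) > 0'`, closes with a single quote where a double quote is needed; fix it while these lines are being touched. The four-line if/else assigns the same values as the conditional expression it replaces, so no other change is needed there.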
* Re: audit-viewer
2009-02-19 21:31 ` audit-viewer Miloslav Trmac
@ 2009-02-20 17:36 ` Dan Gruhn
2009-02-20 20:32 ` audit-viewer Miloslav Trmac
0 siblings, 1 reply; 9+ messages in thread
From: Dan Gruhn @ 2009-02-20 17:36 UTC (permalink / raw)
Cc: linux-audit

Miloslav Trmac wrote:
> ----- "Dan Gruhn" <Dan.Gruhn@groupw.com> wrote:
>> I have audit-viewer-0.4 and get the following error from "make
>> install"
>>
>> Byte-compiling python modules...
>> client.py dialog_base.py event_dialog.py event_source.py filters.py
>> format_versions.py list_properties.py list_tab.py File
>> "/usr/local/share/audit-viewer/list_tab.py", line 558
>> store_data[column + 1] = l.pop(0) if l else ''
>> ^
>> SyntaxError: invalid syntax
>>
>> Is it just me or should I try the 0.3 version?
> Please apply the attached patch against the src subdirectory.
> Mirek

Mirek,

Thanks for this patch. I applied it and was able to compile.

I'm having problems running audit-viewer and it appears that I am missing some packages like python-gtkextra, PyChart, and sexy-python. I don't have them available on RHEL 5.2 (or 5.3 for that matter) and have been trying to compile them.

I am working on python-gtkextra-1.1.0 and have gtkextra compiled and installed. When I work on the python-gtkextra I get the following:

# make
Making all in gtkextra
make[1]: Entering directory `/data/master/software/audit/audit-viewer/python-gtkextra-1.1.0/gtkextra'
(cd . \
  && /usr/bin/python ./mycodegen.py \
    --register /usr/share/pygtk/2.0/defs/pango-types.defs \
    --register /usr/share/pygtk/2.0/defs/gdk-types.defs \
    --register /usr/share/pygtk/2.0/defs/gtk-types.defs \
    --override gtkextra.override \
    --prefix pygtkextra gtkextra.defs) > gen-gtkextra.c \
  && cp gen-gtkextra.c gtkextra.c \
  && rm -f gen-gtkextra.c
Traceback (most recent call last):
  File "./mycodegen.py", line 16, in ?
    codegen.codegen.main()
TypeError: main() takes exactly 1 argument (0 given)
make[1]: *** [gtkextra.c] Error 1

I'm guessing that the problem is that 1.1.0 requires python 2.5+ like audit-viewer. Does anyone know if this is true?

Has anyone tried to get audit-viewer working on RHEL5.2? Any pointers? I think I'm stuck at this point.

Dan

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: audit-viewer
2009-02-20 17:36 ` audit-viewer Dan Gruhn
@ 2009-02-20 20:32 ` Miloslav Trmac
2009-03-02 16:38 ` audit-viewer Dan Gruhn
0 siblings, 1 reply; 9+ messages in thread
From: Miloslav Trmac @ 2009-02-20 20:32 UTC (permalink / raw)
To: Dan Gruhn; +Cc: linux-audit

Dan,
----- "Dan Gruhn" <Dan.Gruhn@groupw.com> wrote:
> I'm having problems running audit-viewer and it appears that I am
> missing some packages like python-gtkextra, PyChart, and sexy-python. I
> don't have them available on RHEL 5.2 (or 5.3 for that matter) and
> have been trying to compile them.

Oh, sorry about that - I completely forgot about the dependencies.

For libsexy, take the Fedora 10 package, remove the dependencies on hunspell-en and enchant.

For python-gtkextra and python-sexy rebuild the packages available in Fedora 10.

pychart is available in EPEL.

Mirek

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: audit-viewer
2009-02-20 20:32 ` audit-viewer Miloslav Trmac
@ 2009-03-02 16:38 ` Dan Gruhn
0 siblings, 0 replies; 9+ messages in thread
From: Dan Gruhn @ 2009-03-02 16:38 UTC (permalink / raw)
Cc: linux-audit

Mirek,

Thanks for this. I was finally able to get back to this project and have been able to compile everything to get audit-viewer running.

I am getting this error when audit viewer starts:

# audit-viewer
Error reading audit events: No such file or directory.

Thinking that perhaps something is pointing to the wrong files, I attempted to use Window/Change event source.. . Then I get this:

Traceback (most recent call last):
  File "/usr/local/share/audit-viewer/main_window.py", line 402, in __menu_change_event_source_activate
    self.__show_source_dialog()
  File "/usr/local/share/audit-viewer/main_window.py", line 300, in __show_source_dialog
    self.source_dialog = SourceDialog(self.window, self.client)
  File "/usr/local/share/audit-viewer/source_dialog.py", line 58, in __init__
    self.__source_log_with_rotated_toggled)
  File "/usr/local/share/audit-viewer/util.py", line 49, in connect_and_run
    handler()
  File "/usr/local/share/audit-viewer/source_dialog.py", line 161, in __source_log_with_rotated_toggled
    self.source_log.set_active_iter(it)
TypeError: iter should be a GtkTreeIter

Perhaps I don't understand how to use audit-viewer. Is there any tutorial or documentation somewhere that I could read?

Dan

Miloslav Trmac wrote:
> Dan,
> ----- "Dan Gruhn" <Dan.Gruhn@groupw.com> wrote:
>
>> I'm having problems running audit-viewer and it appears that I am
>> missing some packages like python-gtkextra, PyChart, and sexy-python. I
>> don't have them available on RHEL 5.2 (or 5.3 for that matter) and
>> have been trying to compile them.
>>
> Oh, sorry about that - I completely forgot about the dependencies.
>
> For libsexy, take the Fedora 10 package, remove the dependencies on hunspell-en and enchant.
>
> For python-gtkextra and python-sexy rebuild the packages available in Fedora 10.
>
> pychart is available in EPEL.
> Mirek
>

--
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851

^ permalink raw reply [flat|nested] 9+ messages in thread
[parent not found: <1241228806.180461236014459986.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>]
* Re: audit-viewer
[not found] <1241228806.180461236014459986.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
@ 2009-03-02 17:22 ` Miloslav Trmac
2009-03-02 20:59 ` audit-viewer Dan Gruhn
0 siblings, 1 reply; 9+ messages in thread
From: Miloslav Trmac @ 2009-03-02 17:22 UTC (permalink / raw)
To: Dan Gruhn; +Cc: linux-audit

Hello,
----- "Dan Gruhn" <Dan.Gruhn@groupw.com> wrote:
> I am getting this error when audit viewer starts:
>
> # audit-viewer
> Error reading audit events: No such file or directory.
>
> Thinking that perhaps something is pointing to the wrong files, I
> attempted to use Window/Change event source.. . Then I get this:
<snip>
> File "/usr/local/share/audit-viewer/source_dialog.py", line 161, in
>
> __source_log_with_rotated_toggled
> self.source_log.set_active_iter(it)
> TypeError: iter should be a GtkTreeIter

This crash is a bug in audit-viewer, I'll fix it for the next release.

I'm not 100% sure, but I think the problem is caused by the fact that audit-viewer searches for audit logs in the --prefix subtree (as specified by configure). You can verify the used path by running (strings /your/prefix/libexec/audit-viewer-server-real |grep /log/audit); If it is not /var/log/audit, you'll need to rebuild audit-viewer, specifying --localstatedir=/var .

I'll document the necessity to use --localstatedir.

Thank you,
Mirek

^ permalink raw reply [flat|nested] 9+ messages in thread
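The path check described in the message above, as an added example that is not part of the original message or of audit-viewer: it reports which audit log directory a built binary embeds and which configure flag to rebuild with. The function names and the constructed sample file are assumptions, and `grep -a -o` stands in for `strings` so that binutils is not required.

```shell
#!/bin/sh
# Added example: report which audit log directory a built binary embeds.
# grep -a is used here in place of strings(1).

# Print every embedded path that ends in /log/audit, one per line.
embedded_audit_dirs() {
    LC_ALL=C grep -a -o '[A-Za-z0-9._/-]*/log/audit' "$1" | sort -u
}

# Return 0 if the binary reads $2 (default /var/log/audit), 1 on a
# mismatch, 2 if no */log/audit path is embedded at all.
check_localstatedir() {
    bin=$1
    expected=${2:-/var/log/audit}
    found=$(embedded_audit_dirs "$bin")
    if [ -z "$found" ]; then
        echo "$bin: no */log/audit path embedded" >&2
        return 2
    fi
    if [ "$found" = "$expected" ]; then
        echo "$bin: reads $expected"
        return 0
    fi
    echo "$bin: built to read $found, expected $expected" >&2
    echo "rebuild with: ./configure --localstatedir=${expected%/log/audit}" >&2
    return 1
}

# Constructed sample: a fake binary ($1) embedding the log directory $2,
# surrounded by NUL bytes the way a string sits in a real executable.
make_sample() {
    printf 'ELF\000%s/audit.log\000tail' "$2" > "$1"
}

# Usage: sh check.sh /your/prefix/libexec/audit-viewer-server-real
if [ "$#" -gt 0 ]; then
    check_localstatedir "$@"
fi
```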
* Re: audit-viewer
2009-03-02 17:22 ` audit-viewer Miloslav Trmac
@ 2009-03-02 20:59 ` Dan Gruhn
2009-03-02 21:07 ` audit-viewer Miloslav Trmac
0 siblings, 1 reply; 9+ messages in thread
From: Dan Gruhn @ 2009-03-02 20:59 UTC (permalink / raw)
To: linux-audit

Greetings,

Miloslav Trmac wrote:
> Hello,
> ----- "Dan Gruhn" <Dan.Gruhn@groupw.com> wrote:
>
>> I am getting this error when audit viewer starts:
>>
>> # audit-viewer
>> Error reading audit events: No such file or directory.
>>
>> Thinking that perhaps something is pointing to the wrong files, I
>> attempted to use Window/Change event source.. . Then I get this:
>>
> <snip>
>
>> File "/usr/local/share/audit-viewer/source_dialog.py", line 161, in
>>
>> __source_log_with_rotated_toggled
>> self.source_log.set_active_iter(it)
>> TypeError: iter should be a GtkTreeIter
>>
> This crash is a bug in audit-viewer, I'll fix it for the next release.
>
I look forward to that.

> I'm not 100% sure, but I think the problem is caused by the fact that audit-viewer searches for audit logs in the --prefix subtree (as specified by configure). You can verify the used path by running (strings /your/prefix/libexec/audit-viewer-server-real |grep /log/audit); If it is not /var/log/audit, you'll need to rebuild audit-viewer, specifying --localstatedir=/var .
>
You are right, the path was /usr/local/var/log/audit. Once I recompiled with this change everything seems to be working. Does this default of --prefix subtree make sense in any situation? I ask because perhaps a default of /var would more often produce the correct result.

> I'll document the necessity to use --localstatedir.
>
> Thank you,
> Mirek
>
Thank you for taking the time to lead me through all of this. I think I am on my way now.

Dan

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: audit-viewer
2009-03-02 20:59 ` audit-viewer Dan Gruhn
@ 2009-03-02 21:07 ` Miloslav Trmac
0 siblings, 0 replies; 9+ messages in thread
From: Miloslav Trmac @ 2009-03-02 21:07 UTC (permalink / raw)
To: Dan Gruhn; +Cc: linux-audit

Hello,
----- "Dan Gruhn" <Dan.Gruhn@GroupW.com> wrote:
> You are right, the path was /usr/local/var/log/audit. Once I recompiled
> with this change everything seems to be working. Does this default of
> --prefix subtree make sense in any situation? I ask because perhaps a
> default of /var would more often produce the correct result.

I personally use a different prefix for development and installation without root privileges - but I could of course use an extra option for that.

In general, I don't think overriding localstatedir in audit-viewer is worth it. It violates user's expectations about ./configure behavior, and autoconf doesn't offer a clean way to override it anyway. After all, most users should (eventually) rely on their distribution to package audit-viewer for them.

Mirek

^ permalink raw reply [flat|nested] 9+ messages in thread
* audit-viewer
@ 2009-02-19 21:09 Dan Gruhn
2009-02-19 21:20 ` audit-viewer Steve Grubb
0 siblings, 1 reply; 9+ messages in thread
From: Dan Gruhn @ 2009-02-19 21:09 UTC (permalink / raw)
To: linux-audit
Seeing the recommendation of audit-viewer I downloaded it to give it a try.
I have audit-viewer-0.4 and get the following error from "make install"
Byte-compiling python modules...
client.py dialog_base.py event_dialog.py event_source.py filters.py
format_versions.py list_properties.py list_tab.py File
"/usr/local/share/audit-viewer/list_tab.py", line 558
store_data[column + 1] = l.pop(0) if l else ''
^
SyntaxError: invalid syntax
Is it just me or should I try the 0.3 version?
Dan
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: audit-viewer
2009-02-19 21:09 audit-viewer Dan Gruhn
@ 2009-02-19 21:20 ` Steve Grubb
0 siblings, 0 replies; 9+ messages in thread
From: Steve Grubb @ 2009-02-19 21:20 UTC (permalink / raw)
To: linux-audit

On Thursday 19 February 2009 04:09:16 pm Dan Gruhn wrote:
> I have audit-viewer-0.4 and get the following error from "make install"
>
> Byte-compiling python modules...
> client.py dialog_base.py event_dialog.py event_source.py filters.py
> format_versions.py list_properties.py list_tab.py File
> "/usr/local/share/audit-viewer/list_tab.py", line 558
> store_data[column + 1] = l.pop(0) if l else ''

I believe it was developed for python 2.5+ and RHEL5 uses python 2.4. Mirek has backported it to the older libraries and maybe he can make the srpms available sometime.

-Steve

^ permalink raw reply [flat|nested] 9+ messages in thread