On 03/27/2009 12:41 PM, John Dennis wrote:
> Strings should be formatted as strings which means enclosed in double
> quotes with standard C99 escaping.
>
> As it stands now the audit libraries have hard coded lists of every
> field the kernel can emit in an audit message. The test for decoding hex
> strings is based on whether the field is known to be a string. Field
> values *never* currently begin with a quote. If the kernel audit code
> was modified to format strings such that they are always enclosed in
> quotes the following positive things would occur:
>
> * No need for hard coded list of which fields are string values.
>
> * As long as the audit libraries are used for parsing it's fully
> backwards compatible (because during parsing you first look for a quote,
> if it's there you know it's a string value, otherwise fall back to the
> legacy logic).
>
> * Strings are always human readable and it's obvious what is a string.
>
> * C99 string encoding is trivial and extremely efficient so there is no
> burden on the kernel.
>
> All in all a win/win situation.

Hello all,

The following is to provoke discussion; this is an issue I would like to see fixed, and I have the time to work on it at present.

Attached is a C program that has 2 output formats depending on a global flag (you can change the flag by incrementing argc). I use it to demonstrate 2 options, but if one were picked, it could be used to preserve backwards compatibility via a proc file.

The binary format and API are inspired from both an email by Paul Moore:
https://www.redhat.com/archives/linux-audit/2008-January/msg00087.html
extprot, a self-describing binary encoding:
http://eigenclass.org/R2/writings/extprot-extensible-protocols-intro
and some SSH buffer management code I wrote. Oh, and it should look suspiciously similar to some current audit code.

The text output is basically what John Dennis was looking for, I think. Although I don't quote numbers or do any radix prefixing right now.

Anyway. Comments? Anything I should change? Is this worth pursuing at all (does something like this have any hope of being integrated)?

$ gcc testformat.c
$ ./a.out      (binary display via xxd)
$ ./a.out q    (text output)

One last thing: as you can see, the 3rd key/value pair msg='...' has key/value pairs inside it, kind of like the current setup where audit gets stuff from other code. It has a k/v user_said=\'...\'...\' with a quote in the middle. Basically, I would also like to bring some sanity to users of audit, even though that may be insanely difficult, as has been mentioned. Perhaps only exposing the k/v interface to them. Something. Anything.

Thanks,
Joshua Roys
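The quote-then-fall-back parsing John describes above, as an added example in C (not the attached testformat.c, whose code is not on this page): a hypothetical format_field() emits key="value" with C99 escaping, and parse_value() treats a leading quote as the signal for a string and otherwise returns the bare token for the legacy per-field logic. It handles only the quote, backslash, newline and tab escapes; octal and hex escapes are assumed out of scope.

```c
#include <string.h>

/* Hypothetical helpers, not the attached testformat.c: emit key="value" with
 * C99 escaping of quote, backslash, newline and tab, and decode it, falling
 * back to the legacy bare token when the value does not start with a quote. */
/* Write key="escaped value" to out; returns its length, or -1 if it won't fit. */
int format_field(const char *key, const char *val, char *out, size_t outsz)
{
    size_t n = strlen(key);
    if (n + 4 > outsz) return -1;               /* room for = " " and NUL */
    memcpy(out, key, n); out[n++] = '='; out[n++] = '"';
    for (; *val; val++) {
        const char *e = *val == '"' ? "\\\"" : *val == '\\' ? "\\\\" :
                        *val == '\n' ? "\\n" : *val == '\t' ? "\\t" : NULL;
        size_t w = e ? strlen(e) : 1;
        if (n + w + 2 > outsz) return -1;       /* keep closing quote and NUL */
        if (e) memcpy(out + n, e, w); else out[n] = *val;
        n += w;
    }
    out[n++] = '"'; out[n] = '\0';
    return (int)n;
}

/* Decode one key=value field: returns 1 for a quoted string, 0 for a legacy
 * bare token copied verbatim (old per-field rules then apply), -1 if malformed. */
int parse_value(const char *field, char *out, size_t outsz)
{
    const char *p = strchr(field, '=');
    size_t n = 0;
    if (!p) return -1;
    if (*++p != '"') {                          /* legacy: no leading quote */
        size_t len = strcspn(p, " ");
        if (len >= outsz) return -1;
        memcpy(out, p, len); out[len] = '\0';
        return 0;
    }
    for (p++; *p && *p != '"'; p++) {
        char c = *p;
        if (c == '\\') {                        /* only the escapes we emit are valid */
            c = *++p;
            if (c == 'n') c = '\n'; else if (c == 't') c = '\t';
            else if (c != '"' && c != '\\') return -1;
        }
        if (n + 1 >= outsz) return -1;
        out[n++] = c;
    }
    if (*p != '"') return -1;                   /* unterminated string */
    out[n] = '\0'; return 1;
}
```

A value such as user_said containing embedded quotes round-trips through the two functions unchanged, while a field like pid=1234 still comes back through the legacy path.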