Hello,

On Thursday, August 15, 2024 2:12:41 PM EDT nupurde...@gmail.com wrote:
> ok Thanks I'll try the multithreading. I have one more thing that I want
> to achieve using the handle_event.
>
> I want to print the logs with different severity based on TYPE and
> permissive set to 1 or 0. So my sample code is like below. When I use the
> API "auparse_find_field", does it move the pointer to the field value
> permanently?

Yes.

> Do I need to reset the pointer before I pass the "au" to next function ?

It depends on the function. Some automatically rewind and some don't. I 
suppose it doesn't hurt to reset the internal cursor. Couple of points below.

> static void handle_event(auparse_state_t *au,
>         auparse_cb_event_t cb_event_type, void *user_data)
> {
>     int type, num = 0;
>
>     if (cb_event_type != AUPARSE_CB_EVENT_READY)
>         return;

I should probably get rid of this ^^^ in examples. There is only one state 
for cb_event_type and it is always that state.

>     while (auparse_goto_record_num(au, num) > 0) {
>         type = auparse_get_type(au);
>         const char *perm = auparse_find_field(au, "permissive");

I'd move this ^^^ into the case for AUDIT_USER_AVC so that it doesn't look 
for it in non-avc records. Also, that function will cross record boundaries 
while looking for it. It stops at the end of the event if it can't find it.

>
>         switch (type) {
>             case AUDIT_AVC:
>             case AUDIT_USER_AVC:
>                 if (perm) {
>                     if (strncmp(perm, "0", 1) == 0) {

could be          if (*perm == '0')

>                         dump_avc_critical_record(au);
>                     }
>                     else if (strncmp(perm, "1", 1) == 0) {
>                         dump_avc_info_record(au);
>                     }
>                 }
>                 else {
>                     dump_avc_info_record(au);
>                 }
>                 break;
>             default:
>                 dump_whole_record(au);
>                 break;
>         }
>         num++;
>     }
> }
> _______________________________________________
> Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
> To unsubscribe send an email to linux-audit-le...@lists.linux-audit.osci.io
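A stand-alone illustration of the two points made above (look for permissive only in AVC/USER_AVC records, and keep the lookup inside one record so it cannot wander into the next one), added here and not part of the thread or of libauparse: it works on constructed audit text lines instead of an auparse_state_t, so it builds without the audit headers, and the record contents are made up.

```c
#include <stdio.h>
#include <string.h>

enum avc_severity { SEV_CRITICAL, SEV_INFO, SEV_OTHER };

/* Search ONE record (a line of key=value pairs) for a field; copy the value
 * into out. Returns 1 if found, 0 if absent. Unlike auparse_find_field(),
 * this can never spill into the next record of the event. */
static int find_field_in_record(const char *rec, const char *name,
                                char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = rec;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[nlen] == '=') { /* whole key */
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, " \n");
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}
/* Same decision tree as the switch in the thread: check permissive only in
 * AVC / USER_AVC records; permissive=0 means the denial was enforced. */
enum avc_severity classify_record(const char *rec)
{
    char type[32], perm[8];
    if (!find_field_in_record(rec, "type", type, sizeof type))
        return SEV_OTHER;
    if (strcmp(type, "AVC") != 0 && strcmp(type, "USER_AVC") != 0)
        return SEV_OTHER;
    if (find_field_in_record(rec, "permissive", perm, sizeof perm) && perm[0] == '0')
        return SEV_CRITICAL;
    return SEV_INFO; /* permissive=1, or field absent */
}
/* Constructed two-record event (not real audit output) */
static const char *const sample_event[] = {
    "type=SYSCALL msg=audit(1723742000.123:42): arch=c000003e syscall=257 success=no exit=-13 comm=\"cat\"",
    "type=AVC msg=audit(1723742000.123:42): avc:  denied  { read } for  pid=4242 comm=\"cat\" tclass=file permissive=0",
};
int main(void)
{
    static const char *const names[] = { "CRITICAL", "INFO", "OTHER" };
    for (size_t i = 0; i < 2; i++)
        printf("record %zu: %s\n", i, names[classify_record(sample_event[i])]);
    return 0;
}
```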
