On 5/24/06, Steve Grubb <[EMAIL PROTECTED]> wrote:
> On Tuesday 23 May 2006 21:26, Leigh Purdie wrote:
> > Note the 228387 four from the top, and also after the 228390's.
> >
> > Is this something that should be considered a bug?
> <snip>
>
> It might be, but it's not likely to get fixed soon (bigger fish to fry...).
> I'd work around it for now.

No worries. Easy done, at the expense of a bit of memory, and by sacrificing near-real-time for 'within a few seconds of generation time'.

> > Just spaces? How about inverted-commas, embedded newlines (or
> > Carriage-Returns), or other non-displaying characters that may be
> > valid on linux (or other) filesystems?
>
> This is the function that does it:
> http://sosdg.org/~coywolf/lxr/source/kernel/audit.c#L819
>
>     if (*p == '"' || *p < 0x21 || *p > 0x7f)

Thanks. :)

> > Also, anyone have any thoughts on how to translate "eventid 11" to a
> > more human-readable "execve" in perl without writing my own C Header
> > translator?
>
> Are you meaning how to translate the raw time stamp/serial number? If so,
> I'd point to the ausearch source code. I don't program in perl so I may
> not be the best source of info.
>
> The long term plan is to have an audit event parsing library so that
> external apps do not have to have secret audit format knowledge. The
> audit parsing library could probably be turned into a perl module as
> could libaudit. If you wanted to send a patch for that, I'd be happy to
> integrate it. (Right now we only have python bindings.)

Nah, timestamps are fine. I was thinking of 'syscall=11'.

I can translate the value of '11' to 'execve' manually by grepping through /usr/include/asm/unistd.h. However, it's a little harder programmatically - particularly when:

* The system call numbers are subject to change (though, rarely), and
* The numbers might be slightly different for different architectures, and
* The header file might include things like:

    #define __NR_mq_notify (__NR_mq_open+4)

  .. which makes a quick 'hack' in perl to scan in unistd.h, not worthwhile.

So, to rephrase my question slightly - is there a programmatic way to turn syscall=5 into syscall=execve that anyone can suggest?

WRT perl, I'm language agnostic. If there's better support for audit in python, I'll switch the code over. (Perl has, historically, been more likely to be installed on server systems that are likely to be running audit though).

Regards,

Leigh.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
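The question in the message above (turning `syscall=11` into `syscall=execve` from a header that may define numbers as expressions such as `(__NR_mq_open+4)`) is answered here with an added example that is not part of the thread and not code from the audit project. It parses the `#define __NR_*` lines of a unistd.h-style header, resolves symbolic references recursively with a small arithmetic evaluator (no `eval`), and rewrites the `syscall=` field of an audit record. The header text embedded below is a constructed excerpt in i386 numbering, not a copy of any real header, and the audit record line is constructed as well; the function names are this example's own.

```python
"""Map audit syscall numbers to names by parsing a kernel unistd.h header."""
import re

# Constructed excerpt in the style of asm/unistd.h (i386 numbering). It includes
# the derived-value form from the thread that a naive grep cannot resolve.
SAMPLE_UNISTD_H = """\
#ifndef _ASM_I386_UNISTD_H_
#define _ASM_I386_UNISTD_H_
#define __NR_restart_syscall      0
#define __NR_exit                 1
#define __NR_fork                 2
#define __NR_read                 3  /* trailing comment */
#define __NR_write                4
#define __NR_open                 5
#define __NR_execve              11
#define __NR_mq_open            277
#define __NR_mq_unlink          (__NR_mq_open+1)
#define __NR_mq_timedsend       (__NR_mq_open+2)
#define __NR_mq_timedreceive    (__NR_mq_open+3)
#define __NR_mq_notify          (__NR_mq_open+4)
#define __NR_mq_getsetattr      (__NR_mq_open+5)
#define NR_syscalls 320
#endif
"""

DEFINE_RE = re.compile(r'^\s*#\s*define\s+(__NR_\w+)\s+(.+?)\s*$', re.M)
TOKEN_RE = re.compile(r'\s*(\d+|[()+\-*])')


def _evaluate(expr):
    """Evaluate an expression made only of decimal integers, + - * and parentheses."""
    tokens = TOKEN_RE.findall(expr)
    # findall silently skips characters it cannot tokenize; reject those inputs.
    if ''.join(tokens) != re.sub(r'\s+', '', expr):
        raise ValueError(f"unsupported expression: {expr!r}")
    pos = 0

    def parse_sum():
        nonlocal pos
        value = parse_product()
        while pos < len(tokens) and tokens[pos] in '+-':
            op = tokens[pos]
            pos += 1
            rhs = parse_product()
            value = value + rhs if op == '+' else value - rhs
        return value

    def parse_product():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == '*':
            pos += 1
            value *= parse_atom()
        return value

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == '(':
            value = parse_sum()
            if pos >= len(tokens) or tokens[pos] != ')':
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            pos += 1
            return value
        if tok == '-':
            return -parse_atom()
        return int(tok)

    result = parse_sum()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def load_syscall_table(header_text):
    """Return {number: name} from the #define __NR_* lines, resolving references."""
    header_text = re.sub(r'/\*.*?\*/', '', header_text, flags=re.S)  # drop C comments
    raw = dict(DEFINE_RE.findall(header_text))  # '__NR_name' -> raw expression text
    resolved = {}

    def resolve(name, seen=()):
        if name in resolved:
            return resolved[name]
        if name in seen:
            raise ValueError(f"circular definition of {name}")
        # Replace every __NR_* reference by its resolved value, then evaluate.
        expr = re.sub(r'__NR_\w+',
                      lambda m: str(resolve(m.group(0), seen + (name,))),
                      raw[name])
        resolved[name] = _evaluate(expr)
        return resolved[name]

    table = {}
    for name in raw:
        table.setdefault(resolve(name), name[len('__NR_'):])  # keep first alias
    return table


def syscall_name(number, table):
    """Name for an audit 'syscall=N' value; unknown numbers stay visible as numbers."""
    return table.get(number, f"unknown({number})")


def annotate_record(line, table):
    """Rewrite 'syscall=N' in one audit record line as 'syscall=<name>'."""
    return re.sub(r'\bsyscall=(\d+)',
                  lambda m: 'syscall=' + syscall_name(int(m.group(1)), table), line)


def load_from_file(path='/usr/include/asm/unistd.h'):
    """Build the table from a header on disk (point this at the per-arch header)."""
    with open(path) as fh:
        return load_syscall_table(fh.read())
```

Because the parser ignores `#ifdef`, point `load_from_file()` at the header for the architecture the record was produced on (the `arch=` field of a SYSCALL record tells you which), not at a wrapper header that selects between 32- and 64-bit tables at compile time. Hex constants and macros other than `__NR_*` are deliberately rejected rather than guessed at. Later versions of libaudit ship `audit_syscall_to_name()`, which does this lookup from built-in per-architecture tables; where that is available it is the better choice, and this parser is a fallback for hosts that only have the header.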
