> -----Original Message-----
> From: Steve Grubb [mailto:[email protected]]
> Sent: Thursday, December 17, 2015 6:51 PM
>
> > > My problem is I don't know what the proper set of "keys" are and the
> > > values they should contain. If my assumptions are correct, is there
> > > any documentation on the key-value pairs and how to format the
> > > contents of the message parameter? Based on what I've seen in the
> > > audit log file, I would add "acct=<user>" to the contents of the
> > > message to reflect the particular authenticated user who issued the REST
> > > API call.
> >
> > Well, Steve has published these as a starting point. I'm sure he'll
> > chime in when he sees your message.
> >
> > http://people.redhat.com/sgrubb/audit/audit-events.txt
> > http://people.redhat.com/sgrubb/audit/audit-parse.txt
>
> Thanks for pointing these out, Richard.
>
> The basic guidance for AUDIT_USYS_CONFIG is to record old and new values.
> Typically old values are prefixed with 'old-' and new values are the name of
> the field with no prefix.
>
> Any field whose value the user could influence has to be handled in such a
> way as to not allow them to trick the parser if they are malicious. For the
> most part, we hex encode those fields and then write some code to label the
> fields as encoded so that interpretation can be done later.
>
> Since your field names may not be official names in the audit system, you
> may have to filter illegal characters the user sent during event construction
> and fill in spaces with an underscore or dash.

Thanks for the feedback and information. It has been very helpful.

I've done some testing using the "val" and "old-val" field names with data
values encoded by audit_encode_nv_string(...). However, when I try to display
the event with "ausearch --interpret ..." neither field's data is decoded back
into ASCII text. So I plan on using the "op", "data" and "euid" fields. Only
the data field needs to be encoded, and ausearch does decode this field
correctly.

My message text would look like:

"op=<op text> data=<encoded data> euid=<uid>"

When I was using ausearch I expected to be able to find events by uid using
either the "-ua" or "-ue" option that would match the euid field's value, but
no matching events were found. Is this expected behavior? The "-I" option did
correctly convert the euid into the user name.

Scott G.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
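The following is an added example, not part of the thread above and not libaudit's own code. It reimplements, as an assumption about how audit_encode_nv_string behaves, the rule that a value containing a double quote, a byte below 0x21 or 0x7F and above is emitted as upper-case hex while a clean token is emitted in double quotes, and uses that to assemble the "op=<op> data=<encoded> euid=<uid>" message Scott describes. The constructed sample values show why the user-influenced field is encoded: an unencoded value holding a space and a quote would otherwise be read as extra key=value fields by the parser, which is the parser trick Steve's advice guards against. The block avoids linking libaudit so it runs stand-alone; in a real program the returned string would be passed to audit_log_user_message() with the AUDIT_USYS_CONFIG type.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encoding rule as assumed from libaudit's audit_value_needs_encoding
 * (reimplemented here, not copied): a value must be hex encoded if it holds
 * a double quote, a byte below 0x21 (space, control characters) or 0x7F and
 * above. Otherwise it is safe to emit inside double quotes. */
static int value_needs_encoding(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c >= 0x7F)
            return 1;
    }
    return 0;
}

/* Builds "name=..." the way audit_encode_nv_string is assumed to: quoted if
 * the value is clean, two upper-case hex digits per byte otherwise.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *encode_nv_string(const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value);
    /* worst case is name, '=', two hex digits per byte (or two quotes), NUL */
    char *out = malloc(nlen + 1 + 2 * vlen + 2 + 1);
    if (!out)
        return NULL;
    char *p = out + sprintf(out, "%s=", name);
    if (value_needs_encoding(value, vlen)) {
        for (size_t i = 0; i < vlen; i++)
            p += sprintf(p, "%02X", (unsigned char)value[i]);
    } else {
        sprintf(p, "\"%s\"", value);
    }
    return out;
}

/* Assembles the message text from the thread: op=<op> data=<encoded> euid=<uid>.
 * "op" is program-chosen text and is written as-is; "data" is the only field a
 * user can influence, so it is the one that goes through encode_nv_string. */
char *build_usys_config_msg(const char *op, const char *data, unsigned int euid)
{
    char *enc = encode_nv_string("data", data);
    if (!enc)
        return NULL;
    size_t len = strlen(op) + strlen(enc) + 32; /* room for fixed text and uid */
    char *msg = malloc(len);
    if (msg)
        snprintf(msg, len, "op=%s %s euid=%u", op, enc, euid);
    free(enc);
    return msg;
}

/* Reverses the hex encoding, the interpretation step a consumer such as
 * ausearch -i performs for fields it knows are encoded. Returns a malloc'd
 * string, or NULL if the input is empty, odd-length or not hex. */
char *decode_hex_value(const char *hex)
{
    size_t len = strlen(hex);
    if (len == 0 || len % 2 != 0)
        return NULL;
    char *out = malloc(len / 2 + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i += 2) {
        if (!isxdigit((unsigned char)hex[i]) || !isxdigit((unsigned char)hex[i + 1])) {
            free(out);
            return NULL;
        }
        unsigned int byte;
        sscanf(hex + i, "%2x", &byte);
        out[i / 2] = (char)byte;
    }
    out[len / 2] = '\0';
    return out;
}

/* Constructed sample values, not taken from any real audit log. */
int main(void)
{
    const char *clean = "set_mode";         /* plain token: emitted in quotes */
    const char *untrusted = "x\" euid=0";   /* space and quote: hex encoded */
    const char *inputs[] = { clean, untrusted };

    for (int i = 0; i < 2; i++) {
        char *msg = build_usys_config_msg("update", inputs[i], 1000);
        printf("%s\n", msg);
        free(msg);
    }

    /* Round-trip the encoded value the way a consumer would interpret it. */
    char *enc = encode_nv_string("data", untrusted);
    char *dec = decode_hex_value(enc + strlen("data="));
    printf("decoded: %s\n", dec);
    free(enc);
    free(dec);
    return 0;
}
```

Because the quoted form and the hex form are distinguishable on the wire, a consumer only has to know which field names may carry encoded data, which matches Scott's observation that ausearch decodes "data" but not the unofficial "val" and "old-val" names.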
