-
Notifications
You must be signed in to change notification settings - Fork 31
SPEC Audit Event Parsing Library
An audit event is all records that have the same host (node), timestamp, and serial number. Each event on a host (node) has a unique timestamp and serial number. An event is composed of multiple records which have information about different aspects of an audit event. All events contain information pertaining to where something happened (node), when it happened, what did it (subject), what was done, to what (object), and the result of the action. Each record is denoted by a type which indicates what fields will follow. Information in the fields are held by a name/value pair that contains an '=' between them. Each field is separated from one another by a space.
All functions that begin with ausearch are related to searching for a subset of events based on certain criteria. All functions that begin with auparse are used to access events, records, and fields sequentially and without regard to any search options that may be in effect. All functions return 1 on success and 0 on failure unless otherwise noted. Where the return type is a char pointer, NULL will indicate failure. The data structures will be hidden from the external application. Access to fields is a name/value style. You access the fields through functions that either return a pointer to a zero-terminated array of ASCII characters or integral values. Every function (except auparse_init) takes a parameter, au, which is the internal state information for the current query.
The ausearch_ functions will select records in its search results based on operators used for matching name/value pairs. For fields that are numeric, the following mathematical operators are allowed: =,!=,>,=>,<,<=. The field is converted to a number before matching is done.
For fields that are non-numeric, the operators in use will be:
- = - The string completely matches
- != - The string does not match
- ~ - A substring match is done
- <regex> - Regular expression is used
Fields names in a record should be consistent so that the parser can make sense of the value associated with a field. When writing events, always use a known field name and don't make one up if at all possible. The value associated with the field needs to have the same formatting as listed here or translation can error. The following list enumerates known field names:
a? - numeric, the arguments to a syscall
acct - encoded, a user's account name
addr - the remote address that the user is connecting from
arch - numeric, the elf architecture flags
argc - numeric, the number of arguments to an execve syscall
audit_backlog_limit - numeric, audit system's backlog queue size
audit_enabled - numeric, audit systems's enable/disable status
audit_failure - numeric, audit system's failure mode
auid - numeric, login user id
banners - alphanumeric, banners used on printed page
capability - numeric, posix capabilities
cap_fi - numeric, file inherited capability map
cap_fp - numeric, file permitted capability map
cap_fver - numeric, file system capabilities version number
cap_pe - numeric, process effective capability map
cap_pi - numeric, process inherited capability map
cap_pp - numeric, process permitted capability map
cipher - alphanumeric, name of crypto cipher selected
code - numeric, seccomp action code
comm - encoded, command line program name
cmd - encoded, command being executed
cwd - encoded, the current working directory
data - encoded, TTY text
default-context - alphanumeric, default MAC context
dev - numeric, in path records, major and minor for device
dev - in avc records, device name as found in /dev
device - encoded, device name
dir - encoded, directory name
direction - alphanumeric, direction of crypto operation
egid - numeric, effective group id
enforcing - numeric, new MAC enforcement status
entries - numeric, number of entries in the netfilter table
euid - numeric, effective user id
exe - encoded, executable name
exit - numeric, syscall exit code
family - numeric, netfilter protocol
fd - numeric, file descriptor number
file - encoded, file name
flags - numeric, mmap syscall flags
fe - numeric, file assigned effective capability map
fi - numeric, file assigned inherited capability map
fp - numeric, file assigned permitted capability map
fp - alphanumeric, crypto key finger print
format - alphanumeric, audit log's format
fsgid - numeric, file system group id
fsuid - numeric, file system user id
fver - numeric, file system capabilities version number
gid - numeric, group id
hostname - alphanumeric, the hostname that the user is connecting from
icmp_type - numeric, type of icmp message
id - numeric, during account changes, the user id of the account
igid - numeric, ipc object's group id
img-ctx - alphanumeric, the vm's disk image context string
ip - alphanumeric, network address of a printer
inode - numeric, inode number
inode_gid - numeric, group id of the inode's owner
inode_uid - numeric, user id of the inode's owner
item - numeric, which item is being recorded
items - numeric, the number of path records in the event
iuid - numeric, ipc object's user id
kernel - alphanumeric, kernel's version number
key - encoded, key assigned from triggered audit rule
kind - alphabet, server or client in crypto operation
ksize - numeric, key size for crypto operation
laddr - alphanumeric, local network address used in crypto session
lport - alphanumeric, local network port used in crypto session
list - numeric, the audit system's filter list number
mac - alphanumeric, crypto MAC algorithm selected
mode - numeric, mode flags on a file
model - alphanumeric, security model being used for virt
msg - alphanumeric, the payload of the audit record
nargs - numeric, the number of arguments to a socket call
name - encoded, file name in avcs
nametype - alphabet, kind of file operation being referenced
net - alphanumeric, network MAC address
new-disk - encoded, disk being added to vm
new-fs - encoded, file system being added to vm
new_gid - numeric, new group id being assigned
new-level - alphanumeric, new run level
new_pe - numeric, new process effective capability map
new_pi - numeric, new process inherited capability map
new_pp - numeric, new process permitted capability map
new-rng - encoded, device name of rng being added from a vm
obj - alphanumeric, lspp object context string
obj_gid - numeric, group id of object
obj_uid - numeric, user id of object
oflag - numeric, open syscall flags
ogid - numeric, file owner group id
old - numeric, old audit_enabled, audit_backlog, or audit_failure value
old-disk - encoded, disk being removed from vm
old_enforcing - numeric, old MAC enforcement status
old-fs - encode, file system being removed from vm
old-level - alphanumeric, old run level
old_pe - numeric, old process effective capability map
old_pi - numeric, old process inherited capability map
old_pp - numeric, old process permitted capability map
old_prom - numeric, network promiscuity flag
old-rng - encoded, device name of rng being removed from a vm
op - alphanumeric, the operation being performed that is audited
oauid - numeric, process login user id
ocomm - encoded, object's command line name
opid - numeric, object's process id
oses - numeric, object's session id
ouid - numeric, file owner user id
parent - numeric, the inode number of the parent file
path - iencoded, file system path name
per - numeric, linux personality
perm - numeric, the file permission being used
perm_mask - numeric, file permission mask that triggered a watch event
pid - numeric, process id
printer - encoded, printer name
prom - numeric, network promiscuity flag
proctitle - encoded, process title and command line parameters
proto - numeric, network protocol
qbytes - numeric, ipc objects quantity of bytes
range - alphanumeric, user's SE Linux range
rdev - numeric, the device identifier (special files only)
reason - alphanumeric, a text string denoting a reason for the action
res - alphanumeric, result of the audited operation (success/fail)
result - alphanumeric, result of the audited operation (success/fail)
role - alphanumeric, user's SE linux role
rport - numeric, remote port number
saddr - encoded, struct socket address structure
sauid - numeric, sending login user id
scontext - alphanumeric, the subject's context string
selected-context - alphanumeric, new MAC context assigned to session
seuser - alphanumeric, user's SE Linux user acct
ses - numeric, login session id
sgid - numeric, set group id
sig - numeric, signal number
sigev_signo - numeric, signal number
spid - numeric, sending process id
subj- alphanumeric, lspp subject's context string
success - alphanumeric, whether the syscall was successful or not
suid - numeric, sending user id
syscall - numeric, the syscall number in effect when the event occurred
table - alphanumeric, netfilter table name
tclass - alphanumeric, target's object classification
tcontext - alphanumeric, the target's or object's context string
terminal - alphanumeric, terminal name the user is running programs on
tty - alphanumeric, tty interface that the user is running programs on
type - alphanumeric, the audit record's type
uid - numeric, user id
uri - alphanumeric, URI pointing to a printer
user - alphanumeric, account the user claims to be prior to authentication
uuid - alphanumeric, a UUID
ver - numeric, audit daemon's version number
virt - alphanumeric, kind of virtualization being referenced
vm - encoded, virtual machine name
vm-ctx - alphanumeric, the vm's context string
watch - encoded, file name in a watch record
auparse_state_t - is an opaque data type used for maintaining library state.
typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_FILE_ARRAY, AUSOURCE_BUFFER, AUSOURCE_BUFFER_ARRAY } ausource_t;
auparse_state_t *auparse_init(ausource_t source, const void *b, size_t s) - allow init of library. Set data source: logs, file, null terminated array of filenames, buffer, null terminated array of addresses. The pointer 'b' is used to set the file name or pass the buff when those types are given. If buffers are used for the source, the 's' parameter shall denote the buffer size. All buffers should be a uniform size. Unused portions should be filled with 0's to prevent the interpretation of uninitialized memory.
int auparse_reset(auparse_state_t *au) - reset all internal cursors to the beginning.
typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD, AUSEARCH_STOP_FIELD } austop_t;
int ausearch_set_param(auparse_state_t *au, const char *field, const char *op, const char *value, austop_t where) - set search options. The field would be the left hand side of the audit name/value pairs. The op would be the operator described in the section above telling how to match. The value would be the right hand side of the audit field name/value pairs. The where parameter tells the search library where to place the internal cursor when a match is found. It could be on first field of first record, first field of record containing the match, or the field that matches. This function my be called more than once to set a compound search condition. Each search statement passed in forms an "and" with anything else already in the search rule.
int ausearch_clear_param(auparse_state_t *au) - clears any set search rule currently in effect.
int ausearch_next_event(auparse_state_t *au) - traverse to the next event that yields a match based on the given search criteria.
int auparse_next_event(auparse_state_t *au) - traverse to next event. This allows access to time and serial number.
typedef struct
{
time_t sec; // Event seconds
unsigned int milli; // millisecond of the timestamp
unsigned long serial; // Serial number of the event
const char *host; // Machine's name
} event_t;
const event_t *auparse_get_timestamp(auparse_state_t *au) - retrieve time stamp of current record.
time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds of current record.
time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds time of current record. unsigned long auparse_get_serial(auparse_state_t *au) - retrieve serial number of current record.
const char *auparse_get_node(auparse_state_t *au) - retrieve host (node) name of current record.
int auparse_timestamp_compare(event_t *e1, event_t *e2) - compare 2 timestamps. The results are either less than, equal to, or greater than 0 if e1 is found to be respectively less than, equal to, or greater than e2.
int auparse_first_record(auparse_state_t *au) - set iterator to first record in current event.
int auparse_next_record(auparse_state_t *au) - traverse to next record in event. This allows access to the event type.
int auparse_get_type(auparse_state_t *au) - retrieve type of current record.
int auparse_first_field(auparse_state_t *au) - set field pointer to first in current record.
int auparse_next_field(auparse_state_t *au) - traverse the fields in a record.
const char *auparse_get_record_text(auparse_state_t *au) - return a pointer to the full, unparsed record.
const char *auparse_find_field(auparse_state_t *au, const char *name) - find a given field in a event or record. Name is the left hand side of the name/value pair. Returns pointer to the value as ascii text.
const char *auparse_find_field_next(auparse_state_t *au) - find the next occurrence of that field in the same record. Returns pointer to the value as ascii text.
const char *auparse_get_field_name(auparse_state_t *au) - return current field name as a string.
const char *auparse_get_field_str(auparse_state_t *au) - return current field value as a string.
int auparse_get_field_int(auparse_state_t *au) - return current field value as an int.
const char *auparse_interpret_field(auparse_state_t *au) - interpret the current field.
int auparse_destroy(auparse_state_t *au) - free all data structures and close file descriptors.
int main(void)
{
auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL, 0);
if (au == NULL)
exit(1);
if (!ausearch_set_param(au, "auid", "=", "500", AUSEARCH_STOP_EVENT))
exit(1);
while (ausearch_next_event(au)) {
if (auparse_find_field(au, "auid")) {
printf("auid=%s\n", auparse_interpret_field(au));
}
}
auparse_destroy(au);
return 0;
}
All information in this wiki is licensed under the CC BY 4.0 license.