The auparse library has gained a new API starting around audit-2.7. It wasn't really ready for people to use until around 2.7.2 and is still under active development. It's close enough to done that we can start using it in other programs.
In essence, all that is different when using the normalizer is that you call auparse_normalize() and then use a different set of field accessor functions. You do not need to use auparse_find_field().
The field accessor functions come in two types: those that return a character string and those that return an integer. The ones that return a string are returning metadata about the event, and the string can be used directly. The ones that return an integer only move the auparse internal cursor to the correct field. You then use that field just as we have in earlier programs, by calling auparse_interpret_field(), auparse_get_field_str(), auparse_get_field_type(), etc.
The normalizer API will locate and save the field locations for the event's
- subject's primary identity
- subject's secondary identity
- object's primary identity
- object's secondary identity
- second object
It also provides metadata about the
- kind of event
- kind of subject (privileged, daemon, user)
- action being performed by subject
- kind of object
- how the event was being performed
To illustrate how to use the API, consider the following program. Notice that we loop at the event level and do not need to iterate across records or fields.
Compile this program using:
To run the program, pipe log data into it on stdin:
You should see some output similar to this:
You can use this program to look over normalized log data to aid in understanding where each of the parts come from.
OK, so how does this fix up the problem we saw last time? Now all we need to do is call auparse_normalize() and then auparse_normalize_subject_primary(). That's it. No conditional.
One thing to know about the code above is that you won't get the right answer until you run it with the audit-2.7.6 library, which should be released soon. (I found a bug in the library and corrected it while writing this example program.)
We have talked about using all of the various pieces of the auparse library. It should simplify writing analytical programs. Next time we will tie everything together with a short little project to send an email when certain events occur. I was going to do it in this post but decided it was long enough already.