After a while, I decided that sometimes there are simply two objects. The admin mounted this (1) to that (2). To address this, the auparse library will assign fields to object2 (which is formally called primary2) whenever it sees the following:
1) Files are renamed by using the rename* syscalls
2) Files receive permission or ownership changes
3) Files get symlinked to
4) Disk partitions get mounted to a directory
5) Whenever uid or gid changes as a result of calling set*uid or set*gid syscalls
There may be other cases, so don't consider this the final specification. As I see more events, I'll add to this when necessary. Or if you have some ideas about when there might be a second object, leave a comment or email me.
Because this is a sparse column, it will not be enabled by default when the csv format is selected. To get it, you will need to pass --extra-obj2 to the ausearch program.
If, however, you are a software developer, then you can get access to the normalized output via a new auparse_normalize_object_primary2 function. The way that it would be used in practice is similar to any of the other normalizer accessor functions. You would do something like this:
    /* Returns 1 and moves the cursor to the object2 field when the
     * normalizer assigned one, 0 otherwise. */
    rc = auparse_normalize_object_primary2(au);
    if (rc == 1) {
        const char *val;
        /* File names are resolved against the event's cwd; anything else
         * (a uid, a mount point string, ...) is interpreted as-is. */
        if (auparse_get_field_type(au) == AUPARSE_TYPE_ESCAPED_FILE)
            val = auparse_interpret_realpath(au);
        else
            val = auparse_interpret_field(au);
        printf("%s", val);
    }
This new function is not yet available unless you use the source code from github. This will be in the next release, audit-2.8, which should be out in the next week or two. Which reminds me...if you know of any issues in the audit code, now would be a good time to report it.