Date: Sun, 22 Oct 2006 13:17:41 +0100 (BST)
From: Robert Watson
To: Martin Voros
Cc: trustedbsd-audit@FreeBSD.org
Subject: Re: praudit - xml output patches
Message-ID: <20061022131504.V60062@fledge.watson.org>
In-Reply-To: <20061019142114.30659.qmail@web55515.mail.re4.yahoo.com>
References: <20061019142114.30659.qmail@web55515.mail.re4.yahoo.com>

On Thu, 19 Oct 2006, Martin Voros wrote:

> finally I found some time and prepared patches which add XML output for
> OpenBSM praudit utility and improve audit.log.5 manual page. I made these
> patches against OpenBSM 1.0 alpha 12 release. Unfortunately, I can't test 64
> bits tokens and also I couldn't test some other tokens so I call for
> testing. Of course all comments and suggestions are welcome. I also added
> some token descriptions to audit.log.5 manual page.
>
> Instructions:
> # cd DIR_WITH_OBSM_alpha12
> # patch < xml.patch
> # patch < doc.patch

This sounds really good! A few high level comments, without having really
dug in yet:

- Is xml mode exclusive of other modes, such as short? If so, we should
  check for combined use and print a usage message if the requested use
  isn't allowed.

- Functions mis-spelled in libbsm.h comment.

- In general, we should prefix public function names in libbsm with au_, in
  order to avoid symbol name collisions with applications and other
  libraries. This should definitely be the case for non-static function
  names, and we should think about also doing it for new static ones. So,
  for example, the header printing functions.

- I wonder if we should be introducing a new au_print_tok_xml() call, since
  the current API is one we expose to applications and probably shouldn't be
  changed? Should "short form" and "xml form" be mutually exclusive?
  Presumably "raw" is still interesting when combined with "xml"? Combining
  them for internal APIs (and changing them) makes sense and is fine, it's
  just changing current application interfaces that is undesirable. Mind
  you, our au_print_tok() appears to be different from the one in Solaris.

- Is the patch for audit.log.5 backwards (i.e., the revert patch rather than
  the apply patch)? It looks good, just backwards, I think.

- Is this the same XML format that Solaris's praudit uses, or a different
  one? Could you produce documentation for the parseable XML format, or at
  least, notes that someone with nroff clue could convert to a man page for
  you?

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge