Date: Sun, 22 Oct 2006 13:17:41 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Martin Voros <martin_voros@yahoo.com>
Cc: trustedbsd-audit@FreeBSD.org
Subject: Re: praudit - xml output patches
Message-ID: <20061022131504.V60062@fledge.watson.org>
In-Reply-To: <20061019142114.30659.qmail@web55515.mail.re4.yahoo.com>
References: <20061019142114.30659.qmail@web55515.mail.re4.yahoo.com>

On Thu, 19 Oct 2006, Martin Voros wrote:

> finally I found some time and prepared patches which add XML output for
> OpenBSM praudit utility and improve audit.log.5 manual page. I made these
> patches against OpenBSM 1.0 alpha 12 release. Unfortunately, I can't test 64
> bits tokens and also I couldn't test some other tokens so I call for
> testing. Of course all comments and suggestions are welcome. I also added
> some token descriptions to audit.log.5 manual page.
>
> Instructions:
> # cd DIR_WITH_OBSM_alpha12
> # patch < xml.patch
> # patch < doc.patch

This sounds really good! A few high level comments, without having really dug
in yet:

- Is xml mode exclusive of other modes, such as short? If so, we should check
  for combined use and print a usage message if the requested use isn't
  allowed.

- Functions mis-spelled in libbsm.h comment.

- In general, we should prefix public function names in libbsm with au_, in
  order to avoid symbol name collisions with applications and other libraries.
  This should definitely be the case for non-static function names, and we
  should think about also doing it for new static ones. So, for example, the
  header printing functions.

- I wonder if we should be introducing a new au_print_tok_xml() call, since
  the current API is one we expose to applications and probably shouldn't be
  changed? Should "short form" and "xml form" be mutually exclusive?
  Presumably "raw" is still interesting when combined with "xml"? Combining
  them for internal APIs (and changing them) makes sense and is fine, it's
  just changing current application interfaces that is undesirable. Mind you,
  our au_print_tok() appears to be different from the one in Solaris.

- Is the patch for audit.log.5 backwards (i.e., the revert patch rather than
  the apply patch)? It looks good, just backwards, I think.

- Is this the same XML format that Solaris's praudit uses, or a different one?
  Could you produce documentation for the parseable XML format, or at least,
  notes that someone with nroff clue could convert to a man page for you?

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge