* audit 2.3.6 released
@ 2014-04-11 21:17 Steve Grubb
  2014-04-13  1:51 ` Burn Alting
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2014-04-11 21:17 UTC (permalink / raw)
  To: linux audit

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- Add an option to auditctl to interpret a0 - a3 of syscall rules when listing
- Improve ARM and AARCH64 support (AKASHI Takahiro)
- Add ausearch --checkpoint feature (Burn Alting)
- Add --arch option to ausearch
- Improve too long config line in audispd, auditd, and auparse (#1071580)
- Fix aulast to accept the new AUDIT_LOGIN record format
- Remove clear_config symbol in auparse

I decided to go ahead and release this one because of some concern about an 
unintended symbol popping up in the auparse ABI.

This release includes a bunch of new stuff. You can now add a '-i' to the
listing command of auditctl and it will interpret a0-a3 if they are included
in any rules.

There is new support for arm as mentioned in an email a few weeks ago. If you 
were compiling --with-armeb, you now need to change to --with-arm. Cross 
compile support is not yet in place.

There is a new checkpoint feature to ausearch. What it does is give you all 
the events that have occurred since the last checkpoint.

Ausearch now has a --arch search option just in case you needed to find i386
events on an x86_64 machine.

There were a number of cleanups to the code as well.

Please let me know if you run across any problems with this release.

-Steve

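The checkpoint feature announced above, and the inode-reuse edge case that Burn Alting raises in his reply further down the thread, both come down to one per-event decision that ausearch makes while scanning a log file: is this event before the saved checkpoint, the checkpoint itself, after it, or evidence that the file cannot be the one the checkpoint was taken from. The C program below is an added example, not code from the audit project or from either poster. It models that decision with its own names (`struct ev`, `parse_event`, `chkpt_decide`, `scan_log`, `LEN`) over constructed log lines and a constructed checkpoint, and uses the same two-second event-completion window that the patch in the reply calls MAX_EVENT_DELTA_SECS. Normal mode looks for the exact saved stamp and reports an error when an event more than two seconds newer than the checkpoint is met first; time-only mode is the recovery path that emits everything at or after the saved time.

```c
#include <stdio.h>
#include <string.h>
#define MAX_EVENT_DELTA_SECS 2   /* same event-completion window the patch uses */
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* What ausearch saves for an event: the msg=audit(sec.milli:serial) stamp. */
struct ev {
    unsigned long sec;
    unsigned int milli;
    unsigned long serial;
};
/* Pull the audit stamp out of one log record; 0 if the line has none. */
int parse_event(const char *line, struct ev *e)
{
    const char *p = strstr(line, "msg=audit(");
    if (p == NULL)
        return 0;
    return sscanf(p, "msg=audit(%lu.%u:%lu)", &e->sec, &e->milli, &e->serial) == 3;
}
enum decision {
    D_SKIP = 0,              /* still before the checkpoint */
    D_OUTPUT = 1,            /* after the checkpoint: report it */
    D_IS_CHECKPOINT = 2,     /* the checkpointed event itself: reported last run */
    D_CHKPT_NOT_IN_FILE = 3  /* a newer complete event came first: inode reused */
};
/* Decision for one event; can_output is carried across calls, as in ausearch. */
enum decision chkpt_decide(const struct ev *cp, const struct ev *e,
                           int *can_output, int time_only)
{
    if (!time_only && cp->sec == e->sec && cp->milli == e->milli &&
        cp->serial == e->serial) {
        *can_output = 1;                 /* everything after this event is new */
        return D_IS_CHECKPOINT;
    }
    if (*can_output)
        return D_OUTPUT;
    if (time_only) {
        /* Recovery mode: timestamps only. An event sharing the checkpoint's
         * second and millisecond is emitted again. */
        if (cp->sec < e->sec || (cp->sec == e->sec && cp->milli <= e->milli)) {
            *can_output = 1;
            return D_OUTPUT;
        }
        return D_SKIP;
    }
    /* More than MAX_EVENT_DELTA_SECS past the checkpoint without meeting it:
     * the checkpointed event cannot be in this file. */
    if (cp->sec < e->sec && e->sec - cp->sec > MAX_EVENT_DELTA_SECS)
        return D_CHKPT_NOT_IN_FILE;
    return D_SKIP;
}
/* Scan one log file given as lines. Returns the number of records reported,
 * or -1 when the file does not hold the checkpointed event. */
int scan_log(const char *const *lines, int n, const struct ev *cp, int time_only)
{
    int can_output = 0, reported = 0, i;
    for (i = 0; i < n; i++) {
        struct ev e;
        if (!parse_event(lines[i], &e))
            continue;
        switch (chkpt_decide(cp, &e, &can_output, time_only)) {
        case D_OUTPUT:
            reported++;
            break;
        case D_CHKPT_NOT_IN_FILE:
            fprintf(stderr, "checkpointed event %lu.%03u:%lu not in file; "
                    "newer complete event %lu.%03u:%lu seen first\n",
                    cp->sec, cp->milli, cp->serial, e.sec, e.milli, e.serial);
            return -1;
        default:
            break;
        }
    }
    return reported;
}
/* Constructed sample data (not real audit output): one checkpoint, two files. */
const struct ev checkpoint = { 1397251000UL, 500, 4567UL };
/* audit.log.1: genuinely continues past the checkpoint. */
const char *const log_continuing[] = {
    "type=SYSCALL msg=audit(1397250999.100:4566): arch=c000003e syscall=2 success=yes",
    "type=SYSCALL msg=audit(1397251000.500:4567): arch=c000003e syscall=2 success=yes",
    "type=CWD msg=audit(1397251000.500:4567): cwd=\"/tmp\"",
    "type=SYSCALL msg=audit(1397251001.200:4568): arch=c000003e syscall=59 success=yes",
    "type=SYSCALL msg=audit(1397251004.000:4569): arch=c000003e syscall=2 success=no",
};
/* audit.log.2: same inode as saved, but rotated since; every event is newer. */
const char *const log_reused_inode[] = {
    "type=SYSCALL msg=audit(1397251100.000:5000): arch=c000003e syscall=2 success=yes",
    "type=SYSCALL msg=audit(1397251100.300:5001): arch=c000003e syscall=2 success=yes",
};

int main(void)
{
    printf("%d %d %d\n",
           scan_log(log_continuing, LEN(log_continuing), &checkpoint, 0),      /* 2 */
           scan_log(log_reused_inode, LEN(log_reused_inode), &checkpoint, 0),  /* -1 */
           scan_log(log_reused_inode, LEN(log_reused_inode), &checkpoint, 1)); /* 2 */
    return 0;
}
```

Run as is, it prints `2 -1 2`: the genuine continuation yields the two events after the checkpoint (the second record of the checkpointed event is recognised and not repeated), the rotated file with a reused inode is rejected, and the time-only rerun over that file emits both of its events. The cost of the recovery mode shows up if you run time-only over the continuing file instead: it reports four records, because the `<=` comparison re-emits both records that share the checkpoint's millisecond. That is the trade-off of comparing by time alone, and why the exact-stamp path is tried first.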

* Re: audit 2.3.6 released
  2014-04-11 21:17 audit 2.3.6 released Steve Grubb
@ 2014-04-13  1:51 ` Burn Alting
  2014-04-15  0:11   ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Burn Alting @ 2014-04-13  1:51 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux audit


Steve,

I have identified an edge case with checkpointing where the recorded
inode is still a valid inode for one of the /var/log/audit.log* files
but the recorded event is not in the identified file.

This is reproduced by performing an ausearch with checkpoint, then
generating sufficient audit events such that all the events in
the /var/log/audit.log* files are more recent than the checkpointed
event. Quite often, one of the audit.log* files will have the same inode
as initially recorded in the ausearch checkpoint file.

A patch is attached that addresses this.

Essentially the modification
- notices if we identify an audit.log file to use but we do not find the
recorded audit event in that log file, and so reports an error (to stderr)
and returns a new exit code (12)
- allows checkpointing to only use the recorded time from the checkpoint
file for comparisons.

You will note that the patch also contains changes to swig/audit.py.
Although this file is automatically generated, it is part of the 2.3.6
release ... should it be? I also note that a lot of Makefile.in's are
also part of the release. Again, should these automatically generated
files be part of the release?


Rgds

On Fri, 2014-04-11 at 17:17 -0400, Steve Grubb wrote:
> I've just released a new version of the audit daemon. It can be downloaded 
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
> soon. The ChangeLog is:
> 
> - Add an option to auditctl to interpret a0 - a3 of syscall rules when listing
> - Improve ARM and AARCH64 support (AKASHI Takahiro)
> - Add ausearch --checkpoint feature (Burn Alting)
> - Add --arch option to ausearch
> - Improve too long config line in audispd, auditd, and auparse (#1071580)
> - Fix aulast to accept the new AUDIT_LOGIN record format
> - Remove clear_config symbol in auparse
> 
> I decided to go ahead and release this one because of some concern about an 
> unintended symbol popping up in the auparse ABI.
> 
> This release includes a bunch of new stuff. You can now add a '-i' to the
> listing command of auditctl and it will interpret a0-a3 if they are included
> in any rules.
> 
> There is new support for arm as mentioned in an email a few weeks ago. If you 
> were compiling --with-armeb, you now need to change to --with-arm. Cross 
> compile support is not yet in place.
> 
> There is a new checkpoint feature to ausearch. What it does is give you all 
> the events that have occurred since the last checkpoint.
> 
> Ausearch now has a --arch search option just in case you needed to find i386
> events on an x86_64 machine.
> 
> There were a number of cleanups to the code as well.
> 
> Please let me know if you run across any problems with this release.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit


[-- Attachment #2: audit-2.3.6_checkpoint_mods.patch --]
[-- Type: text/x-patch, Size: 56408 bytes --]

diff -Npru audit-2.3.6/docs/ausearch.8 audit-2.3.6_checkpoint_mods/docs/ausearch.8
--- audit-2.3.6/docs/ausearch.8	2014-04-12 05:49:28.000000000 +1000
+++ audit-2.3.6_checkpoint_mods/docs/ausearch.8	2014-04-13 11:15:06.768336618 +1000
@@ -50,6 +50,24 @@ Should the file or checkpointed complete
 will terminate.
 
 .TP
+.BR \-\-checkpoint-time-only
+When checkpointing, this option will only rely upon the checkpoint files' timestamp 
+for comparison. Thus it will ignore inode, device, serial, node and event type.
+
+Essentailly, this is the recovery action should an \fIausearch\fP with a checkpoint fail with an
+exit status of 10, 11 or 12. An appropriate script extract might look like
+.sp
+.nf
+.na
+ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
+_au_status=$?
+if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
+then
+	ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --checkpoint-time-only -i
+fi
+.ad
+.fi
+.TP
 .BR \-e,\  \-\-exit \ \fIexit-code-or-errno\fP
 Search for an event based on the given syscall \fIexit code or errno\fP.
 .TP
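Review bot: the shell fragment in the new .nf block does not run as written: `test ${_au_status} eq 10` needs the numeric operator `-eq`, i.e. `test ${_au_status} -eq 10 -o ${_au_status} -eq 11 -o ${_au_status} -eq 12`, otherwise test reports a syntax error and the recovery branch is never taken. In the option text, "Essentailly" should be "Essentially" and "checkpoint files' timestamp" should be "checkpoint file's timestamp". It would also help to state that the option is only meaningful together with --checkpoint.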
@@ -183,6 +201,8 @@ if nothing found, or argument errors or
 bad checkpoint data,
 11
 checkpoint processing error
+12
+checkpoint file corruption
 .SH "SEE ALSO"
 .BR auditd (8),
 .BR pam_loginuid (8).
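Review bot: "checkpoint file corruption" for exit status 12 describes a different failure from the one the code detects: the checkpoint file itself parses fine, the problem is that the log file whose device and inode matched does not contain the checkpointed event (inode reuse after rotation). Wording such as "12 checkpointed event not found in the log file matching the checkpoint's inode" tells the operator that --checkpoint-time-only is the intended recovery.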
diff -Npru audit-2.3.6/src/ausearch.c audit-2.3.6_checkpoint_mods/src/ausearch.c
--- audit-2.3.6/src/ausearch.c	2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpoint_mods/src/ausearch.c	2014-04-13 11:16:52.723837400 +1000
@@ -153,8 +153,13 @@ int main(int argc, char *argv[])
 			save_ChkPt(checkpt_filename);
 		free_ChkPtMemory();
 		free((void *)checkpt_filename);
+		/*
+ 		 * A checkpoint failure at this point means we failed attempting to
+ 		 * create the checkpoint file and so we will return 11
+ 		 * or we had a corrupted checkpoint file and we will return 12
+ 		 */
 		if (checkpt_failure)
-			rc = 11;
+			rc = ((checkpt_failure & CP_CORRUPTED) == CP_CORRUPTED) ? 12 : 11;
 	}
 
 	lol_clear(&lo);
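Review bot: the new comment lines are indented with a space followed by tabs while the surrounding code uses tabs only; please match the file. `(checkpt_failure & CP_CORRUPTED) == CP_CORRUPTED` can be written as `checkpt_failure & CP_CORRUPTED` since it is a single-bit flag; the same pattern recurs in process_logs and chkpt_output_decision.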
@@ -236,8 +241,15 @@ static int process_logs(void)
 			 */
 			if (	(sbuf.st_dev == chkpt_input_dev) &&
 				(sbuf.st_ino == chkpt_input_ino) ) {
-				found_chkpt_file = num++;
-				break;
+				/*
+ 				 * If we are ignoing all but time, then we don't stop checking more
+ 				 * files and just let this loop go to completion and hence
+ 				 * we will find the 'oldest' file.
+ 				 */
+				if (!((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)) {
+					found_chkpt_file = num++;
+					break;
+				}
 			}
 		}
 
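Review bot: "ignoing" should be "ignoring". More substantively, in time-only mode this branch never sets found_chkpt_file and never breaks, so the loop walks every audit.log.N and, per the comment, ends on the oldest file; the comment should say outright that all rotated files are then scanned from the oldest and filtered purely by event time, since that is a noticeably more expensive run than the normal single-file start. `!((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)` reads more simply as `!(control_options & OPT_CHKPT_TIME_ONLY)`.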
@@ -245,8 +257,10 @@ static int process_logs(void)
 		snprintf(filename, len, "%s.%d", config.log_file, num);
 	} while (1);
 
-	/* If a checkpoint is loaded but can't find it's file, error */
-	if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1) {
+	/* If a checkpoint is loaded but can't find it's file, and
+ 	 * we are not only checking time, we need to error */
+	if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1
+	&& !((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)) {
 		free(filename);
 		free_config(&config);
 		return 10;
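Review bot: the continuation line `&& !((control_options & OPT_CHKPT_TIME_ONLY) ...)` is indented one tab less than the condition it belongs to, so at a glance it reads as statement level; indent it under the `if (`. While the comment is being touched, "can't find it's file" should be "can't find its file".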
@@ -305,6 +319,7 @@ static int process_logs(void)
  * 	0 	no output
  * 	1	can output
  * 	2	can output but not this event
+ * 	3	we have a time > MAX_EVENT_DELTA_SECS seconds since our checkpoint (which means we have a complete event)
  */
 static int chkpt_output_decision(event * e)
 {
@@ -329,6 +344,25 @@ static int chkpt_output_decision(event *
 		return 1;	/* can output on this event */
 	}
 
+	/*
+	 * If we are ignoring all but event time, then we output if the current
+	 * event's time is greater than or equal to the checkpoint time.
+	 */
+	if ((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY) {
+		if (
+			(chkpt_input_levent.sec < e->sec)
+		||
+			(
+				(chkpt_input_levent.sec == e->sec)
+			&&
+				(chkpt_input_levent.milli <= e->milli)
+			)
+		) {
+			can_output = 1;
+			return 1;   /* can output on this event */
+		}
+	}
+
 	if ( chkpt_input_levent.sec == e->sec &&
 		chkpt_input_levent.milli == e->milli &&
 		chkpt_input_levent.serial == e->serial &&
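Review bot: in time-only mode the comparison is `<=` on (sec, milli), so the checkpointed event itself, and any other event in the same millisecond, is output again on the recovery run. Either document this duplicate in the man page entry for --checkpoint-time-only or, since the serial is still available, skip events whose stamp equals the saved one exactly. The condition's layout (each operator alone on its line) does not match the rest of the file; `if (chkpt_input_levent.sec < e->sec || (chkpt_input_levent.sec == e->sec && chkpt_input_levent.milli <= e->milli))` fits on two lines.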
@@ -349,6 +383,29 @@ static int chkpt_output_decision(event *
  		 * value
  		 */
 	}
+	/*
+	 * If the event we are looking at is more than MAX_EVENT_DELTA_SECS seconds past
+	 * our checkpoint event, then by definition we should have had a complete
+	 * event (ie a complete event is one where at least MAX_EVENT_DELTA_SECS seconds have
+	 * passed since it's last output record).
+	 * This means there is a problem for the checkpoint event should be the last
+	 * complete event in the file. Normally we see this if the checkpoint is very
+	 * old and the system has used the same inode again in an audit log file.
+	 */
+	if (
+		(chkpt_input_levent.sec < e->sec)
+	&&
+		((e->sec - chkpt_input_levent.sec) > MAX_EVENT_DELTA_SECS)
+	) {
+#if 0
+		fprintf(stderr, "%s %lu.%03d:%lu vs %s %lu.%03d:%lu\n",
+			chkpt_input_levent.host ? chkpt_input_levent.host : "-",
+			chkpt_input_levent.sec, chkpt_input_levent.milli, chkpt_input_levent.serial,
+			e->host, e->sec, e->milli, e->serial);
+#endif
+		return 3;
+	}
+
 	return 0;
 }
 
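Review bot: the `#if 0` fprintf should not be merged as dead code; either drop it or gate it on the existing event_debug flag, which already sends diagnostics about skipped events to stderr. The first conjunct `chkpt_input_levent.sec < e->sec` is implied by `(e->sec - chkpt_input_levent.sec) > MAX_EVENT_DELTA_SECS` for a signed sec, so one of the two suffices; if it is there to guard an unsigned subtraction against wraparound, say so in the comment. Also "since it's last output record" should be "since its last output record".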
@@ -391,7 +448,19 @@ static int process_log_fd(void)
 						return 4;	/* no memory */
 					}
 				}
+			} else if (do_output == 3) {
+				fprintf(stderr,
+			"Corrupted checkpoint file. Inode match, but newer complete event (%lu.%03d:%lu) found before loaded checkpoint %lu.%03d:%lu\n",
+					entries->e.sec, entries->e.milli, entries->e.serial,
+					chkpt_input_levent.sec, chkpt_input_levent.milli,
+					chkpt_input_levent.serial);
+				checkpt_failure |= CP_CORRUPTED;
+				list_clear(entries);
+				free(entries);
+				fclose(log_fd);
+				return 10;
 			}
+
 			if (just_one) {
 				list_clear(entries);
 				free(entries);
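Review bot: the message says "Corrupted checkpoint file" but the file is intact; the condition is that the log file sharing the saved inode does not contain the saved event, so the text should say that (for example "Checkpointed event not found in matching log file: newer complete event ... seen before ..."). This path returns 10 from process_log_fd while also setting CP_CORRUPTED, so the final exit status of 12 relies on main() translating checkpt_failure after the return value has been discarded; a one-line comment here pointing at that mapping saves the next reader a search. The format string is dedented to the `}` column, which breaks the visual nesting of the call.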
diff -Npru audit-2.3.6/src/ausearch-checkpt.h audit-2.3.6_checkpoint_mods/src/ausearch-checkpt.h
--- audit-2.3.6/src/ausearch-checkpt.h	2014-04-12 05:49:26.000000000 +1000
+++ audit-2.3.6_checkpoint_mods/src/ausearch-checkpt.h	2014-04-13 10:38:07.786096319 +1000
@@ -31,6 +31,7 @@ int load_ChkPt(const char *fn);
 #define	CP_STATFAILED	0x0002	/* stat() call on last log file failed */
 #define	CP_STATUSIO	0x0004	/* cannot open/read/write checkpoint file */
 #define	CP_STATUSBAD	0x0008	/* malformed status checkpoint entries */
+#define	CP_CORRUPTED	0x0010	/* corrupted times in checkpoint file */
 
 extern unsigned checkpt_failure;
 
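Review bot: the comment "corrupted times in checkpoint file" misdescribes CP_CORRUPTED; the flag is raised when the saved event is missing from the log file whose inode matched, not when the file's times are malformed (that case is CP_STATUSBAD). Suggest `/* checkpointed event not found in matching log file (inode reuse) */`.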
diff -Npru audit-2.3.6/src/ausearch-common.h audit-2.3.6_checkpoint_mods/src/ausearch-common.h
--- audit-2.3.6/src/ausearch-common.h	2014-04-12 05:49:26.000000000 +1000
+++ audit-2.3.6_checkpoint_mods/src/ausearch-common.h	2014-04-13 10:38:54.898769428 +1000
@@ -28,6 +28,16 @@
 
 #include "ausearch-string.h"
 
+/*
+ * MAX_EVENT_DELTA_SECS is the maximum number of seconds it would take for auditd
+ * and the kernel to emit all an events records.  Thus, when scanning a list of
+ * audit records without any End of Event marker, we can determine if all an event's
+ * records have been collected if we compare that event's time with the time of the
+ * event we are currently scanning. If MAX_EVENT_DELTA_SECS have passed, then the 
+ * event is deamed to be complete and we have all it's records.
+ */
+#define	MAX_EVENT_DELTA_SECS	2
+
 /* Global variables that describe what search is to be performed */
 extern time_t start_time, end_time;
 extern unsigned int event_id;
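Review bot: typos in the new comment: "all an events records" should be "all of an event's records", "deamed" should be "deemed", and "it's records" should be "its records". It is also worth noting in the comment that this value was previously a literal 2 in ausearch-lol.c and that both the end-of-event detection there and the new checkpoint sanity check now depend on it, so it must not be changed without checking how long auditd and the kernel actually take to finish an event.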
diff -Npru audit-2.3.6/src/ausearch-lol.c audit-2.3.6_checkpoint_mods/src/ausearch-lol.c
--- audit-2.3.6/src/ausearch-lol.c	2014-04-12 05:49:24.000000000 +1000
+++ audit-2.3.6_checkpoint_mods/src/ausearch-lol.c	2014-04-13 10:39:44.063432907 +1000
@@ -195,8 +195,8 @@ static void check_events(lol *lo, time_t
 	for(i=0;i<=lo->maxi; i++) {
 		lolnode *cur = &lo->array[i];
 		if (cur->status == L_BUILDING) {
-			// If 2 seconds have elapsed, we are done
-			if (cur->l->e.sec + 2 < sec) { 
+			// If MAX_EVENT_DELTA_SECS seconds have elapsed, we are done
+			if (cur->l->e.sec + MAX_EVENT_DELTA_SECS < sec) { 
 				cur->status = L_COMPLETE;
 				ready++;
 			} else if (cur->l->e.type < AUDIT_FIRST_EVENT ||
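Review bot: MAX_EVENT_DELTA_SECS is used here but this hunk adds no `#include "ausearch-common.h"`; please confirm ausearch-lol.c already pulls that header in, directly or through another include, otherwise this file no longer compiles. Replacing the literal 2 with the named constant is the right move.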
diff -Npru audit-2.3.6/src/ausearch-options.c audit-2.3.6_checkpoint_mods/src/ausearch-options.c
--- audit-2.3.6/src/ausearch-options.c	2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpoint_mods/src/ausearch-options.c	2014-04-13 11:18:30.723319387 +1000
@@ -56,6 +56,11 @@ int event_session_id = -2;
 int event_exit = 0, event_exit_is_set = 0;
 int line_buffered = 0;
 int event_debug = 0;
+/*
+ * Holds command line flag options. See ausearch-options.h
+ */
+unsigned	control_options = 0;
+
 const char *event_key = NULL;
 const char *event_filename = NULL;
 const char *event_exe = NULL;
@@ -83,7 +88,7 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
-S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
+S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH, S_CHECKPOINT_TIME_ONLY };
 
 static struct nv_pair optiontab[] = {
 	{ S_EVENT, "-a" },
@@ -92,6 +97,7 @@ static struct nv_pair optiontab[] = {
 	{ S_COMM, "-c" },
 	{ S_COMM, "--comm" },
 	{ S_CHECKPOINT, "--checkpoint" },
+	{ S_CHECKPOINT_TIME_ONLY, "--checkpoint-time-only" },
 	{ S_DEBUG, "--debug" },
 	{ S_EXIT, "-e" },
 	{ S_EXIT, "--exit" },
@@ -183,6 +189,7 @@ static void usage(void)
 	"\t--arch <CPU>\t\t\tsearch based on the CPU architecture\n"
 	"\t-c,--comm  <Comm name>\t\tsearch based on command line name\n"
 	"\t--checkpoint <checkpoint file>\tsearch from last complete event\n"
+	"\t--checkpoint-time-only\tonly use saved time for comparisions when checkpointing\n"
 	"\t--debug\t\t\tWrite malformed events that are skipped to stderr\n"
 	"\t-e,--exit  <Exit code or errno>\tsearch based on syscall exit code\n"
 	"\t-f,--file  <File name>\t\tsearch based on file name\n"
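Review bot: "comparisions" should be "comparisons" in the usage string, and the single `\t` after the option name will leave the description out of line with the `\t\t` column used on the neighbouring --checkpoint entry. The text should also say the option is a modifier for --checkpoint rather than a search option on its own.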
@@ -1154,6 +1161,9 @@ int check_params(int count, char *vars[]
 			}
 			c++;
 			break;
+		case S_CHECKPOINT_TIME_ONLY:
+			control_options |= OPT_CHKPT_TIME_ONLY;
+			break;
 		default:
 			fprintf(stderr, "%s is an unsupported option\n", 
 				vars[c]);
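Review bot: --checkpoint-time-only is accepted without --checkpoint; nothing in this case checks that checkpt_filename is set, so the flag is silently ignored. Either reject the combination at the end of check_params ("--checkpoint-time-only requires --checkpoint") or document that it is a no-op on its own, so that a recovery script with a mistyped invocation does not believe it has recovered.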
diff -Npru audit-2.3.6/src/ausearch-options.h audit-2.3.6_checkpoint_mods/src/ausearch-options.h
--- audit-2.3.6/src/ausearch-options.h	2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpoint_mods/src/ausearch-options.h	2014-04-13 11:18:01.564478399 +1000
@@ -47,5 +47,12 @@ extern report_t report_format;
 /* Function to process commandline options */
 extern int check_params(int count, char *vars[]);
 
+extern unsigned	control_options;
+
+/*
+ * Flags for control_options
+ */
+#define	OPT_CHKPT_TIME_ONLY	0x0001	/* when checkpointing, only use time for comparisons */
+
 #endif
 
diff -Npru audit-2.3.6/swig/audit.py audit-2.3.6_checkpoint_mods/swig/audit.py
--- audit-2.3.6/swig/audit.py	2014-04-12 05:49:49.000000000 +1000
+++ audit-2.3.6_checkpoint_mods/swig/audit.py	1970-01-01 10:00:00.000000000 +1000
@@ -1,992 +0,0 @@
-# This file was automatically generated by SWIG (http://www.swig.org).
-# Version 2.0.11
-#
-# Do not make changes to this file unless you know what you are doing--modify
-# the SWIG interface file instead.
-
-
-
-
-
-from sys import version_info
-if version_info >= (2,6,0):
-    def swig_import_helper():
-        from os.path import dirname
-        import imp
-        fp = None
-        try:
-            fp, pathname, description = imp.find_module('_audit', [dirname(__file__)])
-        except ImportError:
-            import _audit
-            return _audit
-        if fp is not None:
-            try:
-                _mod = imp.load_module('_audit', fp, pathname, description)
-            finally:
-                fp.close()
-            return _mod
-    _audit = swig_import_helper()
-    del swig_import_helper
-else:
-    import _audit
-del version_info
-try:
-    _swig_property = property
-except NameError:
-    pass # Python < 2.2 doesn't have 'property'.
-def _swig_setattr_nondynamic(self,class_type,name,value,static=1):
-    if (name == "thisown"): return self.this.own(value)
-    if (name == "this"):
-        if type(value).__name__ == 'SwigPyObject':
-            self.__dict__[name] = value
-            return
-    method = class_type.__swig_setmethods__.get(name,None)
-    if method: return method(self,value)
-    if (not static):
-        self.__dict__[name] = value
-    else:
-        raise AttributeError("You cannot add attributes to %s" % self)
-
-def _swig_setattr(self,class_type,name,value):
-    return _swig_setattr_nondynamic(self,class_type,name,value,0)
-
-def _swig_getattr(self,class_type,name):
-    if (name == "thisown"): return self.this.own()
-    method = class_type.__swig_getmethods__.get(name,None)
-    if method: return method(self)
-    raise AttributeError(name)
-
-def _swig_repr(self):
-    try: strthis = "proxy of " + self.this.__repr__()
-    except: strthis = ""
-    return "<%s.%s; %s >" % (self.__class__.__module__, self.__class__.__name__, strthis,)
-
-try:
-    _object = object
-    _newclass = 1
-except AttributeError:
-    class _object : pass
-    _newclass = 0
-
-
-AUDIT_GET = _audit.AUDIT_GET
-AUDIT_SET = _audit.AUDIT_SET
-AUDIT_LIST = _audit.AUDIT_LIST
-AUDIT_ADD = _audit.AUDIT_ADD
-AUDIT_DEL = _audit.AUDIT_DEL
-AUDIT_USER = _audit.AUDIT_USER
-AUDIT_LOGIN = _audit.AUDIT_LOGIN
-AUDIT_WATCH_INS = _audit.AUDIT_WATCH_INS
-AUDIT_WATCH_REM = _audit.AUDIT_WATCH_REM
-AUDIT_WATCH_LIST = _audit.AUDIT_WATCH_LIST
-AUDIT_SIGNAL_INFO = _audit.AUDIT_SIGNAL_INFO
-AUDIT_ADD_RULE = _audit.AUDIT_ADD_RULE
-AUDIT_DEL_RULE = _audit.AUDIT_DEL_RULE
-AUDIT_LIST_RULES = _audit.AUDIT_LIST_RULES
-AUDIT_TRIM = _audit.AUDIT_TRIM
-AUDIT_MAKE_EQUIV = _audit.AUDIT_MAKE_EQUIV
-AUDIT_TTY_GET = _audit.AUDIT_TTY_GET
-AUDIT_TTY_SET = _audit.AUDIT_TTY_SET
-AUDIT_SET_FEATURE = _audit.AUDIT_SET_FEATURE
-AUDIT_GET_FEATURE = _audit.AUDIT_GET_FEATURE
-AUDIT_FEATURE_CHANGE = _audit.AUDIT_FEATURE_CHANGE
-AUDIT_FIRST_USER_MSG = _audit.AUDIT_FIRST_USER_MSG
-AUDIT_USER_AVC = _audit.AUDIT_USER_AVC
-AUDIT_USER_TTY = _audit.AUDIT_USER_TTY
-AUDIT_LAST_USER_MSG = _audit.AUDIT_LAST_USER_MSG
-AUDIT_FIRST_USER_MSG2 = _audit.AUDIT_FIRST_USER_MSG2
-AUDIT_LAST_USER_MSG2 = _audit.AUDIT_LAST_USER_MSG2
-AUDIT_DAEMON_START = _audit.AUDIT_DAEMON_START
-AUDIT_DAEMON_END = _audit.AUDIT_DAEMON_END
-AUDIT_DAEMON_ABORT = _audit.AUDIT_DAEMON_ABORT
-AUDIT_DAEMON_CONFIG = _audit.AUDIT_DAEMON_CONFIG
-AUDIT_SYSCALL = _audit.AUDIT_SYSCALL
-AUDIT_PATH = _audit.AUDIT_PATH
-AUDIT_IPC = _audit.AUDIT_IPC
-AUDIT_SOCKETCALL = _audit.AUDIT_SOCKETCALL
-AUDIT_CONFIG_CHANGE = _audit.AUDIT_CONFIG_CHANGE
-AUDIT_SOCKADDR = _audit.AUDIT_SOCKADDR
-AUDIT_CWD = _audit.AUDIT_CWD
-AUDIT_EXECVE = _audit.AUDIT_EXECVE
-AUDIT_IPC_SET_PERM = _audit.AUDIT_IPC_SET_PERM
-AUDIT_MQ_OPEN = _audit.AUDIT_MQ_OPEN
-AUDIT_MQ_SENDRECV = _audit.AUDIT_MQ_SENDRECV
-AUDIT_MQ_NOTIFY = _audit.AUDIT_MQ_NOTIFY
-AUDIT_MQ_GETSETATTR = _audit.AUDIT_MQ_GETSETATTR
-AUDIT_KERNEL_OTHER = _audit.AUDIT_KERNEL_OTHER
-AUDIT_FD_PAIR = _audit.AUDIT_FD_PAIR
-AUDIT_OBJ_PID = _audit.AUDIT_OBJ_PID
-AUDIT_TTY = _audit.AUDIT_TTY
-AUDIT_EOE = _audit.AUDIT_EOE
-AUDIT_BPRM_FCAPS = _audit.AUDIT_BPRM_FCAPS
-AUDIT_CAPSET = _audit.AUDIT_CAPSET
-AUDIT_MMAP = _audit.AUDIT_MMAP
-AUDIT_NETFILTER_PKT = _audit.AUDIT_NETFILTER_PKT
-AUDIT_NETFILTER_CFG = _audit.AUDIT_NETFILTER_CFG
-AUDIT_SECCOMP = _audit.AUDIT_SECCOMP
-AUDIT_AVC = _audit.AUDIT_AVC
-AUDIT_SELINUX_ERR = _audit.AUDIT_SELINUX_ERR
-AUDIT_AVC_PATH = _audit.AUDIT_AVC_PATH
-AUDIT_MAC_POLICY_LOAD = _audit.AUDIT_MAC_POLICY_LOAD
-AUDIT_MAC_STATUS = _audit.AUDIT_MAC_STATUS
-AUDIT_MAC_CONFIG_CHANGE = _audit.AUDIT_MAC_CONFIG_CHANGE
-AUDIT_MAC_UNLBL_ALLOW = _audit.AUDIT_MAC_UNLBL_ALLOW
-AUDIT_MAC_CIPSOV4_ADD = _audit.AUDIT_MAC_CIPSOV4_ADD
-AUDIT_MAC_CIPSOV4_DEL = _audit.AUDIT_MAC_CIPSOV4_DEL
-AUDIT_MAC_MAP_ADD = _audit.AUDIT_MAC_MAP_ADD
-AUDIT_MAC_MAP_DEL = _audit.AUDIT_MAC_MAP_DEL
-AUDIT_MAC_IPSEC_ADDSA = _audit.AUDIT_MAC_IPSEC_ADDSA
-AUDIT_MAC_IPSEC_DELSA = _audit.AUDIT_MAC_IPSEC_DELSA
-AUDIT_MAC_IPSEC_ADDSPD = _audit.AUDIT_MAC_IPSEC_ADDSPD
-AUDIT_MAC_IPSEC_DELSPD = _audit.AUDIT_MAC_IPSEC_DELSPD
-AUDIT_MAC_IPSEC_EVENT = _audit.AUDIT_MAC_IPSEC_EVENT
-AUDIT_MAC_UNLBL_STCADD = _audit.AUDIT_MAC_UNLBL_STCADD
-AUDIT_MAC_UNLBL_STCDEL = _audit.AUDIT_MAC_UNLBL_STCDEL
-AUDIT_FIRST_KERN_ANOM_MSG = _audit.AUDIT_FIRST_KERN_ANOM_MSG
-AUDIT_LAST_KERN_ANOM_MSG = _audit.AUDIT_LAST_KERN_ANOM_MSG
-AUDIT_ANOM_PROMISCUOUS = _audit.AUDIT_ANOM_PROMISCUOUS
-AUDIT_ANOM_ABEND = _audit.AUDIT_ANOM_ABEND
-AUDIT_ANOM_LINK = _audit.AUDIT_ANOM_LINK
-AUDIT_INTEGRITY_DATA = _audit.AUDIT_INTEGRITY_DATA
-AUDIT_INTEGRITY_METADATA = _audit.AUDIT_INTEGRITY_METADATA
-AUDIT_INTEGRITY_STATUS = _audit.AUDIT_INTEGRITY_STATUS
-AUDIT_INTEGRITY_HASH = _audit.AUDIT_INTEGRITY_HASH
-AUDIT_INTEGRITY_PCR = _audit.AUDIT_INTEGRITY_PCR
-AUDIT_INTEGRITY_RULE = _audit.AUDIT_INTEGRITY_RULE
-AUDIT_KERNEL = _audit.AUDIT_KERNEL
-AUDIT_FILTER_USER = _audit.AUDIT_FILTER_USER
-AUDIT_FILTER_TASK = _audit.AUDIT_FILTER_TASK
-AUDIT_FILTER_ENTRY = _audit.AUDIT_FILTER_ENTRY
-AUDIT_FILTER_WATCH = _audit.AUDIT_FILTER_WATCH
-AUDIT_FILTER_EXIT = _audit.AUDIT_FILTER_EXIT
-AUDIT_FILTER_TYPE = _audit.AUDIT_FILTER_TYPE
-AUDIT_NR_FILTERS = _audit.AUDIT_NR_FILTERS
-AUDIT_FILTER_PREPEND = _audit.AUDIT_FILTER_PREPEND
-AUDIT_NEVER = _audit.AUDIT_NEVER
-AUDIT_POSSIBLE = _audit.AUDIT_POSSIBLE
-AUDIT_ALWAYS = _audit.AUDIT_ALWAYS
-AUDIT_MAX_FIELDS = _audit.AUDIT_MAX_FIELDS
-AUDIT_MAX_KEY_LEN = _audit.AUDIT_MAX_KEY_LEN
-AUDIT_BITMASK_SIZE = _audit.AUDIT_BITMASK_SIZE
-AUDIT_SYSCALL_CLASSES = _audit.AUDIT_SYSCALL_CLASSES
-AUDIT_CLASS_DIR_WRITE = _audit.AUDIT_CLASS_DIR_WRITE
-AUDIT_CLASS_DIR_WRITE_32 = _audit.AUDIT_CLASS_DIR_WRITE_32
-AUDIT_CLASS_CHATTR = _audit.AUDIT_CLASS_CHATTR
-AUDIT_CLASS_CHATTR_32 = _audit.AUDIT_CLASS_CHATTR_32
-AUDIT_CLASS_READ = _audit.AUDIT_CLASS_READ
-AUDIT_CLASS_READ_32 = _audit.AUDIT_CLASS_READ_32
-AUDIT_CLASS_WRITE = _audit.AUDIT_CLASS_WRITE
-AUDIT_CLASS_WRITE_32 = _audit.AUDIT_CLASS_WRITE_32
-AUDIT_CLASS_SIGNAL = _audit.AUDIT_CLASS_SIGNAL
-AUDIT_CLASS_SIGNAL_32 = _audit.AUDIT_CLASS_SIGNAL_32
-AUDIT_UNUSED_BITS = _audit.AUDIT_UNUSED_BITS
-AUDIT_COMPARE_UID_TO_OBJ_UID = _audit.AUDIT_COMPARE_UID_TO_OBJ_UID
-AUDIT_COMPARE_GID_TO_OBJ_GID = _audit.AUDIT_COMPARE_GID_TO_OBJ_GID
-AUDIT_COMPARE_EUID_TO_OBJ_UID = _audit.AUDIT_COMPARE_EUID_TO_OBJ_UID
-AUDIT_COMPARE_EGID_TO_OBJ_GID = _audit.AUDIT_COMPARE_EGID_TO_OBJ_GID
-AUDIT_COMPARE_AUID_TO_OBJ_UID = _audit.AUDIT_COMPARE_AUID_TO_OBJ_UID
-AUDIT_COMPARE_SUID_TO_OBJ_UID = _audit.AUDIT_COMPARE_SUID_TO_OBJ_UID
-AUDIT_COMPARE_SGID_TO_OBJ_GID = _audit.AUDIT_COMPARE_SGID_TO_OBJ_GID
-AUDIT_COMPARE_FSUID_TO_OBJ_UID = _audit.AUDIT_COMPARE_FSUID_TO_OBJ_UID
-AUDIT_COMPARE_FSGID_TO_OBJ_GID = _audit.AUDIT_COMPARE_FSGID_TO_OBJ_GID
-AUDIT_COMPARE_UID_TO_AUID = _audit.AUDIT_COMPARE_UID_TO_AUID
-AUDIT_COMPARE_UID_TO_EUID = _audit.AUDIT_COMPARE_UID_TO_EUID
-AUDIT_COMPARE_UID_TO_FSUID = _audit.AUDIT_COMPARE_UID_TO_FSUID
-AUDIT_COMPARE_UID_TO_SUID = _audit.AUDIT_COMPARE_UID_TO_SUID
-AUDIT_COMPARE_AUID_TO_FSUID = _audit.AUDIT_COMPARE_AUID_TO_FSUID
-AUDIT_COMPARE_AUID_TO_SUID = _audit.AUDIT_COMPARE_AUID_TO_SUID
-AUDIT_COMPARE_AUID_TO_EUID = _audit.AUDIT_COMPARE_AUID_TO_EUID
-AUDIT_COMPARE_EUID_TO_SUID = _audit.AUDIT_COMPARE_EUID_TO_SUID
-AUDIT_COMPARE_EUID_TO_FSUID = _audit.AUDIT_COMPARE_EUID_TO_FSUID
-AUDIT_COMPARE_SUID_TO_FSUID = _audit.AUDIT_COMPARE_SUID_TO_FSUID
-AUDIT_COMPARE_GID_TO_EGID = _audit.AUDIT_COMPARE_GID_TO_EGID
-AUDIT_COMPARE_GID_TO_FSGID = _audit.AUDIT_COMPARE_GID_TO_FSGID
-AUDIT_COMPARE_GID_TO_SGID = _audit.AUDIT_COMPARE_GID_TO_SGID
-AUDIT_COMPARE_EGID_TO_FSGID = _audit.AUDIT_COMPARE_EGID_TO_FSGID
-AUDIT_COMPARE_EGID_TO_SGID = _audit.AUDIT_COMPARE_EGID_TO_SGID
-AUDIT_COMPARE_SGID_TO_FSGID = _audit.AUDIT_COMPARE_SGID_TO_FSGID
-AUDIT_MAX_FIELD_COMPARE = _audit.AUDIT_MAX_FIELD_COMPARE
-AUDIT_PID = _audit.AUDIT_PID
-AUDIT_UID = _audit.AUDIT_UID
-AUDIT_EUID = _audit.AUDIT_EUID
-AUDIT_SUID = _audit.AUDIT_SUID
-AUDIT_FSUID = _audit.AUDIT_FSUID
-AUDIT_GID = _audit.AUDIT_GID
-AUDIT_EGID = _audit.AUDIT_EGID
-AUDIT_SGID = _audit.AUDIT_SGID
-AUDIT_FSGID = _audit.AUDIT_FSGID
-AUDIT_LOGINUID = _audit.AUDIT_LOGINUID
-AUDIT_PERS = _audit.AUDIT_PERS
-AUDIT_ARCH = _audit.AUDIT_ARCH
-AUDIT_MSGTYPE = _audit.AUDIT_MSGTYPE
-AUDIT_SUBJ_USER = _audit.AUDIT_SUBJ_USER
-AUDIT_SUBJ_ROLE = _audit.AUDIT_SUBJ_ROLE
-AUDIT_SUBJ_TYPE = _audit.AUDIT_SUBJ_TYPE
-AUDIT_SUBJ_SEN = _audit.AUDIT_SUBJ_SEN
-AUDIT_SUBJ_CLR = _audit.AUDIT_SUBJ_CLR
-AUDIT_PPID = _audit.AUDIT_PPID
-AUDIT_OBJ_USER = _audit.AUDIT_OBJ_USER
-AUDIT_OBJ_ROLE = _audit.AUDIT_OBJ_ROLE
-AUDIT_OBJ_TYPE = _audit.AUDIT_OBJ_TYPE
-AUDIT_OBJ_LEV_LOW = _audit.AUDIT_OBJ_LEV_LOW
-AUDIT_OBJ_LEV_HIGH = _audit.AUDIT_OBJ_LEV_HIGH
-AUDIT_LOGINUID_SET = _audit.AUDIT_LOGINUID_SET
-AUDIT_DEVMAJOR = _audit.AUDIT_DEVMAJOR
-AUDIT_DEVMINOR = _audit.AUDIT_DEVMINOR
-AUDIT_INODE = _audit.AUDIT_INODE
-AUDIT_EXIT = _audit.AUDIT_EXIT
-AUDIT_SUCCESS = _audit.AUDIT_SUCCESS
-AUDIT_WATCH = _audit.AUDIT_WATCH
-AUDIT_PERM = _audit.AUDIT_PERM
-AUDIT_DIR = _audit.AUDIT_DIR
-AUDIT_FILETYPE = _audit.AUDIT_FILETYPE
-AUDIT_OBJ_UID = _audit.AUDIT_OBJ_UID
-AUDIT_OBJ_GID = _audit.AUDIT_OBJ_GID
-AUDIT_FIELD_COMPARE = _audit.AUDIT_FIELD_COMPARE
-AUDIT_ARG0 = _audit.AUDIT_ARG0
-AUDIT_ARG1 = _audit.AUDIT_ARG1
-AUDIT_ARG2 = _audit.AUDIT_ARG2
-AUDIT_ARG3 = _audit.AUDIT_ARG3
-AUDIT_FILTERKEY = _audit.AUDIT_FILTERKEY
-AUDIT_NEGATE = _audit.AUDIT_NEGATE
-AUDIT_BIT_MASK = _audit.AUDIT_BIT_MASK
-AUDIT_LESS_THAN = _audit.AUDIT_LESS_THAN
-AUDIT_GREATER_THAN = _audit.AUDIT_GREATER_THAN
-AUDIT_NOT_EQUAL = _audit.AUDIT_NOT_EQUAL
-AUDIT_EQUAL = _audit.AUDIT_EQUAL
-AUDIT_BIT_TEST = _audit.AUDIT_BIT_TEST
-AUDIT_LESS_THAN_OR_EQUAL = _audit.AUDIT_LESS_THAN_OR_EQUAL
-AUDIT_GREATER_THAN_OR_EQUAL = _audit.AUDIT_GREATER_THAN_OR_EQUAL
-AUDIT_OPERATORS = _audit.AUDIT_OPERATORS
-Audit_equal = _audit.Audit_equal
-Audit_not_equal = _audit.Audit_not_equal
-Audit_bitmask = _audit.Audit_bitmask
-Audit_bittest = _audit.Audit_bittest
-Audit_lt = _audit.Audit_lt
-Audit_gt = _audit.Audit_gt
-Audit_le = _audit.Audit_le
-Audit_ge = _audit.Audit_ge
-Audit_bad = _audit.Audit_bad
-AUDIT_STATUS_ENABLED = _audit.AUDIT_STATUS_ENABLED
-AUDIT_STATUS_FAILURE = _audit.AUDIT_STATUS_FAILURE
-AUDIT_STATUS_PID = _audit.AUDIT_STATUS_PID
-AUDIT_STATUS_RATE_LIMIT = _audit.AUDIT_STATUS_RATE_LIMIT
-AUDIT_STATUS_BACKLOG_LIMIT = _audit.AUDIT_STATUS_BACKLOG_LIMIT
-AUDIT_FAIL_SILENT = _audit.AUDIT_FAIL_SILENT
-AUDIT_FAIL_PRINTK = _audit.AUDIT_FAIL_PRINTK
-AUDIT_FAIL_PANIC = _audit.AUDIT_FAIL_PANIC
-__AUDIT_ARCH_64BIT = _audit.__AUDIT_ARCH_64BIT
-__AUDIT_ARCH_LE = _audit.__AUDIT_ARCH_LE
-AUDIT_PERM_EXEC = _audit.AUDIT_PERM_EXEC
-AUDIT_PERM_WRITE = _audit.AUDIT_PERM_WRITE
-AUDIT_PERM_READ = _audit.AUDIT_PERM_READ
-AUDIT_PERM_ATTR = _audit.AUDIT_PERM_ATTR
-AUDIT_MESSAGE_TEXT_MAX = _audit.AUDIT_MESSAGE_TEXT_MAX
-class audit_status(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_status, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_status, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["mask"] = _audit.audit_status_mask_set
-    __swig_getmethods__["mask"] = _audit.audit_status_mask_get
-    if _newclass:mask = _swig_property(_audit.audit_status_mask_get, _audit.audit_status_mask_set)
-    __swig_setmethods__["enabled"] = _audit.audit_status_enabled_set
-    __swig_getmethods__["enabled"] = _audit.audit_status_enabled_get
-    if _newclass:enabled = _swig_property(_audit.audit_status_enabled_get, _audit.audit_status_enabled_set)
-    __swig_setmethods__["failure"] = _audit.audit_status_failure_set
-    __swig_getmethods__["failure"] = _audit.audit_status_failure_get
-    if _newclass:failure = _swig_property(_audit.audit_status_failure_get, _audit.audit_status_failure_set)
-    __swig_setmethods__["pid"] = _audit.audit_status_pid_set
-    __swig_getmethods__["pid"] = _audit.audit_status_pid_get
-    if _newclass:pid = _swig_property(_audit.audit_status_pid_get, _audit.audit_status_pid_set)
-    __swig_setmethods__["rate_limit"] = _audit.audit_status_rate_limit_set
-    __swig_getmethods__["rate_limit"] = _audit.audit_status_rate_limit_get
-    if _newclass:rate_limit = _swig_property(_audit.audit_status_rate_limit_get, _audit.audit_status_rate_limit_set)
-    __swig_setmethods__["backlog_limit"] = _audit.audit_status_backlog_limit_set
-    __swig_getmethods__["backlog_limit"] = _audit.audit_status_backlog_limit_get
-    if _newclass:backlog_limit = _swig_property(_audit.audit_status_backlog_limit_get, _audit.audit_status_backlog_limit_set)
-    __swig_setmethods__["lost"] = _audit.audit_status_lost_set
-    __swig_getmethods__["lost"] = _audit.audit_status_lost_get
-    if _newclass:lost = _swig_property(_audit.audit_status_lost_get, _audit.audit_status_lost_set)
-    __swig_setmethods__["backlog"] = _audit.audit_status_backlog_set
-    __swig_getmethods__["backlog"] = _audit.audit_status_backlog_get
-    if _newclass:backlog = _swig_property(_audit.audit_status_backlog_get, _audit.audit_status_backlog_set)
-    def __init__(self): 
-        this = _audit.new_audit_status()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_status
-    __del__ = lambda self : None;
-audit_status_swigregister = _audit.audit_status_swigregister
-audit_status_swigregister(audit_status)
-
-class audit_features(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_features, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_features, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["vers"] = _audit.audit_features_vers_set
-    __swig_getmethods__["vers"] = _audit.audit_features_vers_get
-    if _newclass:vers = _swig_property(_audit.audit_features_vers_get, _audit.audit_features_vers_set)
-    __swig_setmethods__["mask"] = _audit.audit_features_mask_set
-    __swig_getmethods__["mask"] = _audit.audit_features_mask_get
-    if _newclass:mask = _swig_property(_audit.audit_features_mask_get, _audit.audit_features_mask_set)
-    __swig_setmethods__["features"] = _audit.audit_features_features_set
-    __swig_getmethods__["features"] = _audit.audit_features_features_get
-    if _newclass:features = _swig_property(_audit.audit_features_features_get, _audit.audit_features_features_set)
-    __swig_setmethods__["lock"] = _audit.audit_features_lock_set
-    __swig_getmethods__["lock"] = _audit.audit_features_lock_get
-    if _newclass:lock = _swig_property(_audit.audit_features_lock_get, _audit.audit_features_lock_set)
-    def __init__(self): 
-        this = _audit.new_audit_features()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_features
-    __del__ = lambda self : None;
-audit_features_swigregister = _audit.audit_features_swigregister
-audit_features_swigregister(audit_features)
-AUDIT_FEATURE_VERSION = _audit.AUDIT_FEATURE_VERSION
-
-AUDIT_FEATURE_ONLY_UNSET_LOGINUID = _audit.AUDIT_FEATURE_ONLY_UNSET_LOGINUID
-AUDIT_FEATURE_LOGINUID_IMMUTABLE = _audit.AUDIT_FEATURE_LOGINUID_IMMUTABLE
-AUDIT_LAST_FEATURE = _audit.AUDIT_LAST_FEATURE
-class audit_tty_status(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_tty_status, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_tty_status, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["enabled"] = _audit.audit_tty_status_enabled_set
-    __swig_getmethods__["enabled"] = _audit.audit_tty_status_enabled_get
-    if _newclass:enabled = _swig_property(_audit.audit_tty_status_enabled_get, _audit.audit_tty_status_enabled_set)
-    __swig_setmethods__["log_passwd"] = _audit.audit_tty_status_log_passwd_set
-    __swig_getmethods__["log_passwd"] = _audit.audit_tty_status_log_passwd_get
-    if _newclass:log_passwd = _swig_property(_audit.audit_tty_status_log_passwd_get, _audit.audit_tty_status_log_passwd_set)
-    def __init__(self): 
-        this = _audit.new_audit_tty_status()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_tty_status
-    __del__ = lambda self : None;
-audit_tty_status_swigregister = _audit.audit_tty_status_swigregister
-audit_tty_status_swigregister(audit_tty_status)
-
-class audit_rule_data(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_rule_data, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_rule_data, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["flags"] = _audit.audit_rule_data_flags_set
-    __swig_getmethods__["flags"] = _audit.audit_rule_data_flags_get
-    if _newclass:flags = _swig_property(_audit.audit_rule_data_flags_get, _audit.audit_rule_data_flags_set)
-    __swig_setmethods__["action"] = _audit.audit_rule_data_action_set
-    __swig_getmethods__["action"] = _audit.audit_rule_data_action_get
-    if _newclass:action = _swig_property(_audit.audit_rule_data_action_get, _audit.audit_rule_data_action_set)
-    __swig_setmethods__["field_count"] = _audit.audit_rule_data_field_count_set
-    __swig_getmethods__["field_count"] = _audit.audit_rule_data_field_count_get
-    if _newclass:field_count = _swig_property(_audit.audit_rule_data_field_count_get, _audit.audit_rule_data_field_count_set)
-    __swig_setmethods__["mask"] = _audit.audit_rule_data_mask_set
-    __swig_getmethods__["mask"] = _audit.audit_rule_data_mask_get
-    if _newclass:mask = _swig_property(_audit.audit_rule_data_mask_get, _audit.audit_rule_data_mask_set)
-    __swig_setmethods__["fields"] = _audit.audit_rule_data_fields_set
-    __swig_getmethods__["fields"] = _audit.audit_rule_data_fields_get
-    if _newclass:fields = _swig_property(_audit.audit_rule_data_fields_get, _audit.audit_rule_data_fields_set)
-    __swig_setmethods__["values"] = _audit.audit_rule_data_values_set
-    __swig_getmethods__["values"] = _audit.audit_rule_data_values_get
-    if _newclass:values = _swig_property(_audit.audit_rule_data_values_get, _audit.audit_rule_data_values_set)
-    __swig_setmethods__["fieldflags"] = _audit.audit_rule_data_fieldflags_set
-    __swig_getmethods__["fieldflags"] = _audit.audit_rule_data_fieldflags_get
-    if _newclass:fieldflags = _swig_property(_audit.audit_rule_data_fieldflags_get, _audit.audit_rule_data_fieldflags_set)
-    __swig_setmethods__["buflen"] = _audit.audit_rule_data_buflen_set
-    __swig_getmethods__["buflen"] = _audit.audit_rule_data_buflen_get
-    if _newclass:buflen = _swig_property(_audit.audit_rule_data_buflen_get, _audit.audit_rule_data_buflen_set)
-    __swig_setmethods__["buf"] = _audit.audit_rule_data_buf_set
-    __swig_getmethods__["buf"] = _audit.audit_rule_data_buf_get
-    if _newclass:buf = _swig_property(_audit.audit_rule_data_buf_get, _audit.audit_rule_data_buf_set)
-    def __init__(self): 
-        this = _audit.new_audit_rule_data()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_rule_data
-    __del__ = lambda self : None;
-audit_rule_data_swigregister = _audit.audit_rule_data_swigregister
-audit_rule_data_swigregister(audit_rule_data)
-
-class audit_rule(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_rule, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_rule, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["flags"] = _audit.audit_rule_flags_set
-    __swig_getmethods__["flags"] = _audit.audit_rule_flags_get
-    if _newclass:flags = _swig_property(_audit.audit_rule_flags_get, _audit.audit_rule_flags_set)
-    __swig_setmethods__["action"] = _audit.audit_rule_action_set
-    __swig_getmethods__["action"] = _audit.audit_rule_action_get
-    if _newclass:action = _swig_property(_audit.audit_rule_action_get, _audit.audit_rule_action_set)
-    __swig_setmethods__["field_count"] = _audit.audit_rule_field_count_set
-    __swig_getmethods__["field_count"] = _audit.audit_rule_field_count_get
-    if _newclass:field_count = _swig_property(_audit.audit_rule_field_count_get, _audit.audit_rule_field_count_set)
-    __swig_setmethods__["mask"] = _audit.audit_rule_mask_set
-    __swig_getmethods__["mask"] = _audit.audit_rule_mask_get
-    if _newclass:mask = _swig_property(_audit.audit_rule_mask_get, _audit.audit_rule_mask_set)
-    __swig_setmethods__["fields"] = _audit.audit_rule_fields_set
-    __swig_getmethods__["fields"] = _audit.audit_rule_fields_get
-    if _newclass:fields = _swig_property(_audit.audit_rule_fields_get, _audit.audit_rule_fields_set)
-    __swig_setmethods__["values"] = _audit.audit_rule_values_set
-    __swig_getmethods__["values"] = _audit.audit_rule_values_get
-    if _newclass:values = _swig_property(_audit.audit_rule_values_get, _audit.audit_rule_values_set)
-    def __init__(self): 
-        this = _audit.new_audit_rule()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_rule
-    __del__ = lambda self : None;
-audit_rule_swigregister = _audit.audit_rule_swigregister
-audit_rule_swigregister(audit_rule)
-
-_STDINT_H = _audit._STDINT_H
-INT8_MIN = _audit.INT8_MIN
-INT16_MIN = _audit.INT16_MIN
-INT32_MIN = _audit.INT32_MIN
-INT64_MIN = _audit.INT64_MIN
-INT8_MAX = _audit.INT8_MAX
-INT16_MAX = _audit.INT16_MAX
-INT32_MAX = _audit.INT32_MAX
-INT64_MAX = _audit.INT64_MAX
-UINT8_MAX = _audit.UINT8_MAX
-UINT16_MAX = _audit.UINT16_MAX
-UINT32_MAX = _audit.UINT32_MAX
-UINT64_MAX = _audit.UINT64_MAX
-INT_LEAST8_MIN = _audit.INT_LEAST8_MIN
-INT_LEAST16_MIN = _audit.INT_LEAST16_MIN
-INT_LEAST32_MIN = _audit.INT_LEAST32_MIN
-INT_LEAST64_MIN = _audit.INT_LEAST64_MIN
-INT_LEAST8_MAX = _audit.INT_LEAST8_MAX
-INT_LEAST16_MAX = _audit.INT_LEAST16_MAX
-INT_LEAST32_MAX = _audit.INT_LEAST32_MAX
-INT_LEAST64_MAX = _audit.INT_LEAST64_MAX
-UINT_LEAST8_MAX = _audit.UINT_LEAST8_MAX
-UINT_LEAST16_MAX = _audit.UINT_LEAST16_MAX
-UINT_LEAST32_MAX = _audit.UINT_LEAST32_MAX
-UINT_LEAST64_MAX = _audit.UINT_LEAST64_MAX
-INT_FAST8_MIN = _audit.INT_FAST8_MIN
-INT_FAST16_MIN = _audit.INT_FAST16_MIN
-INT_FAST32_MIN = _audit.INT_FAST32_MIN
-INT_FAST64_MIN = _audit.INT_FAST64_MIN
-INT_FAST8_MAX = _audit.INT_FAST8_MAX
-INT_FAST16_MAX = _audit.INT_FAST16_MAX
-INT_FAST32_MAX = _audit.INT_FAST32_MAX
-INT_FAST64_MAX = _audit.INT_FAST64_MAX
-UINT_FAST8_MAX = _audit.UINT_FAST8_MAX
-UINT_FAST16_MAX = _audit.UINT_FAST16_MAX
-UINT_FAST32_MAX = _audit.UINT_FAST32_MAX
-UINT_FAST64_MAX = _audit.UINT_FAST64_MAX
-INTPTR_MIN = _audit.INTPTR_MIN
-INTPTR_MAX = _audit.INTPTR_MAX
-UINTPTR_MAX = _audit.UINTPTR_MAX
-INTMAX_MIN = _audit.INTMAX_MIN
-INTMAX_MAX = _audit.INTMAX_MAX
-UINTMAX_MAX = _audit.UINTMAX_MAX
-PTRDIFF_MIN = _audit.PTRDIFF_MIN
-PTRDIFF_MAX = _audit.PTRDIFF_MAX
-SIG_ATOMIC_MIN = _audit.SIG_ATOMIC_MIN
-SIG_ATOMIC_MAX = _audit.SIG_ATOMIC_MAX
-SIZE_MAX = _audit.SIZE_MAX
-WINT_MIN = _audit.WINT_MIN
-WINT_MAX = _audit.WINT_MAX
-AUDIT_USER_AUTH = _audit.AUDIT_USER_AUTH
-AUDIT_USER_ACCT = _audit.AUDIT_USER_ACCT
-AUDIT_USER_MGMT = _audit.AUDIT_USER_MGMT
-AUDIT_CRED_ACQ = _audit.AUDIT_CRED_ACQ
-AUDIT_CRED_DISP = _audit.AUDIT_CRED_DISP
-AUDIT_USER_START = _audit.AUDIT_USER_START
-AUDIT_USER_END = _audit.AUDIT_USER_END
-AUDIT_USER_CHAUTHTOK = _audit.AUDIT_USER_CHAUTHTOK
-AUDIT_USER_ERR = _audit.AUDIT_USER_ERR
-AUDIT_CRED_REFR = _audit.AUDIT_CRED_REFR
-AUDIT_USYS_CONFIG = _audit.AUDIT_USYS_CONFIG
-AUDIT_USER_LOGIN = _audit.AUDIT_USER_LOGIN
-AUDIT_USER_LOGOUT = _audit.AUDIT_USER_LOGOUT
-AUDIT_ADD_USER = _audit.AUDIT_ADD_USER
-AUDIT_DEL_USER = _audit.AUDIT_DEL_USER
-AUDIT_ADD_GROUP = _audit.AUDIT_ADD_GROUP
-AUDIT_DEL_GROUP = _audit.AUDIT_DEL_GROUP
-AUDIT_DAC_CHECK = _audit.AUDIT_DAC_CHECK
-AUDIT_CHGRP_ID = _audit.AUDIT_CHGRP_ID
-AUDIT_TEST = _audit.AUDIT_TEST
-AUDIT_TRUSTED_APP = _audit.AUDIT_TRUSTED_APP
-AUDIT_USER_SELINUX_ERR = _audit.AUDIT_USER_SELINUX_ERR
-AUDIT_USER_CMD = _audit.AUDIT_USER_CMD
-AUDIT_CHUSER_ID = _audit.AUDIT_CHUSER_ID
-AUDIT_GRP_AUTH = _audit.AUDIT_GRP_AUTH
-AUDIT_SYSTEM_BOOT = _audit.AUDIT_SYSTEM_BOOT
-AUDIT_SYSTEM_SHUTDOWN = _audit.AUDIT_SYSTEM_SHUTDOWN
-AUDIT_SYSTEM_RUNLEVEL = _audit.AUDIT_SYSTEM_RUNLEVEL
-AUDIT_SERVICE_START = _audit.AUDIT_SERVICE_START
-AUDIT_SERVICE_STOP = _audit.AUDIT_SERVICE_STOP
-AUDIT_FIRST_DAEMON = _audit.AUDIT_FIRST_DAEMON
-AUDIT_LAST_DAEMON = _audit.AUDIT_LAST_DAEMON
-AUDIT_DAEMON_RECONFIG = _audit.AUDIT_DAEMON_RECONFIG
-AUDIT_DAEMON_ROTATE = _audit.AUDIT_DAEMON_ROTATE
-AUDIT_DAEMON_RESUME = _audit.AUDIT_DAEMON_RESUME
-AUDIT_DAEMON_ACCEPT = _audit.AUDIT_DAEMON_ACCEPT
-AUDIT_DAEMON_CLOSE = _audit.AUDIT_DAEMON_CLOSE
-AUDIT_FIRST_EVENT = _audit.AUDIT_FIRST_EVENT
-AUDIT_LAST_EVENT = _audit.AUDIT_LAST_EVENT
-AUDIT_FIRST_SELINUX = _audit.AUDIT_FIRST_SELINUX
-AUDIT_LAST_SELINUX = _audit.AUDIT_LAST_SELINUX
-AUDIT_FIRST_APPARMOR = _audit.AUDIT_FIRST_APPARMOR
-AUDIT_LAST_APPARMOR = _audit.AUDIT_LAST_APPARMOR
-AUDIT_AA = _audit.AUDIT_AA
-AUDIT_APPARMOR_AUDIT = _audit.AUDIT_APPARMOR_AUDIT
-AUDIT_APPARMOR_ALLOWED = _audit.AUDIT_APPARMOR_ALLOWED
-AUDIT_APPARMOR_DENIED = _audit.AUDIT_APPARMOR_DENIED
-AUDIT_APPARMOR_HINT = _audit.AUDIT_APPARMOR_HINT
-AUDIT_APPARMOR_STATUS = _audit.AUDIT_APPARMOR_STATUS
-AUDIT_APPARMOR_ERROR = _audit.AUDIT_APPARMOR_ERROR
-AUDIT_FIRST_KERN_CRYPTO_MSG = _audit.AUDIT_FIRST_KERN_CRYPTO_MSG
-AUDIT_LAST_KERN_CRYPTO_MSG = _audit.AUDIT_LAST_KERN_CRYPTO_MSG
-AUDIT_INTEGRITY_FIRST_MSG = _audit.AUDIT_INTEGRITY_FIRST_MSG
-AUDIT_INTEGRITY_LAST_MSG = _audit.AUDIT_INTEGRITY_LAST_MSG
-AUDIT_FIRST_ANOM_MSG = _audit.AUDIT_FIRST_ANOM_MSG
-AUDIT_LAST_ANOM_MSG = _audit.AUDIT_LAST_ANOM_MSG
-AUDIT_ANOM_LOGIN_FAILURES = _audit.AUDIT_ANOM_LOGIN_FAILURES
-AUDIT_ANOM_LOGIN_TIME = _audit.AUDIT_ANOM_LOGIN_TIME
-AUDIT_ANOM_LOGIN_SESSIONS = _audit.AUDIT_ANOM_LOGIN_SESSIONS
-AUDIT_ANOM_LOGIN_ACCT = _audit.AUDIT_ANOM_LOGIN_ACCT
-AUDIT_ANOM_LOGIN_LOCATION = _audit.AUDIT_ANOM_LOGIN_LOCATION
-AUDIT_ANOM_MAX_DAC = _audit.AUDIT_ANOM_MAX_DAC
-AUDIT_ANOM_MAX_MAC = _audit.AUDIT_ANOM_MAX_MAC
-AUDIT_ANOM_AMTU_FAIL = _audit.AUDIT_ANOM_AMTU_FAIL
-AUDIT_ANOM_RBAC_FAIL = _audit.AUDIT_ANOM_RBAC_FAIL
-AUDIT_ANOM_RBAC_INTEGRITY_FAIL = _audit.AUDIT_ANOM_RBAC_INTEGRITY_FAIL
-AUDIT_ANOM_CRYPTO_FAIL = _audit.AUDIT_ANOM_CRYPTO_FAIL
-AUDIT_ANOM_ACCESS_FS = _audit.AUDIT_ANOM_ACCESS_FS
-AUDIT_ANOM_EXEC = _audit.AUDIT_ANOM_EXEC
-AUDIT_ANOM_MK_EXEC = _audit.AUDIT_ANOM_MK_EXEC
-AUDIT_ANOM_ADD_ACCT = _audit.AUDIT_ANOM_ADD_ACCT
-AUDIT_ANOM_DEL_ACCT = _audit.AUDIT_ANOM_DEL_ACCT
-AUDIT_ANOM_MOD_ACCT = _audit.AUDIT_ANOM_MOD_ACCT
-AUDIT_ANOM_ROOT_TRANS = _audit.AUDIT_ANOM_ROOT_TRANS
-AUDIT_FIRST_ANOM_RESP = _audit.AUDIT_FIRST_ANOM_RESP
-AUDIT_LAST_ANOM_RESP = _audit.AUDIT_LAST_ANOM_RESP
-AUDIT_RESP_ANOMALY = _audit.AUDIT_RESP_ANOMALY
-AUDIT_RESP_ALERT = _audit.AUDIT_RESP_ALERT
-AUDIT_RESP_KILL_PROC = _audit.AUDIT_RESP_KILL_PROC
-AUDIT_RESP_TERM_ACCESS = _audit.AUDIT_RESP_TERM_ACCESS
-AUDIT_RESP_ACCT_REMOTE = _audit.AUDIT_RESP_ACCT_REMOTE
-AUDIT_RESP_ACCT_LOCK_TIMED = _audit.AUDIT_RESP_ACCT_LOCK_TIMED
-AUDIT_RESP_ACCT_UNLOCK_TIMED = _audit.AUDIT_RESP_ACCT_UNLOCK_TIMED
-AUDIT_RESP_ACCT_LOCK = _audit.AUDIT_RESP_ACCT_LOCK
-AUDIT_RESP_TERM_LOCK = _audit.AUDIT_RESP_TERM_LOCK
-AUDIT_RESP_SEBOOL = _audit.AUDIT_RESP_SEBOOL
-AUDIT_RESP_EXEC = _audit.AUDIT_RESP_EXEC
-AUDIT_RESP_SINGLE = _audit.AUDIT_RESP_SINGLE
-AUDIT_RESP_HALT = _audit.AUDIT_RESP_HALT
-AUDIT_FIRST_USER_LSPP_MSG = _audit.AUDIT_FIRST_USER_LSPP_MSG
-AUDIT_LAST_USER_LSPP_MSG = _audit.AUDIT_LAST_USER_LSPP_MSG
-AUDIT_USER_ROLE_CHANGE = _audit.AUDIT_USER_ROLE_CHANGE
-AUDIT_ROLE_ASSIGN = _audit.AUDIT_ROLE_ASSIGN
-AUDIT_ROLE_REMOVE = _audit.AUDIT_ROLE_REMOVE
-AUDIT_LABEL_OVERRIDE = _audit.AUDIT_LABEL_OVERRIDE
-AUDIT_LABEL_LEVEL_CHANGE = _audit.AUDIT_LABEL_LEVEL_CHANGE
-AUDIT_USER_LABELED_EXPORT = _audit.AUDIT_USER_LABELED_EXPORT
-AUDIT_USER_UNLABELED_EXPORT = _audit.AUDIT_USER_UNLABELED_EXPORT
-AUDIT_DEV_ALLOC = _audit.AUDIT_DEV_ALLOC
-AUDIT_DEV_DEALLOC = _audit.AUDIT_DEV_DEALLOC
-AUDIT_FS_RELABEL = _audit.AUDIT_FS_RELABEL
-AUDIT_USER_MAC_POLICY_LOAD = _audit.AUDIT_USER_MAC_POLICY_LOAD
-AUDIT_ROLE_MODIFY = _audit.AUDIT_ROLE_MODIFY
-AUDIT_USER_MAC_CONFIG_CHANGE = _audit.AUDIT_USER_MAC_CONFIG_CHANGE
-AUDIT_FIRST_CRYPTO_MSG = _audit.AUDIT_FIRST_CRYPTO_MSG
-AUDIT_CRYPTO_TEST_USER = _audit.AUDIT_CRYPTO_TEST_USER
-AUDIT_CRYPTO_PARAM_CHANGE_USER = _audit.AUDIT_CRYPTO_PARAM_CHANGE_USER
-AUDIT_CRYPTO_LOGIN = _audit.AUDIT_CRYPTO_LOGIN
-AUDIT_CRYPTO_LOGOUT = _audit.AUDIT_CRYPTO_LOGOUT
-AUDIT_CRYPTO_KEY_USER = _audit.AUDIT_CRYPTO_KEY_USER
-AUDIT_CRYPTO_FAILURE_USER = _audit.AUDIT_CRYPTO_FAILURE_USER
-AUDIT_CRYPTO_REPLAY_USER = _audit.AUDIT_CRYPTO_REPLAY_USER
-AUDIT_CRYPTO_SESSION = _audit.AUDIT_CRYPTO_SESSION
-AUDIT_LAST_CRYPTO_MSG = _audit.AUDIT_LAST_CRYPTO_MSG
-AUDIT_FIRST_VIRT_MSG = _audit.AUDIT_FIRST_VIRT_MSG
-AUDIT_VIRT_CONTROL = _audit.AUDIT_VIRT_CONTROL
-AUDIT_VIRT_RESOURCE = _audit.AUDIT_VIRT_RESOURCE
-AUDIT_VIRT_MACHINE_ID = _audit.AUDIT_VIRT_MACHINE_ID
-AUDIT_LAST_VIRT_MSG = _audit.AUDIT_LAST_VIRT_MSG
-AUDIT_KEY_SEPARATOR = _audit.AUDIT_KEY_SEPARATOR
-AUDIT_FILTER_EXCLUDE = _audit.AUDIT_FILTER_EXCLUDE
-AUDIT_FILTER_MASK = _audit.AUDIT_FILTER_MASK
-AUDIT_FILTER_UNSET = _audit.AUDIT_FILTER_UNSET
-EM_ARM = _audit.EM_ARM
-EM_AARCH64 = _audit.EM_AARCH64
-AUDIT_ARCH_AARCH64 = _audit.AUDIT_ARCH_AARCH64
-class audit_sig_info(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_sig_info, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_sig_info, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["uid"] = _audit.audit_sig_info_uid_set
-    __swig_getmethods__["uid"] = _audit.audit_sig_info_uid_get
-    if _newclass:uid = _swig_property(_audit.audit_sig_info_uid_get, _audit.audit_sig_info_uid_set)
-    __swig_setmethods__["pid"] = _audit.audit_sig_info_pid_set
-    __swig_getmethods__["pid"] = _audit.audit_sig_info_pid_get
-    if _newclass:pid = _swig_property(_audit.audit_sig_info_pid_get, _audit.audit_sig_info_pid_set)
-    __swig_setmethods__["ctx"] = _audit.audit_sig_info_ctx_set
-    __swig_getmethods__["ctx"] = _audit.audit_sig_info_ctx_get
-    if _newclass:ctx = _swig_property(_audit.audit_sig_info_ctx_get, _audit.audit_sig_info_ctx_set)
-    def __init__(self): 
-        this = _audit.new_audit_sig_info()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_sig_info
-    __del__ = lambda self : None;
-audit_sig_info_swigregister = _audit.audit_sig_info_swigregister
-audit_sig_info_swigregister(audit_sig_info)
-
-MAX_AUDIT_MESSAGE_LENGTH = _audit.MAX_AUDIT_MESSAGE_LENGTH
-class audit_message(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_message, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_message, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["nlh"] = _audit.audit_message_nlh_set
-    __swig_getmethods__["nlh"] = _audit.audit_message_nlh_get
-    if _newclass:nlh = _swig_property(_audit.audit_message_nlh_get, _audit.audit_message_nlh_set)
-    __swig_setmethods__["data"] = _audit.audit_message_data_set
-    __swig_getmethods__["data"] = _audit.audit_message_data_get
-    if _newclass:data = _swig_property(_audit.audit_message_data_get, _audit.audit_message_data_set)
-    def __init__(self): 
-        this = _audit.new_audit_message()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_message
-    __del__ = lambda self : None;
-audit_message_swigregister = _audit.audit_message_swigregister
-audit_message_swigregister(audit_message)
-
-class audit_reply(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_reply, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_reply, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["type"] = _audit.audit_reply_type_set
-    __swig_getmethods__["type"] = _audit.audit_reply_type_get
-    if _newclass:type = _swig_property(_audit.audit_reply_type_get, _audit.audit_reply_type_set)
-    __swig_setmethods__["len"] = _audit.audit_reply_len_set
-    __swig_getmethods__["len"] = _audit.audit_reply_len_get
-    if _newclass:len = _swig_property(_audit.audit_reply_len_get, _audit.audit_reply_len_set)
-    __swig_setmethods__["nlh"] = _audit.audit_reply_nlh_set
-    __swig_getmethods__["nlh"] = _audit.audit_reply_nlh_get
-    if _newclass:nlh = _swig_property(_audit.audit_reply_nlh_get, _audit.audit_reply_nlh_set)
-    __swig_setmethods__["msg"] = _audit.audit_reply_msg_set
-    __swig_getmethods__["msg"] = _audit.audit_reply_msg_get
-    if _newclass:msg = _swig_property(_audit.audit_reply_msg_get, _audit.audit_reply_msg_set)
-    def __init__(self): 
-        this = _audit.new_audit_reply()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_reply
-    __del__ = lambda self : None;
-audit_reply_swigregister = _audit.audit_reply_swigregister
-audit_reply_swigregister(audit_reply)
-
-class audit_dispatcher_header(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, audit_dispatcher_header, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, audit_dispatcher_header, name)
-    __repr__ = _swig_repr
-    __swig_setmethods__["ver"] = _audit.audit_dispatcher_header_ver_set
-    __swig_getmethods__["ver"] = _audit.audit_dispatcher_header_ver_get
-    if _newclass:ver = _swig_property(_audit.audit_dispatcher_header_ver_get, _audit.audit_dispatcher_header_ver_set)
-    __swig_setmethods__["hlen"] = _audit.audit_dispatcher_header_hlen_set
-    __swig_getmethods__["hlen"] = _audit.audit_dispatcher_header_hlen_get
-    if _newclass:hlen = _swig_property(_audit.audit_dispatcher_header_hlen_get, _audit.audit_dispatcher_header_hlen_set)
-    __swig_setmethods__["type"] = _audit.audit_dispatcher_header_type_set
-    __swig_getmethods__["type"] = _audit.audit_dispatcher_header_type_get
-    if _newclass:type = _swig_property(_audit.audit_dispatcher_header_type_get, _audit.audit_dispatcher_header_type_set)
-    __swig_setmethods__["size"] = _audit.audit_dispatcher_header_size_set
-    __swig_getmethods__["size"] = _audit.audit_dispatcher_header_size_get
-    if _newclass:size = _swig_property(_audit.audit_dispatcher_header_size_get, _audit.audit_dispatcher_header_size_set)
-    def __init__(self): 
-        this = _audit.new_audit_dispatcher_header()
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _audit.delete_audit_dispatcher_header
-    __del__ = lambda self : None;
-audit_dispatcher_header_swigregister = _audit.audit_dispatcher_header_swigregister
-audit_dispatcher_header_swigregister(audit_dispatcher_header)
-
-AUDISP_PROTOCOL_VER = _audit.AUDISP_PROTOCOL_VER
-MACH_X86 = _audit.MACH_X86
-MACH_86_64 = _audit.MACH_86_64
-MACH_IA64 = _audit.MACH_IA64
-MACH_PPC64 = _audit.MACH_PPC64
-MACH_PPC = _audit.MACH_PPC
-MACH_S390X = _audit.MACH_S390X
-MACH_S390 = _audit.MACH_S390
-MACH_ALPHA = _audit.MACH_ALPHA
-MACH_ARM = _audit.MACH_ARM
-MACH_AARCH64 = _audit.MACH_AARCH64
-FAIL_IGNORE = _audit.FAIL_IGNORE
-FAIL_LOG = _audit.FAIL_LOG
-FAIL_TERMINATE = _audit.FAIL_TERMINATE
-MSG_STDERR = _audit.MSG_STDERR
-MSG_SYSLOG = _audit.MSG_SYSLOG
-MSG_QUIET = _audit.MSG_QUIET
-DBG_NO = _audit.DBG_NO
-DBG_YES = _audit.DBG_YES
-
-def set_aumessage_mode(*args):
-  return _audit.set_aumessage_mode(*args)
-set_aumessage_mode = _audit.set_aumessage_mode
-GET_REPLY_BLOCKING = _audit.GET_REPLY_BLOCKING
-GET_REPLY_NONBLOCKING = _audit.GET_REPLY_NONBLOCKING
-
-def audit_open():
-  return _audit.audit_open()
-audit_open = _audit.audit_open
-
-def audit_close(*args):
-  return _audit.audit_close(*args)
-audit_close = _audit.audit_close
-
-def audit_get_reply(*args):
-  return _audit.audit_get_reply(*args)
-audit_get_reply = _audit.audit_get_reply
-
-def audit_getloginuid():
-  return _audit.audit_getloginuid()
-audit_getloginuid = _audit.audit_getloginuid
-
-def audit_setloginuid(*args):
-  return _audit.audit_setloginuid(*args)
-audit_setloginuid = _audit.audit_setloginuid
-
-def audit_detect_machine():
-  return _audit.audit_detect_machine()
-audit_detect_machine = _audit.audit_detect_machine
-
-def audit_determine_machine(*args):
-  return _audit.audit_determine_machine(*args)
-audit_determine_machine = _audit.audit_determine_machine
-
-def audit_name_to_field(*args):
-  return _audit.audit_name_to_field(*args)
-audit_name_to_field = _audit.audit_name_to_field
-
-def audit_field_to_name(*args):
-  return _audit.audit_field_to_name(*args)
-audit_field_to_name = _audit.audit_field_to_name
-
-def audit_name_to_syscall(*args):
-  return _audit.audit_name_to_syscall(*args)
-audit_name_to_syscall = _audit.audit_name_to_syscall
-
-def audit_syscall_to_name(*args):
-  return _audit.audit_syscall_to_name(*args)
-audit_syscall_to_name = _audit.audit_syscall_to_name
-
-def audit_name_to_flag(*args):
-  return _audit.audit_name_to_flag(*args)
-audit_name_to_flag = _audit.audit_name_to_flag
-
-def audit_flag_to_name(*args):
-  return _audit.audit_flag_to_name(*args)
-audit_flag_to_name = _audit.audit_flag_to_name
-
-def audit_name_to_action(*args):
-  return _audit.audit_name_to_action(*args)
-audit_name_to_action = _audit.audit_name_to_action
-
-def audit_action_to_name(*args):
-  return _audit.audit_action_to_name(*args)
-audit_action_to_name = _audit.audit_action_to_name
-
-def audit_name_to_msg_type(*args):
-  return _audit.audit_name_to_msg_type(*args)
-audit_name_to_msg_type = _audit.audit_name_to_msg_type
-
-def audit_msg_type_to_name(*args):
-  return _audit.audit_msg_type_to_name(*args)
-audit_msg_type_to_name = _audit.audit_msg_type_to_name
-
-def audit_name_to_machine(*args):
-  return _audit.audit_name_to_machine(*args)
-audit_name_to_machine = _audit.audit_name_to_machine
-
-def audit_machine_to_name(*args):
-  return _audit.audit_machine_to_name(*args)
-audit_machine_to_name = _audit.audit_machine_to_name
-
-def audit_machine_to_elf(*args):
-  return _audit.audit_machine_to_elf(*args)
-audit_machine_to_elf = _audit.audit_machine_to_elf
-
-def audit_elf_to_machine(*args):
-  return _audit.audit_elf_to_machine(*args)
-audit_elf_to_machine = _audit.audit_elf_to_machine
-
-def audit_operator_to_symbol(*args):
-  return _audit.audit_operator_to_symbol(*args)
-audit_operator_to_symbol = _audit.audit_operator_to_symbol
-
-def audit_name_to_errno(*args):
-  return _audit.audit_name_to_errno(*args)
-audit_name_to_errno = _audit.audit_name_to_errno
-
-def audit_errno_to_name(*args):
-  return _audit.audit_errno_to_name(*args)
-audit_errno_to_name = _audit.audit_errno_to_name
-
-def audit_name_to_ftype(*args):
-  return _audit.audit_name_to_ftype(*args)
-audit_name_to_ftype = _audit.audit_name_to_ftype
-
-def audit_ftype_to_name(*args):
-  return _audit.audit_ftype_to_name(*args)
-audit_ftype_to_name = _audit.audit_ftype_to_name
-
-def audit_number_to_errmsg(*args):
-  return _audit.audit_number_to_errmsg(*args)
-audit_number_to_errmsg = _audit.audit_number_to_errmsg
-
-def audit_request_status(*args):
-  return _audit.audit_request_status(*args)
-audit_request_status = _audit.audit_request_status
-
-def audit_is_enabled(*args):
-  return _audit.audit_is_enabled(*args)
-audit_is_enabled = _audit.audit_is_enabled
-
-def get_auditfail_action(*args):
-  return _audit.get_auditfail_action(*args)
-get_auditfail_action = _audit.get_auditfail_action
-WAIT_NO = _audit.WAIT_NO
-WAIT_YES = _audit.WAIT_YES
-
-def audit_set_pid(*args):
-  return _audit.audit_set_pid(*args)
-audit_set_pid = _audit.audit_set_pid
-
-def audit_set_enabled(*args):
-  return _audit.audit_set_enabled(*args)
-audit_set_enabled = _audit.audit_set_enabled
-
-def audit_set_failure(*args):
-  return _audit.audit_set_failure(*args)
-audit_set_failure = _audit.audit_set_failure
-
-def audit_set_rate_limit(*args):
-  return _audit.audit_set_rate_limit(*args)
-audit_set_rate_limit = _audit.audit_set_rate_limit
-
-def audit_set_backlog_limit(*args):
-  return _audit.audit_set_backlog_limit(*args)
-audit_set_backlog_limit = _audit.audit_set_backlog_limit
-
-def audit_request_rules_list_data(*args):
-  return _audit.audit_request_rules_list_data(*args)
-audit_request_rules_list_data = _audit.audit_request_rules_list_data
-
-def audit_request_signal_info(*args):
-  return _audit.audit_request_signal_info(*args)
-audit_request_signal_info = _audit.audit_request_signal_info
-
-def audit_update_watch_perms(*args):
-  return _audit.audit_update_watch_perms(*args)
-audit_update_watch_perms = _audit.audit_update_watch_perms
-
-def audit_add_watch(*args):
-  return _audit.audit_add_watch(*args)
-audit_add_watch = _audit.audit_add_watch
-
-def audit_add_dir(*args):
-  return _audit.audit_add_dir(*args)
-audit_add_dir = _audit.audit_add_dir
-
-def audit_add_watch_dir(*args):
-  return _audit.audit_add_watch_dir(*args)
-audit_add_watch_dir = _audit.audit_add_watch_dir
-
-def audit_trim_subtrees(*args):
-  return _audit.audit_trim_subtrees(*args)
-audit_trim_subtrees = _audit.audit_trim_subtrees
-
-def audit_make_equivalent(*args):
-  return _audit.audit_make_equivalent(*args)
-audit_make_equivalent = _audit.audit_make_equivalent
-
-def audit_add_rule_data(*args):
-  return _audit.audit_add_rule_data(*args)
-audit_add_rule_data = _audit.audit_add_rule_data
-
-def audit_delete_rule_data(*args):
-  return _audit.audit_delete_rule_data(*args)
-audit_delete_rule_data = _audit.audit_delete_rule_data
-
-def audit_value_needs_encoding(*args):
-  return _audit.audit_value_needs_encoding(*args)
-audit_value_needs_encoding = _audit.audit_value_needs_encoding
-
-def audit_encode_value(*args):
-  return _audit.audit_encode_value(*args)
-audit_encode_value = _audit.audit_encode_value
-
-def audit_encode_nv_string(*args):
-  return _audit.audit_encode_nv_string(*args)
-audit_encode_nv_string = _audit.audit_encode_nv_string
-
-def audit_log_user_message(*args):
-  return _audit.audit_log_user_message(*args)
-audit_log_user_message = _audit.audit_log_user_message
-
-def audit_log_user_comm_message(*args):
-  return _audit.audit_log_user_comm_message(*args)
-audit_log_user_comm_message = _audit.audit_log_user_comm_message
-
-def audit_log_acct_message(*args):
-  return _audit.audit_log_acct_message(*args)
-audit_log_acct_message = _audit.audit_log_acct_message
-
-def audit_log_user_avc_message(*args):
-  return _audit.audit_log_user_avc_message(*args)
-audit_log_user_avc_message = _audit.audit_log_user_avc_message
-
-def audit_log_semanage_message(*args):
-  return _audit.audit_log_semanage_message(*args)
-audit_log_semanage_message = _audit.audit_log_semanage_message
-
-def audit_log_user_command(*args):
-  return _audit.audit_log_user_command(*args)
-audit_log_user_command = _audit.audit_log_user_command
-
-def audit_rule_syscall_data(*args):
-  return _audit.audit_rule_syscall_data(*args)
-audit_rule_syscall_data = _audit.audit_rule_syscall_data
-
-def audit_rule_syscallbyname_data(*args):
-  return _audit.audit_rule_syscallbyname_data(*args)
-audit_rule_syscallbyname_data = _audit.audit_rule_syscallbyname_data
-
-def audit_rule_fieldpair_data(*args):
-  return _audit.audit_rule_fieldpair_data(*args)
-audit_rule_fieldpair_data = _audit.audit_rule_fieldpair_data
-
-def audit_rule_interfield_comp_data(*args):
-  return _audit.audit_rule_interfield_comp_data(*args)
-audit_rule_interfield_comp_data = _audit.audit_rule_interfield_comp_data
-
-def audit_rule_free_data(*args):
-  return _audit.audit_rule_free_data(*args)
-audit_rule_free_data = _audit.audit_rule_free_data
-# This file is compatible with both classic and new-style classes.
-
-
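
Review bot: every line of this hunk is a removal of SWIG-generated output from swig/audit.py (the constants, `_swig_property` wrappers and the closing "This file is compatible with both classic and new-style classes" comment), which is unrelated to the ausearch checkpoint change and should not travel in the same patch. Drop the generated-file churn from the checkpoint patch entirely; if the point is that swig/audit.py should not be in the tarball, that is a Makefile.am / dist-rule change to send separately, since the bindings removed here (audit_add_rule_data, audit_log_user_message, the newly added EM_ARM / AUDIT_ARCH_AARCH64 / MACH_AARCH64 constants) are what Python consumers of the 2.3.6 release import.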


* Re: audit 2.3.6 released
  2014-04-13  1:51 ` Burn Alting
@ 2014-04-15  0:11   ` Steve Grubb
  2014-04-18  2:08     ` Burn Alting
  2014-04-18  2:36     ` Burn Alting
  0 siblings, 2 replies; 6+ messages in thread
From: Steve Grubb @ 2014-04-15  0:11 UTC (permalink / raw)
  To: burn; +Cc: linux audit

On Sunday, April 13, 2014 11:51:45 AM Burn Alting wrote:
> A patch is attached that addresses this.
> 
> Essentially the modification 
> - notices if we identify an audit.log file to use but we do not find the
> recorded audit event in that log file and so report an error (to stderr)
> and return a new exit code (12)
> - allows checkpointing to only use the recorded time from the checkpoint
> file for comparisons.

I'd like to look at these two pieces separately. Let's have 1 bug/feature per 
patch. This way if something looks good, it can be applied immediately. 
Whereas if something needs more discussion, it would block application of the 
part that is good.


> You will note that the patch also contains changes to swig/audit.py.
> Although this file is automatically generated, it is part of the 2.3.6
> release ... should it be?

I suppose it should be. What is in the release is decided by 
automake/autoconf. If there are any mistakes in the Makefile.am file, I would 
take a patch.


> I also note that a lot of Makefile.in's are also part of the release. Again,
> should these automatically generated files be part of the release?

The audit package release is done by a script that pretty much does the 
following (it's way more complicated than this, but these are the essential 
pieces):

mkdir audit
cd audit
svn co http://svn.fedorahosted.org/svn/audit/trunk .
./autogen.sh
./configure
make -j 8 distcheck

If it finishes saying it created the tar ball, I send it to rawhide to make 
sure it builds on a current OS. If that is also successful, then I push it to 
my people page and then commit a branch in svn. I also run the development 
audit package on all my systems during the whole development cycle to make 
sure bugs are fixed, nothing new shows up, and it builds under normal 
conditions.

So, anything that is there is because autotools think it should be there, 
unless I made a mistake in a Makefile.am. :-) Patches are welcome.

Thanks,
-Steve


* Re: audit 2.3.6 released
  2014-04-15  0:11   ` Steve Grubb
@ 2014-04-18  2:08     ` Burn Alting
  2014-04-23 18:51       ` Steve Grubb
  2014-04-18  2:36     ` Burn Alting
  1 sibling, 1 reply; 6+ messages in thread
From: Burn Alting @ 2014-04-18  2:08 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux audit

[-- Attachment #1: Type: text/plain, Size: 2845 bytes --]

Steve,

Please find attached a patch against 2.3.6 that, when checkpointing,
notices if we identify an audit.log file to use (i.e. the dev and inode
match) but we find a complete event whose time is > 2 seconds past the
checkpoint time. This should not happen, as the checkpoint event should
be found BEFORE any other complete event for the checkpoint event was
the last displayed complete event in the file. When this occurs, a
message is printed to stderr and ausearch will terminate with an exit
code of 12.


This typically occurs if there is a lot of processing or a long time
occurs between two invocations of ausearch --checkpoint. Basically, an
inode is reused in one of the new audit.log files.

Rgds

On Mon, 2014-04-14 at 20:11 -0400, Steve Grubb wrote:
> On Sunday, April 13, 2014 11:51:45 AM Burn Alting wrote:
> > A patch is attached that addresses this.
> > 
> > Essentially the modification 
> > - notices if we identify an audit.log file to use but we do not find the
> > recorded audit event in that log file and so report an error (to stderr)
> > and return a new exit code (12)
> > - allows checkpointing to only use the recorded time from the checkpoint
> > file for comparisons.
> 
> I'd like to look at these two pieces separately. Let's have 1 bug/feature per 
> patch. This way if something looks good, it can be applied immediately. 
> Whereas if something needs more discussion, it would block application of the 
> part that is good.
> 
> 
> > You will note that the patch also contains changes to swig/audit.py.
> > Although this file is automatically generated, it is part of the 2.3.6
> > release ... should it be?
> 
> I suppose it should be. What is in the release is decided by 
> automake/autoconf. If there are any mistakes in the Makefile.am file, I would 
> take a patch.
> 
> 
> > I also note that a lot of Makefile.in's are also part of the release. Again,
> > should these automatically generated files be part of the release?
> 
> The audit package release is done by a script that pretty much does the 
> following (it's way more complicated than this, but these are the essential 
> pieces):
> 
> mkdir audit
> cd audit
> svn co http://svn.fedorahosted.org/svn/audit/trunk .
> ./autogen.sh
> ./configure
> make -j 8 distcheck
> 
> If it finishes saying it created the tar ball, I send it to rawhide to make 
> sure it builds on a current OS. If that is also successful, then I push it to 
> my people page and then commit a branch in svn. I also run the development 
> audit package on all my systems during the whole development cycle to make 
> sure bugs are fixed, nothing new shows up, and it builds under normal 
> conditions.
> 
> So, anything that is there, is because autotools think it should be there 
> unless I made a mistake in a Makefile.am. :-) Patches are welcome.
> 
> Thanks,
> -Steve


[-- Attachment #2: audit-2.3.6_checkpt_1.patch --]
[-- Type: text/x-patch, Size: 5966 bytes --]

diff -Npru audit-2.3.6/docs/ausearch.8 audit-2.3.6_checkpt_1/docs/ausearch.8
--- audit-2.3.6/docs/ausearch.8	2014-04-12 05:49:28.000000000 +1000
+++ audit-2.3.6_checkpt_1/docs/ausearch.8	2014-04-18 11:20:39.968218322 +1000
@@ -46,8 +46,7 @@ ausearch will load this checkpoint data
 complete events until it matches the checkpointed one. At this point, it will start
 outputting complete events.
 
-Should the file or checkpointed completed event not be found, an error will result and ausearch
-will terminate.
+Should the file or checkpointed completed event not be found, one of a number of errors will result and ausearch will terminate. See \fBEXIT STATUS\fP for detail.
 
 .TP
 .BR \-e,\  \-\-exit \ \fIexit-code-or-errno\fP
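Review bot: the replacement sentence is one unwrapped line of roughly 130 columns while the rest of this roff source wraps at about 80; break it after "result and" so it reads like its neighbours. Also "checkpointed completed event" is kept from the old text but the paragraph above says "complete events"; use "complete" in both places.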
@@ -173,16 +172,22 @@ String based matches must match the whol
 .BR \-x ,\  \-\-executable \ \fIexecutable\fP
 Search for an event matching the given \fIexecutable\fP name.
 
-.SS "Exit status:"
-.TP
+.SH "EXIT STATUS"
+.TP 5
 0
 if OK,
+.TP
 1
 if nothing found, or argument errors or minor file acces/read errors,
+.TP
 10
-bad checkpoint data,
+invalid checkpoint data found in checkpoint file,
+.TP
 11
 checkpoint processing error
+.TP
+12
+checkpoint event not found in matching log file
 .SH "SEE ALSO"
 .BR auditd (8),
 .BR pam_loginuid (8).
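Review bot: the rebuilt EXIT STATUS list is inconsistent in punctuation: "checkpoint processing error" has no trailing comma while the entries before it do, and the last entry should end with a full stop. Since every entry is being retouched with `.TP` anyway, also fix the pre-existing typo in the unchanged context line "minor file acces/read errors" ("access"). The wording for 12, "checkpoint event not found in matching log file", is what the stderr message in ausearch.c should match as well.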
diff -Npru audit-2.3.6/src/ausearch.c audit-2.3.6_checkpt_1/src/ausearch.c
--- audit-2.3.6/src/ausearch.c	2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpt_1/src/ausearch.c	2014-04-18 10:57:30.743412031 +1000
@@ -153,8 +153,15 @@ int main(int argc, char *argv[])
 			save_ChkPt(checkpt_filename);
 		free_ChkPtMemory();
 		free((void *)checkpt_filename);
-		if (checkpt_failure)
-			rc = 11;
+		/*
+ 		 * A checkpoint failure at this point means either 
+ 		 * - we failed in attempting to create the checkpouint file
+ 		 *   and so we will return 11
+ 		 * - we had a corrupted checkpoint file and so we will return 12
+ 		 */
+		if (checkpt_failure) {
+			rc = ((checkpt_failure & CP_CORRUPTED) == CP_CORRUPTED) ? 12 : 11;
+		}
 	}
 
 	lol_clear(&lo);
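Review bot: the new comment block has a typo ("checkpouint"), trailing whitespace after "either", and its continuation lines start with a space before the tabs, so the asterisks do not line up with the opening `/*`. For a single-bit flag `(checkpt_failure & CP_CORRUPTED) == CP_CORRUPTED` is just `checkpt_failure & CP_CORRUPTED`. Note that this mapping makes 12 win over any other failure bit set in the same run (for instance a checkpoint write error recorded alongside it); if that is intended, say so in the comment.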
@@ -305,6 +312,11 @@ static int process_logs(void)
  * 	0 	no output
  * 	1	can output
  * 	2	can output but not this event
+ * 	3	we have found an event whose time is > MAX_EVENT_DELTA_SECS secs
+ * 		past our checkpoint time, which means this particulare event is complete.
+ * 		This should not happen, for we should have found our checkpoint event
+ * 		before ANY other completed event.
+ *
  */
 static int chkpt_output_decision(event * e)
 {
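Review bot: the description of return value 3 is hard to follow and has a typo ("particulare"): what the delta proves is that the checkpoint event must already have been complete, so it should have been matched before this event, not that "this particular event is complete". Suggested wording: "3 an event more than MAX_EVENT_DELTA_SECS past the checkpoint time was seen before the checkpoint event itself; the checkpoint event was complete when recorded, so this should not happen". The empty ` *` line before the closing `*/` can go.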
@@ -345,10 +357,35 @@ static int chkpt_output_decision(event *
 			return 2;	/* output after this event */
 		}
 		/*
- 		 * The nodes are different. Drop through to a no output return
- 		 * value
+ 		 * The nodes are different. Drop through to further checks.
  		 */
 	}
+	/*
+	 * If the event we are looking at is more than MAX_EVENT_DELTA_SECS
+	 * seconds past our checkpoint event, then by definition we should
+	 * have had a complete event (ie a complete event is one where at
+	 * least MAX_EVENT_DELTA_SECS seconds have passed since it's last
+	 * output record).
+	 * This means there is a problem, for the recorded checkpoint event was
+	 * the last complete event in the file when we last processed it.
+	 * Normally we see this if the checkpoint is very old and the system
+	 * has used the same inode again in an audit log file.
+	 */
+	if (
+		(chkpt_input_levent.sec < e->sec)
+	&&
+		((e->sec - chkpt_input_levent.sec) > MAX_EVENT_DELTA_SECS)
+	) {
+#if 0
+		fprintf(stderr, "%s %lu.%03d:%lu vs %s %lu.%03d:%lu\n",
+			chkpt_input_levent.host ? chkpt_input_levent.host : "-",
+			chkpt_input_levent.sec, chkpt_input_levent.milli,
+			chkpt_input_levent.serial,
+			e->host, e->sec, e->milli, e->serial);
+#endif
+		return 3;
+	}
+
 	return 0;
 }
 
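Review bot: the `#if 0` block with the debugging `fprintf` should not be committed; either drop it or hang it off the existing `--debug` option. In the comment, "it's last output record" should be "its last output record". The five-line `if (` layout does not match the style used two screens up (`if ( chkpt_input_levent.sec == e->sec &&` with the conjuncts on continuation lines). Finally, the first conjunct `chkpt_input_levent.sec < e->sec` only matters if `sec` is unsigned and the subtraction could wrap; a short comment saying why it is there would stop someone "simplifying" it away.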
@@ -391,6 +428,17 @@ static int process_log_fd(void)
 						return 4;	/* no memory */
 					}
 				}
+			} else if (do_output == 3) {
+				fprintf(stderr,
+			"Corrupted checkpoint file. Inode match, but newer complete event (%lu.%03d:%lu) found before loaded checkpoint %lu.%03d:%lu\n",
+					entries->e.sec, entries->e.milli, entries->e.serial,
+					chkpt_input_levent.sec, chkpt_input_levent.milli,
+					chkpt_input_levent.serial);
+				checkpt_failure |= CP_CORRUPTED;
+				list_clear(entries);
+				free(entries);
+				fclose(log_fd);
+				return 10;
 			}
 			if (just_one) {
 				list_clear(entries);
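Review bot: this path returns 10 from process_log_fd() and then relies on main() remapping CP_CORRUPTED to exit status 12, so the function's return value and the documented exit status disagree; return a distinct value here (or at least comment that main() remaps it) so a reader of this function alone is not misled. The stderr text "Corrupted checkpoint file" also describes the wrong cause: per the cover letter and the new man page entry the checkpoint file is fine, the log file has reused the inode and no longer holds the checkpoint event. Wording it after the man page ("checkpoint event not found in matching log file") tells the operator which recovery step to take. The format string line is also well over 80 columns.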
diff -Npru audit-2.3.6/src/ausearch-checkpt.h audit-2.3.6_checkpt_1/src/ausearch-checkpt.h
--- audit-2.3.6/src/ausearch-checkpt.h	2014-04-12 05:49:26.000000000 +1000
+++ audit-2.3.6_checkpt_1/src/ausearch-checkpt.h	2014-04-18 10:57:58.360753565 +1000
@@ -31,6 +31,7 @@ int load_ChkPt(const char *fn);
 #define	CP_STATFAILED	0x0002	/* stat() call on last log file failed */
 #define	CP_STATUSIO	0x0004	/* cannot open/read/write checkpoint file */
 #define	CP_STATUSBAD	0x0008	/* malformed status checkpoint entries */
+#define	CP_CORRUPTED	0x0010	/* corrupted times in checkpoint file */
 
 extern unsigned checkpt_failure;
 
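Review bot: the comment on `CP_CORRUPTED` ("corrupted times in checkpoint file") does not describe what the flag is set for in ausearch.c, where it marks an inode match whose log no longer contains the checkpoint event; the name and comment should say that (for example, the man page's "checkpoint event not found in matching log file"), otherwise the next person to read this header will assume a parse failure like `CP_STATUSBAD`.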
diff -Npru audit-2.3.6/src/ausearch-common.h audit-2.3.6_checkpt_1/src/ausearch-common.h
--- audit-2.3.6/src/ausearch-common.h	2014-04-12 05:49:26.000000000 +1000
+++ audit-2.3.6_checkpt_1/src/ausearch-common.h	2014-04-18 10:59:16.313185340 +1000
@@ -28,6 +28,17 @@
 
 #include "ausearch-string.h"
 
+/*
+ * MAX_EVENT_DELTA_SECS is the maximum number of seconds it would take for
+ * auditd and the kernel to emit all of an events' records. Thus, when scanning
+ * a list of audit records without any End of Event marker, we can determine if
+ * all an event's records have been collected if we compare that event's time
+ * with the time of the event we are currently scanning. If
+ * MAX_EVENT_DELTA_SECS have passed, then the event is deamed to be complete
+ * and we have all it's records.
+ */
+#define	MAX_EVENT_DELTA_SECS	2
+
 /* Global variables that describe what search is to be performed */
 extern time_t start_time, end_time;
 extern unsigned int event_id;
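Review bot: comment typos: "all of an events' records" should be "an event's records", "deamed" should be "deemed", and "all it's records" should be "all its records". More importantly, this header introduces the 2-second constant but the hunks in ausearch.c only use it for the new staleness check; if the code that decides an event is complete uses its own literal for the same window, replace that literal with `MAX_EVENT_DELTA_SECS` too so the two cannot drift apart.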


* Re: audit 2.3.6 released
  2014-04-15  0:11   ` Steve Grubb
  2014-04-18  2:08     ` Burn Alting
@ 2014-04-18  2:36     ` Burn Alting
  1 sibling, 0 replies; 6+ messages in thread
From: Burn Alting @ 2014-04-18  2:36 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux audit

[-- Attachment #1: Type: text/plain, Size: 3057 bytes --]

Steve,

Please find attached a patch against 2.3.6 with which, when checkpointing,
ausearch will only use the recorded event time in the checkpoint file when
deciding which complete events to display. Basically, it will display all
complete events found after the event time found in the checkpoint file.

Normally, one would use checkpointing in a periodic script that records
all 'new' audit events. Should certain errors occur, we need to recover
and continue to record 'new' audit events. This option allows us to do
a 'brute force' recovery by finding all events since the last recorded
time we have in the checkpoint file.

For example, the core of a periodic script may contain

  ausearch --checkpoint /usr/security/auditd_checkpoint.txt -i
  _aus=$?
  if test ${_aus} -eq 10 -o ${_aus} -eq 11 -o ${_aus} -eq 12
  then
    ausearch --checkpoint /usr/security/auditd_checkpoint.txt \
      --checkpoint-time-only -i
  fi


Rgds

On Mon, 2014-04-14 at 20:11 -0400, Steve Grubb wrote:
> On Sunday, April 13, 2014 11:51:45 AM Burn Alting wrote:
> > A patch is attached that addresses this.
> > 
> > Essentially the modification 
> > - notices if we identify an audit.log file to use but we do not find the
> > recorded audit event in that log file and so report an error (to stderr)
> > and return a new exit code (12)
> > - allows checkpointing to only use the recorded time from the checkpoint
> > file for comparisons.
> 
> I'd like to look at these two pieces separately. Let's have 1 bug/feature per 
> patch. This way if something looks good, it can be applied immediately. 
> Whereas if something needs more discussion, it would block application of the 
> part that is good.
> 
> 
> > You will note that the patch also contains changes to swig/audit.py.
> > Although this file is automatically generated, it is part of the 2.3.6
> > release ... should it be?
> 
> I suppose it should be. What is in the release is decided by 
> automake/autoconf. If there are any mistakes in the Makefile.am file, I would 
> take a patch.
> 
> 
> > I also note that a lot of Makefile.in's are also part of the release. Again,
> > should these automatically generated files be part of the release?
> 
> The audit package release is done by a script that pretty much does the 
> following (it's way more complicated than this, but these are the essential 
> pieces):
> 
> mkdir audit
> cd audit
> svn co http://svn.fedorahosted.org/svn/audit/trunk .
> ./autogen.sh
> ./configure
> make -j 8 distcheck
> 
> If it finishes saying it created the tar ball, I send it to rawhide to make 
> sure it builds on a current OS. If that is also successful, then I push it to 
> my people page and then commit a branch in svn. I also run the development 
> audit package on all my systems during the whole development cycle to make 
> sure bugs are fixed, nothing new shows up, and it builds under normal 
> conditions.
> 
> So, anything that is there, is because autotools think it should be there 
> unless I made a mistake in a Makefile.am. :-) Patches are welcome.
> 
> Thanks,
> -Steve


[-- Attachment #2: audit-2.3.6_checkpt_2.patch --]
[-- Type: text/x-patch, Size: 5868 bytes --]

diff -Npru audit-2.3.6/docs/ausearch.8 audit-2.3.6_checkpt_2/docs/ausearch.8
--- audit-2.3.6/docs/ausearch.8	2014-04-12 05:49:28.000000000 +1000
+++ audit-2.3.6_checkpt_2/docs/ausearch.8	2014-04-18 12:27:44.403810759 +1000
@@ -50,6 +50,25 @@ Should the file or checkpointed complete
 will terminate.
 
 .TP
+.BR \-\-checkpoint-time-only
+When checkpointing, this option will only rely upon the checkpoint files'
+timestamp for comparison. Thus it will ignore inode, device, serial, node and
+event type.
+
+Essentailly, this is the recovery action should an \fIausearch\fP with a checkpoint fail with an
+exit status of 10, 11 or 12. An appropriate script extract might look like
+.sp
+.nf
+.na
+  ausearch --checkpoint /usr/security/auditd_checkpoint.txt -i
+  _au_status=$?
+  if test ${_au_status} -eq 10 -o ${_au_status} -eq 11 -o ${_au_status} -eq 12
+  then
+    ausearch --checkpoint /usr/security/auditd_checkpoint.txt --checkpoint-time-only -i
+  fi
+.ad
+.fi
+.TP
 .BR \-e,\  \-\-exit \ \fIexit-code-or-errno\fP
 Search for an event based on the given syscall \fIexit code or errno\fP.
 .TP
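Review bot: this hunk conflicts with the checkpt_1 patch: its context line "will terminate." is the second half of the sentence that checkpt_1 rewrites at lines 46-47 of the same file, so whichever is applied second will fuzz or fail, and the example here refers to exit status 12 which only exists once checkpt_1 is in. State the dependency in the cover letter (or rebase this one on top of the other). Typos: "Essentailly" and "checkpoint files' timestamp" ("file's"). The `.SH "EXIT STATUS"` cross-reference used by checkpt_1 would also be the right place to say that the recovery option may print an event twice.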
diff -Npru audit-2.3.6/src/ausearch.c audit-2.3.6_checkpt_2/src/ausearch.c
--- audit-2.3.6/src/ausearch.c	2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpt_2/src/ausearch.c	2014-04-18 11:48:22.459305753 +1000
@@ -236,8 +236,15 @@ static int process_logs(void)
 			 */
 			if (	(sbuf.st_dev == chkpt_input_dev) &&
 				(sbuf.st_ino == chkpt_input_ino) ) {
-				found_chkpt_file = num++;
-				break;
+
+				/*
+ 				 * If we are only using the checkpoint file's time, then
+ 				 * we always want to find the 'oldest' file. Thus we only break if we are NOT using the checkpoint files time only.
+ 				 */
+				if (!((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)) {
+					found_chkpt_file = num++;
+					break;
+				}
 			}
 		}
 
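Review bot: under `OPT_CHKPT_TIME_ONLY` the dev/inode comparison is still evaluated and its result thrown away; skipping the whole `if` when the option is set reads more clearly than nesting a negated test inside it. `!((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)` is just `!(control_options & OPT_CHKPT_TIME_ONLY)`. The comment line is far over 80 columns and its continuation lines have a stray space before the tabs. Since `found_chkpt_file` now stays -1 in this mode, the code that later chooses the starting log file must already treat -1 as "begin with the oldest file"; a sentence in the comment confirming that would help.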
@@ -245,8 +252,10 @@ static int process_logs(void)
 		snprintf(filename, len, "%s.%d", config.log_file, num);
 	} while (1);
 
-	/* If a checkpoint is loaded but can't find it's file, error */
-	if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1) {
+	/* If a checkpoint is loaded but can't find it's file, and
+ 	 * we are not only checking time, we need to error */
+	if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1
+	&& !((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)) {
 		free(filename);
 		free_config(&config);
 		return 10;
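Review bot: this is the second copy of the `(control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY` test; a small static inline helper or macro in ausearch-options.h would keep the two call sites identical. While rewriting the comment, "can't find it's file" should be "its file".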
@@ -329,6 +338,25 @@ static int chkpt_output_decision(event *
 		return 1;	/* can output on this event */
 	}
 
+	/*
+	 * If we are ignoring all but event time, then we output if the current
+	 * event's time is greater than or equal to the checkpoint time.
+	 */
+	if ((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY) {
+		if (
+			(chkpt_input_levent.sec < e->sec)
+		||
+			(
+				(chkpt_input_levent.sec == e->sec)
+			&&
+				(chkpt_input_levent.milli <= e->milli)
+			)
+		) {
+			can_output = 1;
+			return 1;   /* can output on this event */
+		}
+	}
+
 	if ( chkpt_input_levent.sec == e->sec &&
 		chkpt_input_levent.milli == e->milli &&
 		chkpt_input_levent.serial == e->serial &&
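Review bot: with `<=` on `milli` the event recorded in the checkpoint file, and any other event sharing its millisecond, is printed again on every recovery run, so a periodic script that consumes the output will see duplicates. If that is the intended trade-off of the brute-force mode, document it in the man page; otherwise compare strictly (`<`) or fall back to the serial comparison for equal timestamps. The six-line `if (` layout again differs from the file's existing `if ( a && \n b &&` style.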
diff -Npru audit-2.3.6/src/ausearch-options.c audit-2.3.6_checkpt_2/src/ausearch-options.c
--- audit-2.3.6/src/ausearch-options.c	2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpt_2/src/ausearch-options.c	2014-04-18 11:53:20.588181948 +1000
@@ -72,6 +72,11 @@ ilist *event_type;
 
 slist *event_node_list = NULL;
 
+/*
+ * Bitmap for command line options. See ausearch-options.h for values.
+ */
+unsigned	control_options	= 0x0;
+
 struct nv_pair {
     int        value;
     const char *name;
@@ -83,7 +88,8 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
-S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
+S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH,
+S_CHECKPOINT_TIME_ONLY };
 
 static struct nv_pair optiontab[] = {
 	{ S_EVENT, "-a" },
@@ -92,6 +98,7 @@ static struct nv_pair optiontab[] = {
 	{ S_COMM, "-c" },
 	{ S_COMM, "--comm" },
 	{ S_CHECKPOINT, "--checkpoint" },
+	{ S_CHECKPOINT_TIME_ONLY, "--checkpoint-time-only" },
 	{ S_DEBUG, "--debug" },
 	{ S_EXIT, "-e" },
 	{ S_EXIT, "--exit" },
@@ -183,6 +190,7 @@ static void usage(void)
 	"\t--arch <CPU>\t\t\tsearch based on the CPU architecture\n"
 	"\t-c,--comm  <Comm name>\t\tsearch based on command line name\n"
 	"\t--checkpoint <checkpoint file>\tsearch from last complete event\n"
+	"\t--checkpoint-time-only\tuse only checkpoint time for comparisions when deciding to display output\n"
 	"\t--debug\t\t\tWrite malformed events that are skipped to stderr\n"
 	"\t-e,--exit  <Exit code or errno>\tsearch based on syscall exit code\n"
 	"\t-f,--file  <File name>\t\tsearch based on file name\n"
@@ -1154,6 +1162,9 @@ int check_params(int count, char *vars[]
 			}
 			c++;
 			break;
+		case S_CHECKPOINT_TIME_ONLY:
+			control_options |= OPT_CHKPT_TIME_ONLY;
+			break;
 		default:
 			fprintf(stderr, "%s is an unsupported option\n", 
 				vars[c]);
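Review bot: `--checkpoint-time-only` is accepted on its own and then silently does nothing when no `--checkpoint` file was given; after option parsing, reject (or at least warn about) the combination where `OPT_CHKPT_TIME_ONLY` is set but `checkpt_filename` is NULL, so a typo in the periodic script is noticed rather than producing an empty recovery run.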
diff -Npru audit-2.3.6/src/ausearch-options.h audit-2.3.6_checkpt_2/src/ausearch-options.h
--- audit-2.3.6/src/ausearch-options.h	2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpt_2/src/ausearch-options.h	2014-04-18 11:50:02.746403340 +1000
@@ -47,5 +47,15 @@ extern report_t report_format;
 /* Function to process commandline options */
 extern int check_params(int count, char *vars[]);
 
+/*
+ * Bitmap for command line options
+ */
+extern unsigned	control_options;
+
+/*
+ * Flags for control_options
+ */
+#define	OPT_CHKPT_TIME_ONLY	0x0001	/* when checkpointing, only use event time for comparisons */ 
+
 #endif
 
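Review bot: trailing whitespace after the closing comment on the `#define OPT_CHKPT_TIME_ONLY` line; the flag value and comment are otherwise fine.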

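The output decision that the two patches above describe (checkpt_1's detection of a log file that reuses the checkpoint's inode but no longer holds the checkpoint event, and checkpt_2's time-only recovery mode), modelled as an added example rather than ausearch's own code; node and event-type matching are left out and the events are constructed:

```c
#include <time.h>

#define MAX_EVENT_DELTA_SECS 2       /* value from the checkpt_1 patch */
#define OPT_CHKPT_TIME_ONLY  0x0001  /* value from the checkpt_2 patch */

/* Event identity fields ausearch compares; node and type are omitted here. */
struct ev { time_t sec; unsigned milli; unsigned long serial; };

struct chkpt_state {
    struct ev levent;          /* last complete event in the checkpoint file */
    unsigned control_options;  /* 0 or OPT_CHKPT_TIME_ONLY */
    int can_output;            /* set once the checkpoint event is passed */
};

/* Same return convention as the patched chkpt_output_decision():
 * 0 no output, 1 output this event, 2 output from the next event on,
 * 3 a complete event newer than the checkpoint appeared before the
 *   checkpoint event itself (inode reuse; ausearch exits 12). */
int decide(struct chkpt_state *s, const struct ev *e)
{
    if (s->can_output)
        return 1;
    if (s->control_options & OPT_CHKPT_TIME_ONLY) {
        if (s->levent.sec < e->sec ||
            (s->levent.sec == e->sec && s->levent.milli <= e->milli)) {
            s->can_output = 1;
            return 1;   /* the checkpoint event itself is emitted again */
        }
    }
    if (s->levent.sec == e->sec && s->levent.milli == e->milli &&
        s->levent.serial == e->serial) {
        s->can_output = 1;
        return 2;       /* found the checkpoint event; output after it */
    }
    if (s->levent.sec < e->sec &&
        (e->sec - s->levent.sec) > MAX_EVENT_DELTA_SECS)
        return 3;
    return 0;
}

/* Replay n complete events against the checkpoint. Returns how many would be
 * printed, or -1 when the stale-checkpoint condition is detected. */
int replay(const struct ev *chkpt, const struct ev *log, int n, unsigned opts)
{
    struct chkpt_state s;
    int i, printed = 0;
    s.levent = *chkpt;
    s.control_options = opts;
    s.can_output = 0;
    for (i = 0; i < n; i++) {
        int rc = decide(&s, &log[i]);
        if (rc == 3)
            return -1;
        if (rc == 1)
            printed++;
    }
    return printed;
}

/* Constructed sample data, not taken from a real audit.log. */
static const struct ev CHKPT = { 1000, 500, 42 };
/* Log A: the file the checkpoint was taken from, plus two newer events.
 * replay(&CHKPT, LOG_A, 4, 0) -> 2; with OPT_CHKPT_TIME_ONLY -> 3 */
static const struct ev LOG_A[] = {
    { 999, 0, 40 }, { 1000, 500, 42 }, { 1000, 900, 43 }, { 1003, 0, 44 } };
/* Log B: a rotated file that reuses the recorded inode; the checkpoint event
 * is absent. replay(&CHKPT, LOG_B, 2, 0) -> -1; time-only -> 1 */
static const struct ev LOG_B[] = { { 999, 0, 40 }, { 1005, 0, 7 } };
```

The time-only run over LOG_A prints 3 events rather than 2 because the `<=` on milliseconds re-emits the checkpoint event itself, which is the duplicate a consumer of the recovery output has to tolerate.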

* Re: audit 2.3.6 released
  2014-04-18  2:08     ` Burn Alting
@ 2014-04-23 18:51       ` Steve Grubb
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2014-04-23 18:51 UTC (permalink / raw)
  To: burn; +Cc: linux audit

On Friday, April 18, 2014 12:08:24 PM Burn Alting wrote:
> Please find attached a patch against 2.3.6 that, when checkpointing,
> notices if we identify an audit.log file to use (i.e. the dev and inode
> match) but we find a complete event whose time is > 2 seconds past the
> checkpoint time. This should not happen, as the checkpoint event should
> be found BEFORE any other complete event for the checkpoint event was
> the last displayed complete event in the file. When this occurs, a
> message is printed to stderr and ausearch will terminate with an exit
> code of 12.
> 
> This typically occurs if there is a lot of processing or a long time
> occurs between two invocations of ausearch --checkpoint. Basically, an
> inode is reused in one of the new audit.log files.

Thanks for the patch. Applied as commit 950 with a couple of formatting changes.

-Steve

