audit record: create and reuse fields

2019-12-12 16:12:44 +03:00 · 2019-12-12 16:12:44 +03:00 · 98bc48492f
commit 98bc48492f
parent 0aca43be6f
1 changed files with 73 additions and 5 deletions
--- a/auditd-plugin-clickhouse.cpp
+++ b/auditd-plugin-clickhouse.cpp
@ -40,6 +40,8 @@
 #include <boost/property_tree/ini_parser.hpp>
 #include <boost/optional.hpp>

+#include <regex>
+
 #include "auditd-datatypes.hpp"

 int runpipes[2] = { -1, -1 };
@ -134,11 +136,77 @@ void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, voi

 					if (field_name != "node") // skip node since it's already processed
 					{
-						auparse_get_field_name(au);
-						auparse_get_field_type(au);
-						auparse_get_field_str(au);
-						auparse_get_field_int(au);
-						auparse_interpret_field(au);
+						const std::string field_name = auparse_get_field_name(au);
+						auparse_type_t field_type = static_cast<auparse_type_t>(auparse_get_field_type(au));
+
+						std::string database_type;
+						std::string database_name;
+
+						// first search for this field name in datatypes map,
+						// if it's not found there search all elements in datatypes regexp container
+						{
+							auto iter = callback_data->datatypes_map.find(field_name);
+							if (iter != callback_data->datatypes_map.end())
+							{
+								database_type = iter->second;
+								database_name = iter->first;
+							}
+							else
+							{
+								for (auto regexp_iter = callback_data->datatype_regexps_map.begin(); regexp_iter != callback_data->datatype_regexps_map.end(); ++regexp_iter)
+								{
+									std::regex audit_name_regex(std::get<0>(*regexp_iter));
+									if (std::regex_match(field_name, audit_name_regex))
+									{
+										database_type = std::get<1>(*regexp_iter);
+										database_name = std::get<2>(*regexp_iter);
+										break;
+									}
+								}
+							}
+						}
+
+						if (database_type.empty() || database_name.empty())
+						{
+							fprintf(stderr, "Couldn't find matching database entry for field with name \"%s\" and type %d\n", field_name.c_str(), (int) field_type);
+							continue;
+						}
+
+						if (!check_field_type(field_type, database_type, field_name))
+						{
+							fprintf(stderr, "Warning: expected datatype doesn't match database datatype for field \"%s\": expected \"%s\", actual %d\n",
+								field_name.c_str(), database_type.c_str(), field_type);
+						}
+
+						std::shared_ptr<AbstractRecordField> data_ptr;
+
+						// If field is present in audit record, reuse it
+						// and update it's value,
+						// otherwise create new one and register it
+						{
+							auto data_iter = audit_record.fields.find(database_name);
+							if (data_iter != audit_record.fields.end())
+							{
+								data_ptr = data_iter->second;
+							}
+							else
+							{
+								auto iter = callback_data->type_creation_map.find(database_type);
+								if (iter != callback_data->type_creation_map.end())
+								{
+									data_ptr = iter->second(database_name);
+								}
+								else
+								{
+									fprintf(stderr, "Warning: no creator function found for data type \"%s\", using \"string\" as fallback\n", database_type.c_str());
+									data_ptr = InterpretedStringRecordField::createRecord(database_name);
+								}
+
+								audit_record.fields[database_name] = data_ptr;
+							}
+						}
+
+						// TODO: add value
 					}
 				} while (auparse_next_field(au) > 0);
 			}