linux-audit-parser 0.2.7

Parser for Linxu Audit logs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

#[cfg(feature = "serde")]
use serde_with::{DeserializeFromStr, SerializeDisplay};
use std::fmt::{self, Debug, Display};
use std::str::{self, FromStr};

use thiserror::Error;

use crate::constants::*;

/// Type of an audit message, corresponding to the `type=…` part of
/// every Linux Audit log line.
///
/// The implementation uses the same 32bit unsigned integer values
/// that are used by the Linux Audit API. Mappings between numeric and
/// symbolic values is generated using CSV retrieved from the [`Linux
/// Audit Project`]'s documentation.
///
/// [`Linux Audit Project`]: https://github.com/linux-audit/audit-documentation
#[derive(PartialEq, Eq, Hash, Default, Clone, Copy)]
#[cfg_attr(feature = "serde", derive(DeserializeFromStr, SerializeDisplay))]
pub struct MessageType(pub u32);

impl Display for MessageType {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match EVENT_NAMES.get(&(self.0)) {
            Some(name) => write!(f, "{name}"),
            None => write!(f, "UNKNOWN[{}]", self.0),
        }
    }
}

impl Debug for MessageType {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match EVENT_NAMES.get(&(self.0)) {
            Some(name) => write!(f, "MessageType({name})"),
            None => write!(f, "MessageType({})", self.0),
        }
    }
}

/// The error type returned by [MessageType::from_str]
#[derive(Debug, Error)]
pub enum ParseMessageTypeError {
    #[error("unknown identifier ({0})")]
    Unknown(String),
    #[error("malformed UNKNOWN[…] string")]
    MalformedUnknown,
    #[error("cannot parse number ({0}): {1}")]
    Number(String, std::num::ParseIntError),
}

impl FromStr for MessageType {
    type Err = ParseMessageTypeError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        if let Some(id) = EVENT_IDS.get(s.as_bytes()) {
            Ok(MessageType(*id))
        } else {
            let number = s
                .strip_prefix("UNKNOWN[")
                .ok_or_else(|| ParseMessageTypeError::Unknown(s.into()))?
                .strip_suffix("]")
                .ok_or(ParseMessageTypeError::MalformedUnknown)?;
            let id = u32::from_str(number)
                .map_err(|e| ParseMessageTypeError::Number(number.into(), e))?;
            Ok(MessageType(id))
        }
    }
}

include!(concat!(env!("OUT_DIR"), "/message_type_impl.rs"));

impl MessageType {
    /// True for messages that are part of multi-part events from
    /// kernel-space.
    ///
    /// This mimics auparse logic as of version 3.0.6
    pub fn is_multipart(&self) -> bool {
        (1300..2100).contains(&self.0) || self == &MessageType::LOGIN
    }
}