1AUPARSE_INTERPRET_FIELD(3)      Linux Audit API     AUPARSE_INTERPRET_FIELD(3)
2
3
4

NAME

6       auparse_interpret_field, auparse_interpret_realpath,auparse_interpret_sock_family,auparse_interpret_sock_port,auparse_interpret_sock_address - get current field's interpreted value
7

SYNOPSIS

9       #include <auparse.h>
10
11       const char *auparse_interpret_field(auparse_state_t *au);
12       const char *auparse_interpret_realpath(auparse_state_t *au);
13       const char *auparse_interpret_sock_family(auparse_state_t *au);
14       const char *auparse_interpret_sock_port(auparse_state_t *au);
15       const char *auparse_interpret_sock_address(auparse_state_t *au);
16
17

DESCRIPTION

19       auparse_interpret_field  allows  access to the interpreted value in the
20       current field of the current record in the current event. The  returned
21       string  is  escaped using the chosen method. The returned value will be
22       destroyed if you call this function again. If  you  need  to  interpret
23       another  field  and keep this value, you will have to copy it for later
24       use.
25
26       Examples of things that could be interpreted  are:  uid,  gid,  syscall
27       numbers,  exit codes, file paths, socket addresses, permissions, modes,
28       and capabilities. There are likely to be more in the future. If a value
29       cannot be interpreted, its original value is returned.
30
31       auparse_interpret_realpath  is like auparse_interpret_field except that
32       it will call realpath on  the  results  of  gluing  the  cwd  and  file
33       together.  This  also  implies  that it only valid to be called for the
34       file name given in a PATH record.
35
36       auparse_interpret_sock_family will only return the socket  family  por‐
37       tion of a socket address.
38
39       auparse_interpret_sock_port  will  only  return  the  port portion of a
40       socket address. Not all socket families have a port.  If  that  is  the
41       case,  you  will  get a NULL value in which case your best option is to
42       use the normal interpretation function.
43
44       auparse_interpret_sock_address will only return the address portion  of
45       a  socket  address. Not all socket families have an ip address. If that
46       is the case, you will get a NULL value in which case your  best  option
47       is to use the normal interpretation function.
48
49

RETURN VALUE

51       Returns  NULL  if  there  is an error otherwise a pointer to the inter‐
52       preted value.
53
54

SEE ALSO

56       auparse_get_field_int(3),                     auparse_get_field_str(3),
57       auparse_set_escape_mode(3).
58
59

AUTHOR

61       Steve Grubb
62
63
64
65Red Hat                           August 2017       AUPARSE_INTERPRET_FIELD(3)
Impressum