Note that I believe with type=EXECVE audit logs, the parameter names are
constant (e.g. it's always executable, a0, a1, etc.). If you know all the
parameter names, which I think we do in this case, we can use tags/initiators to
select the correct element which would allow you to get something like the first
representation.
On 2024-11-04 12:01 PM, Mike Beckerle wrote:
You cannot convert data values to element names in DFDL. The best you could do
would be something like:
<program-call>
<executable>/bin/foo</executable>
<arg><name>a0</name><value>arg0</value></arg>
<arg><name>a1</name><value>arg1</value></arg>
...
</program-call>
On Mon, Nov 4, 2024 at 11:47 AM simon godden <[email protected]> wrote:
I have linux auditd input representing a program call and its
arguments with data such as this:
type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3
where the number of arguments is arbitrary
Is it possible to parse this to a representation such as
<program-call>
<executable>/bin/foo</executable>
<a0>arg1</a0>
<a1>arg2</a1>
<a2>arg3</a2>
</program-call>
in a way that will also unparse to the original content, and bearing
in mind that the number of arguments is arbitrary (although we would
impose a suitable maximum).
--
Simon Godden
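To make the round-trip requirement from Simon's question concrete (and to show the two target shapes discussed in the replies side by side), here is an added example in Python; it is not DFDL and not code from anyone in this thread. It assumes the simplified record layout exactly as shown in the question: whitespace-separated key=value fields, `type=EXECVE` first, `executable=` second, then `a0`, `a1`, ... in order, with values that contain no spaces (real auditd output quotes or hex-encodes such values, which this does not handle). The argument maximum of 64 is an assumed value standing in for the "suitable maximum" Simon mentions. Because the parser rejects anything that would not unparse back to the same text (wrong field order, a gap in the indices, too many arguments), every record it accepts is guaranteed to round-trip.

```python
"""Round-trip parser/unparser for the EXECVE record shape shown in the thread.
Added example, not DFDL and not code from the thread. Assumes the simplified
whitespace-separated key=value layout from Simon's message; values are taken
verbatim and must not contain spaces (real auditd quotes or hex-encodes such
values, which this example does not handle)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# The "suitable maximum" number of arguments Simon mentions; 64 is an assumed value.
MAX_ARGS = 64

ARG_KEY = re.compile(r"^a(\d+)$")  # argument field names are fixed: a0, a1, ...


@dataclass
class ProgramCall:
    executable: str
    args: list[str] = field(default_factory=list)


def parse_execve(line: str, max_args: int = MAX_ARGS) -> ProgramCall:
    """Parse 'type=EXECVE executable=... a0=... a1=...' into a ProgramCall.

    Field order is enforced and argument indices must be contiguous from a0,
    so anything that would not unparse back to the same line is rejected."""
    fields = []
    for tok in line.split():
        key, sep, value = tok.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"token without '=': {tok!r}")
        fields.append((key, value))
    if not fields or fields[0] != ("type", "EXECVE"):
        raise ValueError("not an EXECVE record")
    if len(fields) < 2 or fields[1][0] != "executable":
        raise ValueError("second field must be executable=...")
    args: list[str] = []
    for i, (key, value) in enumerate(fields[2:]):
        m = ARG_KEY.match(key)
        if not m or int(m.group(1)) != i:
            raise ValueError(f"expected field a{i}, got {key!r}")
        args.append(value)
    if len(args) > max_args:
        raise ValueError(f"{len(args)} arguments exceeds maximum of {max_args}")
    return ProgramCall(fields[1][1], args)


def unparse_execve(call: ProgramCall) -> str:
    """Inverse of parse_execve: rebuilds the original record text exactly."""
    parts = ["type=EXECVE", f"executable={call.executable}"]
    parts += [f"a{i}={v}" for i, v in enumerate(call.args)]
    return " ".join(parts)


def to_indexed_xml(call: ProgramCall) -> str:
    """Simon's target shape: <a0>, <a1>, ... element names derived from the index."""
    root = ET.Element("program-call")
    ET.SubElement(root, "executable").text = call.executable
    for i, v in enumerate(call.args):
        ET.SubElement(root, f"a{i}").text = v
    return ET.tostring(root, encoding="unicode")


def to_arg_list_xml(call: ProgramCall) -> str:
    """Mike's alternative: a repeating <arg> element with the name carried as data."""
    root = ET.Element("program-call")
    ET.SubElement(root, "executable").text = call.executable
    for i, v in enumerate(call.args):
        arg = ET.SubElement(root, "arg")
        ET.SubElement(arg, "name").text = f"a{i}"
        ET.SubElement(arg, "value").text = v
    return ET.tostring(root, encoding="unicode")


def from_indexed_xml(xml_text: str) -> ProgramCall:
    """Read the <a0>/<a1>/... form back so the record can be unparsed again."""
    root = ET.fromstring(xml_text)
    if root.tag != "program-call":
        raise ValueError(f"unexpected root element {root.tag!r}")
    executable = None
    args: list[str] = []
    for child in root:
        if child.tag == "executable":
            executable = child.text or ""
            continue
        m = ARG_KEY.match(child.tag)
        if not m or int(m.group(1)) != len(args):
            raise ValueError(f"unexpected or out-of-order element {child.tag!r}")
        args.append(child.text or "")
    if executable is None:
        raise ValueError("missing <executable>")
    return ProgramCall(executable, args)


if __name__ == "__main__":
    # Constructed sample, taken from the record in Simon's message.
    sample = "type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3"
    call = parse_execve(sample)
    print(to_indexed_xml(call))
    print(to_arg_list_xml(call))
    assert unparse_execve(from_indexed_xml(to_indexed_xml(call))) == sample
```

The strictness in `parse_execve` is the point: an `<a0>`-style representation only unparses faithfully if element position and element name always agree, so a record with `a0` followed by `a2`, or with `executable` after the arguments, is refused up front rather than silently re-ordered on output.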