From: Paul Moore <pmoore@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com
Subject: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket
Date: Thu, 23 Oct 2014 15:15:32 -0400 [thread overview]
Message-ID: <2086020.WrLrLQSLcj@sifl> (raw)
In-Reply-To: <4673776.vvC06bKdHc@x2>
On Wednesday, October 22, 2014 05:18:37 PM Steve Grubb wrote:
> On Wednesday, October 22, 2014 05:00:03 PM Paul Moore wrote:
> > On Wednesday, October 22, 2014 04:39:49 PM Steve Grubb wrote:
> > > Except you can have problems when the event is like this
> > > auid= pid= old uid= new uid= res=
> >
> > I honestly don't see the problem here.
>
> You'll never get new uid which is really the one you want.
Once again, I honestly don't see the problem here as I think we should be able
to write a parser to handle this.
> > > > I disagree about the priority. Eric disagrees about the priority.
> > > > Richard hasn't explicitly stated he disagrees with the priority but he
> > > > has made several comments on this list about ordering being an issue
> > > > (Richard, my apologies if I am putting words in your mouth).
>
> I thought it was a question of what to put in an event.
It is an issue of code reuse/duplication and how the fixed field ordering is
turning the kernel code into a mess.
> > > What events do people need to change and why? There's not been any
> > > discussion that I know of saying we need to add fields or change them
> > > around.
> >
> > See the earlier comments on Richard's patch.
>
> He's making a new event. Its not changing things around.
See above.
> > > > What would we need to change in the userspace to eliminate the
> > > > reliance on field ordering?
> > >
> > > Many of the utilities. ausyscall & autrace might be the only ones not
> > > affected.
> >
> > So we would need to change ausyscall and autrace, possibly others.
>
> Exactly the opposite, those are about the only ones clean because they are
> the only ones not parsing logs.
Gotcha, I misread that sentence.
> > Do you expect to need any changes to the deamon or audit libraries?
>
> Not the daemon or library directly for this. But if you want to look into
> this, you'll need some really big logs for testing. You'll need at least
> 100MB to see performance variations. If we can keep performance reasonably
> close, I'd take patches. I know it will be slower.
Define "reasonably close". Also, do you have any "really big" logs you use
for testing?
--
paul moore
security and virtualization @ redhat
next prev parent reply other threads:[~2014-10-23 19:15 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-07 18:23 [RFC][PATCH] audit: log join and part events to the read-only multicast log socket Richard Guy Briggs
2014-10-07 19:03 ` Eric Paris
2014-10-07 19:39 ` Richard Guy Briggs
2014-10-07 22:06 ` Paul Moore
2014-10-11 15:42 ` Steve Grubb
2014-10-11 20:00 ` Paul Moore
2014-10-21 16:41 ` Richard Guy Briggs
2014-10-21 19:56 ` Steve Grubb
2014-10-21 21:08 ` Richard Guy Briggs
2014-10-21 21:40 ` Steve Grubb
2014-10-29 20:23 ` Richard Guy Briggs
2014-10-21 22:30 ` Eric Paris
2014-10-21 23:14 ` Paul Moore
2014-10-22 1:18 ` Richard Guy Briggs
2014-10-22 14:30 ` Steve Grubb
2014-10-21 22:30 ` Paul Moore
2014-10-22 1:24 ` Richard Guy Briggs
2014-10-22 13:34 ` Paul Moore
2014-10-29 21:09 ` Richard Guy Briggs
2014-10-22 14:34 ` Steve Grubb
2014-10-22 14:25 ` Steve Grubb
2014-10-22 14:30 ` Eric Paris
2014-10-22 14:36 ` Steve Grubb
2014-10-22 15:08 ` Eric Paris
2014-10-22 15:12 ` Eric Paris
2014-10-22 15:51 ` LC Bruzenak
2014-10-22 16:24 ` Steve Grubb
2014-10-22 18:18 ` Eric Paris
2014-10-22 19:36 ` LC Bruzenak
2014-10-22 20:00 ` Steve Grubb
2014-10-22 15:28 ` Paul Moore
2014-10-22 17:56 ` Steve Grubb
2014-10-22 20:06 ` Paul Moore
2014-10-22 20:34 ` LC Bruzenak
2014-10-22 20:44 ` Paul Moore
2014-10-22 21:11 ` LC Bruzenak
2014-10-22 21:29 ` Paul Moore
2014-10-23 14:19 ` LC Bruzenak
2014-10-23 19:08 ` Paul Moore
2014-10-22 20:39 ` Steve Grubb
2014-10-22 21:00 ` Paul Moore
2014-10-22 21:18 ` Steve Grubb
2014-10-23 19:15 ` Paul Moore [this message]
2014-10-30 14:55 ` Richard Guy Briggs
2014-10-30 14:48 ` Typo in AUDIT_FEATURE_CHANGE events [was: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket] Richard Guy Briggs
2014-10-30 15:10 ` Steve Grubb
2014-10-30 15:23 ` Richard Guy Briggs
2014-10-29 21:38 ` [RFC][PATCH] audit: log join and part events to the read-only multicast log socket Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2086020.WrLrLQSLcj@sifl \
--to=pmoore@redhat.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.