Re: [RFC PATCH] specs: update message dictionary with source column

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com
Subject: Re: [RFC PATCH] specs: update message dictionary with source column
Date: Wed, 26 Jul 2017 23:08:08 -0400	[thread overview]
Message-ID: <2602136.zviYMK8XDS@x2> (raw)
In-Reply-To: <CAHC9VhR82+Dw4t7S4+H-ehR5gSrit2+CRqpTwM0L=5KC_ymmsA@mail.gmail.com>

On Wednesday, July 26, 2017 6:36:24 PM EDT Paul Moore wrote:
> On Tue, Jul 25, 2017 at 10:51 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-07-25 14:14, Paul Moore wrote:
> >> On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs <rgb@redhat.com> 
wrote:
> >> > On 2017-07-24 11:52, Steve Grubb wrote:
> >> >> On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
> >> >> > Add a column to indicate the source of the message, including
> >> >> > indicating
> >> >> > whether or not it is related to syscalls.
> >> >> > 
> >> >> > Column name: SOURCE
> >> >> > 
> >> >> > Key:
> >> >> >         CTL     Control messages, usually initiated by audit daemon.
> >> >> 
> >> >> Most of these come from auditctl. Auditd only sends enable and setpid.
> >> > 
> >> > I had considered auditctl as part of the audit daemon, as opposed to
> >> > pam, systemd, vsftpd et al that supply user event messages, though I
> >> > suppose even systemd wants to play audit controller too ...
> >> 
> >> I think trying to chase down which application is trying to manage the
> >> audit subsystem is a losing battle.  In fact, I honestly would
> >> probably shrink this "source" list down to just a few possible values:
> >> kernel, userspace, and control.  I'm not convinced that granularity
> >> below this level is particularly useful, and could be confusing.
> > 
> > So I'm guessing from this comment that you think one column is sufficient?
> 
> To specify the source, yes.  If you want to classify the messages that
> is best done in a second column, IMHO.
> 
> > I'd really like to further break "kernel" down into "syscall" and
> > "independent/autonomous".
> Two thoughts:
> 
> 1) Is this important?  I know this is front in your mind as you are
> dealing with issues around this at the moment, but outside of your
> recent experience I don't see a lot of value in this information, only
> overhead in keeping it updated/correct.

Origination information can be useful. I'd be happy to blog about it to show 
people how to use it.

> 2) Is this "source" information?  I would argue "no" as they all come
> from the kernel.  *If* you feel this is truly important (see thought
> #1) then I would rather see this in a separate column.

They really don't all come from the kernel. They are serialized by the kernel. 
They go through the kernel. But the kernel is not always the _observer_ of an 
action that needs reporting.

-Steve

next prev parent reply	other threads:[~2017-07-27  3:08 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-24 14:40 [RFC PATCH] specs: update message dictionary with source column Richard Guy Briggs
2017-07-24 15:52 ` Steve Grubb
2017-07-25  3:48   ` Richard Guy Briggs
2017-07-25 18:14     ` Paul Moore
2017-07-26  2:51       ` Richard Guy Briggs
2017-07-26 22:36         ` Paul Moore
2017-07-27  3:08           ` Steve Grubb [this message]
2017-07-27 12:01             ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2602136.zviYMK8XDS@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=rgb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.