From: Steve Grubb
Subject: Re: [RFC PATCH] specs: update message dictionary with source column
Date: Mon, 24 Jul 2017 11:52:36 -0400
Message-ID: <2669267.8OsU99eIMk@x2>
References: <1500907208-10711-1-git-send-email-rgb@redhat.com>
In-Reply-To: <1500907208-10711-1-git-send-email-rgb@redhat.com>
To: Richard Guy Briggs
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
> Add a column to indicate the source of the message, including indicating
> whether or not it is related to syscalls.
>
> Column name: SOURCE
> Key:
> CTL  Control messages, usually initiated by audit daemon. Most of these come from auditctl. Auditd only sends enable and setpid.
> DEP  Deprecated message types
> IND  Independent kernel message
> USR  User message
> SC   System-call related kernel message

I think that doing it like this is conflating 2 ideas: origin and class. Origin is user space or kernel. The record class is ctl, dep, simple, and compound events. There are some cases where things could be user space and deprecated, or kernel and deprecated. And by its nature, all user space originating records are simple. To me, there are overlaps in the meaning.

If they were split, this would make subsetting easier. For example, I can do a join of this csv file and the audit logs in csv to create an enhanced dataframe. Then I can subset on user records.

-Steve
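Steve's closing idea, a join of the message dictionary (with origin and class kept as separate columns, as he proposes) against audit records exported as CSV, followed by a subset on user-originated records, worked through as an added example that is not part of this thread or of the audit project. The dictionary rows, the log lines and the origin/class values assigned to each record type are constructed sample data, and the function names are the example's own; it uses only the Python standard library so no dataframe package is needed.

```python
"""Join an audit message dictionary that carries separate ORIGIN and CLASS
columns onto audit records in CSV, then subset the result.

Added example for the linux-audit thread, not project code.  All rows below
are constructed; the ORIGIN/CLASS assignments are illustrative assumptions,
not the project's actual message dictionary.
"""
import csv
import io
from collections import Counter

# Constructed message dictionary using the proposed split:
# ORIGIN = user | kernel, CLASS = ctl | dep | simple | compound.
MESSAGE_DICTIONARY_CSV = """\
NAME,VALUE,ORIGIN,CLASS
SYSCALL,1300,kernel,compound
PATH,1302,kernel,compound
CONFIG_CHANGE,1305,kernel,simple
ADD_RULE,1011,user,ctl
USER_AUTH,1100,user,simple
USER_LOGIN,1112,user,simple
DAEMON_START,1200,user,simple
"""

# Constructed CSV export of audit records (hand-written, only loosely
# modelled on a CSV export from ausearch).  BOGUS_TYPE is deliberately
# absent from the dictionary to exercise the unmatched path.
AUDIT_LOG_CSV = """\
TYPE,EVENT_ID,TIME,AUID,RESULT
SYSCALL,100,2017-07-24 10:40:08,1000,success
PATH,100,2017-07-24 10:40:08,1000,success
USER_LOGIN,101,2017-07-24 10:40:09,1000,success
ADD_RULE,102,2017-07-24 10:40:10,0,success
USER_AUTH,103,2017-07-24 10:40:11,1000,failed
CONFIG_CHANGE,104,2017-07-24 10:40:12,0,success
BOGUS_TYPE,105,2017-07-24 10:40:13,0,success
"""


def load_dictionary(text):
    """Parse the message dictionary CSV into {NAME: row-dict}."""
    return {row["NAME"]: row for row in csv.DictReader(io.StringIO(text))}


def join_records(dictionary_text, log_text):
    """Left-join audit records onto the dictionary by record type name.

    Records whose type is missing from the dictionary are kept with empty
    ORIGIN/CLASS so that nothing silently disappears from the dataframe.
    """
    dictionary = load_dictionary(dictionary_text)
    joined = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        meta = dictionary.get(rec["TYPE"], {})
        joined.append({**rec,
                       "ORIGIN": meta.get("ORIGIN", ""),
                       "CLASS": meta.get("CLASS", "")})
    return joined


def subset(rows, origin=None, cls=None):
    """Filter joined rows on origin and/or class independently; the two
    columns being separate is what makes this combination possible."""
    return [r for r in rows
            if (origin is None or r["ORIGIN"] == origin)
            and (cls is None or r["CLASS"] == cls)]


def unmatched_types(rows):
    """Record types seen in the log but absent from the dictionary."""
    return sorted({r["TYPE"] for r in rows if not r["ORIGIN"]})


def count_by(rows, column):
    """Histogram of a column, e.g. classes within the user subset."""
    return dict(Counter(r[column] for r in rows))


if __name__ == "__main__":
    joined = join_records(MESSAGE_DICTIONARY_CSV, AUDIT_LOG_CSV)
    for r in subset(joined, origin="user"):
        print(r["TYPE"], r["CLASS"], r["EVENT_ID"])
    print("classes in user subset:", count_by(subset(joined, origin="user"), "CLASS"))
    print("unmatched types:", unmatched_types(joined))
```

Keeping unmatched types in the join, rather than dropping them, is the check worth having when the dictionary and the kernel drift apart: an empty ORIGIN column is a direct signal that the dictionary needs an entry.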