From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tomas Mraz
Subject: Re: [PATCH] Fix acct quoting in audit_log_acct_message())
Date: Tue, 04 Mar 2008 21:36:30 +0100
Message-ID: <1204662990.12783.35.camel@vespa.frost.loc>
References: <47CCC6F0.1090005@redhat.com> <47CD65A3.8020204@redhat.com> <1204654248.12783.32.camel@vespa.frost.loc> <200803041356.19571.sgrubb@redhat.com> <47CDB116.7010007@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path:
Received: from [10.32.4.12] (vpn-4-12.str.redhat.com [10.32.4.12]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m24KaYUN017504 for ; Tue, 4 Mar 2008 15:36:35 -0500
In-Reply-To: <47CDB116.7010007@redhat.com>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2008-03-04 at 15:29 -0500, John Dennis wrote:
> Steve Grubb wrote:
> > If there's no agreement with them, should we change anything?
> > auparse is working pretty good as is.
> 
> No it's not. The auparse approach is based on tables, tables which have
> been shown to be incorrect and tied to kernel versions and the patch set
> used to build that kernel version. Like it or not, audit data is and
> will be divorced from kernel versions. In fact audit data will derive
> from a mix of different kernel versions if the audit data is aggregated,
> which is the plan. In the current scheme there is no realistic way to
> process audit data from thousands of nodes all running different kernels
> in an enterprise wide auditing system.
> 
> Any scheme which requires knowing the kernel version and patch set to
> correctly read the data is broken. Attempts to cast this issue as
> pandering to userspace weenies is off the mark by a mile.
But even if the messages were parsable into a tree regardless of kernel
version, for semantic understanding of the messages you'll still have to
know which kernel generated them unless the semantics is set in stone for
all possible messages.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
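The two positions in the exchange above, a structural parse that needs no knowledge of the kernel version versus a semantic step that does, can be separated in code. What follows is an added example written for this page; it is not code from auparse, audit-userspace or the patch under discussion. The two record lines are constructed by hand to mimic the public key=value shape of audit records, and UNTRUSTED_STRING_FIELDS is an assumed stand-in for the kind of per-field table a real interpreter would need. The one convention the example relies on is the kernel's treatment of untrusted strings: a value containing whitespace, quotes or control characters is emitted bare as uppercase hex, otherwise it is emitted double-quoted. Parsing the record into a tree works without any table; deciding which bare tokens are hex-encoded strings does not, as the uid=1000 field shows.

```python
import re
from typing import Any, Dict, Optional, Set

# Constructed sample records for this example (hand-written, not taken from the
# thread or from any real system).  They follow the public key=value shape of
# Linux audit records: a "type=... msg=audit(ts:serial):" header, then fields,
# with the PAM part nested inside msg='...'.  In the second record the account
# name contains a space, so the kernel would have hex-encoded it bare rather
# than emitting it double-quoted.
SAMPLE_RECORDS = [
    "type=USER_ACCT msg=audit(1204662990.123:45): user pid=12783 uid=0 auid=500 "
    "msg='op=PAM:accounting acct=\"tmraz\" exe=\"/usr/bin/sudo\" hostname=? "
    "addr=? terminal=pts/1 res=success'",
    "type=USER_ACCT msg=audit(1204662991.456:46): user pid=12790 uid=1000 auid=500 "
    "msg='op=PAM:accounting acct=6261642075736572 exe=\"/bin/login\" hostname=? "
    "addr=? terminal=tty1 res=failed'",
]

# Assumed per-field table (an assumption of this example): names of fields that
# carry untrusted strings and may therefore arrive hex-encoded.  This is the
# kind of kernel-dependent knowledge the thread argues about; the structural
# parser below never consults it.
UNTRUSTED_STRING_FIELDS: Set[str] = {"acct", "exe", "comm", "cwd", "proctitle"}

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# One key=value token: double-quoted, single-quoted (nested record) or bare.
TOKEN_RE = re.compile(
    r"""(?P<key>[A-Za-z0-9_-]+)=(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S*))"""
)
# Kernel hex encoding of untrusted strings is uppercase, whole bytes.
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def parse_fields(body: str) -> Dict[str, Any]:
    """Version-independent structural parse: every key=value becomes an entry,
    a single-quoted value is parsed recursively, and nothing is interpreted."""
    fields: Dict[str, Any] = {}
    for m in TOKEN_RE.finditer(body):
        key = m.group("key")
        if m.group("sq") is not None:
            fields[key] = parse_fields(m.group("sq"))
        elif m.group("dq") is not None:
            fields[key] = m.group("dq")
        else:
            fields[key] = m.group("bare")
    return fields


def parse_record(line: str) -> Dict[str, Any]:
    """Split the audit header off and parse the body into a tree of fields."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": parse_fields(m.group("body")),
    }


def interpret(fields: Dict[str, Any], untrusted: Optional[Set[str]]) -> Dict[str, Any]:
    """Semantic step: decode hex-encoded untrusted strings.  With a field table
    only the listed fields are decoded; with untrusted=None every hex-looking
    token is decoded, which silently corrupts numeric fields such as uid=1000."""
    out: Dict[str, Any] = {}
    for key, value in fields.items():
        if isinstance(value, dict):
            out[key] = interpret(value, untrusted)
        elif (untrusted is None or key in untrusted) and HEX_RE.match(value):
            out[key] = bytes.fromhex(value).decode("utf-8", errors="replace")
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(rec["type"], rec["serial"], "raw acct:", rec["fields"]["msg"]["acct"])
        print("  with table   :", interpret(rec["fields"], UNTRUSTED_STRING_FIELDS)["msg"]["acct"])
        print("  without table: uid =", repr(interpret(rec["fields"], None)["uid"]))
```

The split is the point: parse_record is the "tree regardless of kernel version" half and can be run over records from any node, while interpret needs a table that says what acct, exe or uid mean, and a guess in place of that table turns the numeric uid into two control bytes.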