From: Eric Paris <eparis@redhat.com>
To: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Cc: William Kelly <wkelly@rackspace.com>,
Bret Piatt <bret.piatt@rackspace.com>,
linux-audit@redhat.com
Subject: Re: get_field_str() and interpret_field() bug with multi-word fields
Date: Wed, 13 Aug 2008 11:09:01 -0400 [thread overview]
Message-ID: <1218640141.3540.38.camel@localhost.localdomain> (raw)
In-Reply-To: <1218587598.3437.23.camel@klausk.br.ibm.com.br.ibm.com>
On Tue, 2008-08-12 at 21:33 -0300, Klaus Heinrich Kiwi wrote:
> On Tue, 2008-08-12 at 16:32 -0400, Steve Grubb wrote:
> >
> > And any code created needs to be backwards compatible. you could have new user
> > space/new kernel, or new user space/old kernel, and new kernel/old user
> > space. You have no way of dictating which versions of anything people will
> > use.
>
> But isn't this the exact situation we face now? I remember people asking
> in this list about audit for RHEL4, and in the end the problem was that
> they had their kernel upgraded so userspace and kernel were not in
> sync...
As I recall in the RHEL4 case the problem was the RH was carrying their
own audit patches and so we didn't have to deal with upstream policies.
Look at how strict those upstream policies. It doesn't even matter if
backwards compatibility for BUGS are broken, new kernel + ancient
userspace MUST be able to work somehow.
> I think that if we take this discussion to extremes, we'd be talking
> about a 'self-descriptive meta language' so that upgrades to
> userspace/kernel are well covered (can you say "xml"?)
HAHAHA, kernel output xml? dream on :) I'm willing to do wholesale
output changes, but something that heavy in kernel is impossible to
push. I can just see Al cussing up a storm as he read that.
> On the other hand, I do agree that the way it's currently implemented is
> prone to error when it comes to reporting/analyzing data. e.g., I
> remember fixing a 'mode' field in an audit object where it was being
> displayed as hex where we would expect an octal. In the future, when
> parsing this field, how would I know which radix a mode=003 field is?
> Fundamentally, was the record generated in patched kernel or not? If we
> take this change applied to every kernel and userspace change of the
> audit records, how can auparse possibly cover all cases?
>
> I also feel that stricter message format rules for userspace would help.
> Nowadays is difficult to 'reconstruct' the meaning of an audit record
> just by looking at their fields. Some fields don't even have a value,
> other use the same field twice in the same record. And for most people
> wanting to analyze audit data the fields=value pairs are the only
> reliable source.
I'm all for this, but I still firmly believe that if I am a user of the
audit subsystem and I decide to use my own ugly format that completely
sucks its not audit's fault when it can't parse those things. aka if
you can't use auparse to look at SELinux records, too bad, that's
SELinux's problem to parse them. But everything the audit system
controls could and should be moved to a better standard.
-Eric
next prev parent reply other threads:[~2008-08-13 15:09 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-12 17:49 get_field_str() and interpret_field() bug with multi-word fields Jonathan Kelly
2008-08-12 18:05 ` LC Bruzenak
2008-08-12 18:52 ` John Dennis
2008-08-12 19:02 ` LC Bruzenak
2008-08-12 18:16 ` John Dennis
2008-08-12 21:13 ` Steve Grubb
2008-08-12 22:10 ` Matthew Booth
2008-08-12 23:01 ` Eric Paris
2008-08-12 19:16 ` Steve Grubb
2008-08-12 19:58 ` John Dennis
2008-08-12 20:11 ` Eric Paris
2008-08-12 20:32 ` Steve Grubb
2008-08-12 21:09 ` John Dennis
2008-08-12 21:24 ` Steve Grubb
2008-08-12 22:37 ` John Dennis
2008-08-13 0:33 ` Klaus Heinrich Kiwi
2008-08-13 15:09 ` Eric Paris [this message]
2008-08-13 16:25 ` Klaus Heinrich Kiwi
2008-08-13 17:02 ` Steve Grubb
2008-08-13 17:30 ` LC Bruzenak
2008-08-13 18:49 ` Linda Knippers
2008-08-13 19:58 ` John Dennis
2008-08-14 18:25 ` Stephen Smalley
2008-08-15 13:58 ` Matteo Michelini
2008-08-15 14:10 ` Steve Grubb
2008-08-15 15:27 ` Matteo Michelini
2008-08-15 14:15 ` Stephen Smalley
2008-08-13 16:29 ` John Dennis
2008-08-13 22:35 ` Casey Schaufler
2008-08-12 20:57 ` John Dennis
2008-08-12 21:18 ` Steve Grubb
2008-08-12 21:40 ` John Dennis
2008-08-12 21:53 ` Steve Grubb
2008-08-12 22:11 ` John Dennis
2008-08-12 22:46 ` Steve Grubb
2008-08-12 22:59 ` Eric Paris
-- strict thread matches above, loose matches on Subject: below --
2008-08-13 16:57 Jonathan Kelly
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1218640141.3540.38.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=bret.piatt@rackspace.com \
--cc=klausk@linux.vnet.ibm.com \
--cc=linux-audit@redhat.com \
--cc=wkelly@rackspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox