Re: missing avc message field names

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Karl MacMillan <kmacmillan@mentalrootkit.com>
Cc: linux-audit@redhat.com, selinux@tycho.nsa.gov,
	Steve G <linux_4ever@yahoo.com>
Subject: Re: missing avc message field names
Date: Tue, 30 Jan 2007 12:42:31 -0500	[thread overview]
Message-ID: <200701301242.31909.sgrubb@redhat.com> (raw)
In-Reply-To: <45BF5AE3.6030602@mentalrootkit.com>

On Tuesday 30 January 2007 09:49, Karl MacMillan wrote:
> > You already have that problem. AUDIT_AVC and AUDIT_USER_AVC.
>
> Yes, but adding even more message types makes the problem worse. More
> importantly, what does splitting AVC messages even more accomplish?

It allows users to tune the audit system to the kinds of messages they want to 
keep in their logs, makes analysis of the kinds of problems being reported 
easier, and allows normalization of records for binary use.

> In fact, I would rather that AUDIT_AVC and AUDIT_USER_AVC were not split.

They have to be, ironically, because of SE Linux.  :)

> > Speed and compression. People doing serious auditing have very large
> > files. Compression is extremely important. Also when dealing with large
> > files, any performance trick you can find helps immensely.
>
> gzip or bzip2 compression is not sufficient?

No, its an intermediate solution on the way to a better more difficult 
solution.

> Is audit searching performance the most important consideration?

Storage size is the more important followed by speed. As soon as you allow 
more records, they will have more to search.

> Look, I'm not against binary logs, I'm just trying to point out that I
> think that the transition will not be as easy as you seem to suggest.

No, I'm sure it will be time consuming and done in phases. The first step is 
providing the insulating layer so that apps do not have to care.

> >> The biggest issue, of course, is that it would prevent the use of any
> >> tools that process the files as text (grep, tail, awk, seaudit,
> >> setroubleshoot, etc., etc.).
> >
> > ausearch -m all --raw | grep anything you want
>
> tail -f happens to be my favorite counter example, but I am certain
> there are other useful tricks for monitoring logs that will break.

You can still use this on your system. What will be happening in the audit 
system is that there will be choices as to how the information will be 
stored. Text will still be an option. However, the portable way will be 
ausearch based.

> >> And what about third-party tools that are security critical?
> >
> > They have the TRUSTED_APP message type and they can put anything in that
> > they want. I consider that one completely freestyle.
>
> Why is it acceptable to have arbitrary name/value pairs in that message
> type and not in others?

Because by definition third party means we don't have the source to review or 
fix.

-Steve

next prev parent reply	other threads:[~2007-01-30 17:42 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20070129185542.32977.qmail@web51502.mail.yahoo.com>
2007-01-29 19:22 ` missing avc message field names Eamon Walsh
     [not found]   ` <45BE4971.6090601-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2007-01-29 19:43     ` Karl MacMillan
2007-01-29 20:07       ` Eamon Walsh
2007-01-29 20:56   ` Steve Grubb
2007-01-29 21:16     ` Karl MacMillan
2007-01-29 22:49       ` Steve Grubb
2007-01-29 23:48         ` Eamon Walsh
     [not found]           ` <45BE87E0.5090109-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2007-01-30 12:25             ` Russell Coker
     [not found]         ` <200701291749.21897.sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2007-01-30 14:49           ` Karl MacMillan
2007-01-30 17:06             ` Joshua Brindle
2007-01-30 17:28               ` Valdis.Kletnieks
2007-01-30 18:45               ` Casey Schaufler
2007-01-30 17:42             ` Steve Grubb [this message]
2007-01-30 22:53             ` James Antill
     [not found]               ` <1170197588.3373.28.camel-pBdgC7Q4sO52KDkfy0k2sw@public.gmane.org>
2007-01-31  0:50                 ` Karl MacMillan
2007-01-31  5:29                   ` Joshua Brindle
     [not found]                     ` <45C02948.9090607-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>
2007-01-31 22:59                       ` Russell Coker
2007-02-01 11:40                         ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200701301242.31909.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=kmacmillan@mentalrootkit.com \
    --cc=linux-audit@redhat.com \
    --cc=linux_4ever@yahoo.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox