From: Steve Grubb <sgrubb@redhat.com>
To: Matthew Booth <mbooth@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Cooked audit log format
Date: Mon, 12 May 2008 11:19:46 -0400
Message-ID: <200805121119.46856.sgrubb@redhat.com>
In-Reply-To: <48285C0C.5070809@redhat.com>
On Monday 12 May 2008 11:02:36 Matthew Booth wrote:
> Steve Grubb wrote:
> >> Simple starters would include:
> >> * Translating the architecture and syscall names into human.
> >
> > libauparse, ausearch, & ausyscall can do this.
> >
> >> * Jumping one way or the other with the hex strings business
> >
> > not sure what you mean by this. ausearch, aureport, & libauparse can
> > handle them.
>
> Strings should be either always hex encoded, or always escaped
> (preferably the latter).
The issue that always dominates any thinking about the audit system is how to
save disk space. So, whenever a string has no naughty characters, we let it go
as is. If the string contains something that will confuse the parser or do
other bad things, we encode the string such that the parser cannot be
confused. But we only do that on demand because the majority of strings are
well-behaved.
> >> * Translating timestamps into human.
> >
> > libauparse, ausearch, and aureport all do this.
>
> No doubt, but I'm interested in a general agreement around the output,
Sure, if someone that does auditing steps forward and wants to help define a
standard, we can code something up. That has been the whole issue all this
time.
-Steve
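The on-demand encoding Steve describes (a string goes out as-is when it is well-behaved, hex-encoded when it would confuse the parser) is easy to get wrong on the consuming side, so here is an added example, written for this page and not code from the audit project, of both directions. The trigger rule it uses (hex-encode when any byte is a double quote, below 0x21, or above 0x7e; otherwise emit the string quoted) is my reading of the kernel's untrusted-string logging and is stated as an assumption, as is the set of field names treated as strings; the sample records are constructed, not real system output.

```python
# Added example (not from the mailing-list message or the audit project).
# Assumed rule: a string containing a double quote, a byte below 0x21
# (space and control characters) or above 0x7e is emitted as uppercase hex
# with no quotes; otherwise it is emitted unchanged inside double quotes.
# Decoding reverses this, but only for fields known to carry strings,
# because unquoted numeric fields (syscall args are hex) must not be decoded.
import re

# Assumed set of fields that carry untrusted strings; a real parser
# (libauparse) decides this from the field's type, not from its shape.
STRING_FIELDS = {"name", "comm", "exe", "cwd", "key", "proctitle"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def needs_hex(data: bytes) -> bool:
    """True if any byte would confuse a quote/whitespace-delimited parser."""
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in data)


def encode_audit_string(data: bytes) -> str:
    """Emit the string quoted if well-behaved, else hex-encoded (on demand)."""
    if needs_hex(data):
        return data.hex().upper()
    return '"' + data.decode("ascii") + '"'


def decode_audit_value(value: str) -> bytes:
    """Reverse encode_audit_string for one string-typed field value."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].encode("ascii")
    if value and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value)
    # Unquoted, non-hex tokens such as (null) pass through untouched.
    return value.encode("ascii")


def parse_record(line: str) -> dict:
    """Split a record into fields; string fields become bytes, others stay str."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = decode_audit_value(raw) if key in STRING_FIELDS else raw
    return fields


# Constructed sample records for demonstration (not real system output).
SAMPLE = (
    'type=PATH msg=audit(1210605586.468:101): item=0 name="/etc/passwd" mode=0100644',
    'type=PATH msg=audit(1210605586.468:102): item=0 name=2F746D702F6D7920696E6A6563746564 mode=0100644',
)

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_record(line)["name"])
    print(encode_audit_string(b"/tmp/my injected"))
```

The second sample shows why a consumer has to handle both forms: the path contains a space, so the kernel would have hex-encoded it, and a parser that only splits on whitespace would otherwise see a truncated name.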
Thread overview: 15+ messages
2008-05-11 21:40 Cooked audit log format Matthew Booth
2008-05-12 14:43 ` Steve Grubb
2008-05-12 15:02 ` Matthew Booth
2008-05-12 15:19 ` Steve Grubb [this message]
2008-05-12 15:50 ` LC Bruzenak
2008-05-12 16:09 ` Miloslav Trmač
2008-05-12 16:34 ` Steve Grubb
2008-05-12 16:44 ` LC Bruzenak
2008-05-12 16:53 ` Matthew Booth
2008-05-12 16:12 ` John Dennis
2008-05-12 20:56 ` Eric Paris
2008-05-13 12:30 ` John Dennis
2008-05-15 10:28 ` Tony Jones
2008-05-15 12:44 ` Steve Grubb
2008-05-15 15:59 ` John Dennis