From: Steve Grubb
Subject: Re: Cooked audit log format
Date: Mon, 12 May 2008 11:19:46 -0400
Message-ID: <200805121119.46856.sgrubb@redhat.com>
References: <482767E0.10506@redhat.com> <200805121043.17906.sgrubb@redhat.com> <48285C0C.5070809@redhat.com>
In-Reply-To: <48285C0C.5070809@redhat.com>
To: Matthew Booth
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 12 May 2008 11:02:36 Matthew Booth wrote:
> Steve Grubb wrote:
> >> Simple starters would include:
> >> * Translating the architecture and syscall names into human.
> >
> > libauparse, ausearch, & ausyscall can do this.
> >
> >> * Jumping one way or the other with the hex strings business
> >
> > not sure what you mean by this. ausearch, aureport, & libauparse can
> > handle them.
>
> Strings should be either always hex encoded, or always escaped
> (preferably the latter).

The issue that always dominates any thinking about the audit system is how to
save disk space. So, whenever a string has no naughty characters, we let it go
as is. If the string contains something that will confuse the parser or do
other bad things, we encode the string such that the parser cannot be
confused. But we only do that on demand because the majority of strings are
well-behaved.

> >> * Translating timestamps into human.
> >
> > libauparse, ausearch, and aureport all do this.
>
> No doubt, but I'm interested in a general agreement around the output,

Sure, if someone that does auditing steps forward and wants to help define a
standard, we can code something up. That has been the whole issue all this
time.

-Steve
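The on-demand encoding Steve describes, as an added worked example from the editor (not code from this thread, nor from the audit kernel code, libauparse or ausearch). The message only says "naughty characters"; the exact trigger used here is an assumption that mirrors the kernel's untrusted-string check as the editor understands it: any byte outside printable ASCII 0x21..0x7e, or a double quote, causes the whole value to be emitted as bare uppercase hex, otherwise it is emitted verbatim in double quotes. The list of which field names carry untrusted strings is likewise a partial assumption, and all sample records are constructed, not captured.

```python
import re

# Assumption (not stated in the thread): a value is hex-encoded when any byte is
# outside printable ASCII (0x21..0x7e) or is a double quote, since either would
# break a quoted value; otherwise it is logged verbatim inside double quotes.
def needs_hex(raw: bytes) -> bool:
    return any(b < 0x21 or b > 0x7E or b == 0x22 for b in raw)


def encode_field(raw: bytes) -> str:
    """Encode one untrusted string the way the audit record carries it."""
    if needs_hex(raw):
        return raw.hex().upper()          # bare uppercase hex, no quotes
    return '"' + raw.decode("ascii") + '"'


def decode_field(value: str):
    """Reverse encode_field for a single field value; None for the (null) marker."""
    if value == "(null)":                 # kernel marker for a missing string
        return None
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].encode("ascii")
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value)
    raise ValueError(f"malformed untrusted string field: {value!r}")


# Fields logged as untrusted strings (assumed, partial list); everything else
# (pid, argc, ...) is trusted and left as text. The parser has to know which is
# which: "42" is a number in argc=42 but would be the byte 0x42 in an a0= field.
UNTRUSTED_FIELDS = {"name", "comm", "exe", "cwd", "proctitle", "key"}


def is_untrusted(key: str) -> bool:
    return key in UNTRUSTED_FIELDS or re.fullmatch(r"a\d+", key) is not None


FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")


def parse_record(line: str) -> dict:
    """Split one audit record into fields, decoding the untrusted ones to bytes."""
    rec = {}
    m = MSG_RE.search(line)
    if m:
        # audit(secs.millis:serial) -> epoch seconds and event serial number
        rec["_time"] = int(m.group(1)) + int(m.group(2)) / 1000.0
        rec["_serial"] = int(m.group(3))
        line = line[:m.start()] + line[m.end():]
    for key, value in FIELD_RE.findall(line):
        rec[key] = decode_field(value) if is_untrusted(key) else value
    return rec


# Constructed sample records (not real captures) showing both forms side by side:
# a2 is 'echo "hi there"' (contains quote and spaces), name is "/tmp/evil\n".
SAMPLE_EXECVE = ('type=EXECVE msg=audit(1210605612.123:45): argc=3 a0="sh" a1="-c" '
                 'a2=6563686F2022686920746865726522')
SAMPLE_PATH = 'type=PATH msg=audit(1210605612.123:45): item=1 name=2F746D702F6576696C0A'


def parser_confusion_demo() -> dict:
    """An argument crafted to look like extra fields is hex-encoded and stays one field."""
    hostile = b'x" a9="pwned'   # would smuggle a fake a9= field if logged raw
    line = "type=EXECVE msg=audit(1.000:1): argc=1 a0=" + encode_field(hostile)
    return parse_record(line)


if __name__ == "__main__":
    for line in (SAMPLE_EXECVE, SAMPLE_PATH):
        print(parse_record(line))
    print(parser_confusion_demo())
```

The point of `is_untrusted` is the caveat a consumer of the raw log needs: the value alone does not say whether it is hex, so a decoder must carry per-field knowledge, which is what libauparse and ausearch do and what a "cooked" format would have to spell out.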