From: Casey Schaufler
Subject: Re: Using the audit system for non-security events
Date: Wed, 28 May 2008 14:24:45 -0700 (PDT)
Message-ID: <220918.83070.qm@web36606.mail.mud.yahoo.com>
In-Reply-To: <1212008434.30699.6.camel@klausk.br.ibm.com>
Reply-To: casey@schaufler-ca.com
To: Klaus Heinrich Kiwi, Eric Paris
Cc: linux-audit@redhat.com, dwmw2@redhat.com, harald@redhat.com
List-Id: linux-audit@redhat.com

--- Klaus Heinrich Kiwi wrote:

> On Tue, 2008-05-27 at 14:08 -0400, Eric Paris wrote:
> > I want thoughts on such a proposal. Obviously I'm going to have to
> > put some real thought/care into how to handle 'overlapping' rules
> > between security and non-security and stuff like that, but as a
> > general idea what do people think? In theory I'm behind this 100%.
>
> At the risk of sounding like "we should take over the world", I think it
> actually should be a good thing to have more users relying on the audit
> subsystem, so I liked the idea.

In practice, we tried this very thing in a Unix system (that you can
still buy, but not for too much longer). We convinced the people
implementing advanced resource accounting to do so by adding audit
record types with the information they required. Simple, clean, saved
them about a year on their development time.

Of course, just before the feature was to be released some joker came
along and insisted that the "overhead" of including audit "just to do
accounting" was ruinous. They threw away that implementation and did a
new infrastructure from scratch that was slow, buggy, and consumed far
more resources than the audit based implementation, but that didn't
meet their requirements. Needless to say, the original audit based
implementation was blamed for these problems.

My practical advice is to discourage the use of the audit system for
anything except security audit trails. People who don't do security
tend to have a hard time dealing with the reliability and data rate
requirements that drive the design of an audit system, and will fix*
critical audit system behaviors to better suit other needs.

> Previously, on this same mailing list, we once discussed about using
> fields to route records across different systems. Perhaps it's time for
> us to have a real look at a more generic solution for this? (Not that
> I'm against adding another field, but since record routing is necessary
> for several reasons, wouldn't it be desirable to have the right
> infrastructure in place to handle those, say, in auditctl?)

----
* fix - in the veterinary sense of the word.

Casey Schaufler
casey@schaufler-ca.com