public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com, burn@swtf.dyndns.org
Cc: Sowndarya K <sowndaryak18@gmail.com>
Subject: Re: Audit log Fields
Date: Fri, 12 Feb 2016 14:04:26 -0500	[thread overview]
Message-ID: <4411457.g1FoyMUnPs@x2> (raw)
In-Reply-To: <1455196014.28800.61.camel@swtf.swtf.dyndns.org>

On Friday, February 12, 2016 12:06:54 AM Burn Alting wrote:
> Steve,
> 
> Perhaps we could update the above document to advise users what they
> should offer in such a proposal.

Good point. Usually they come to the list and say, "I am working on a daemon 
that needs to write something to the audit log whenever this kind of thing 
happens. How should I record it?"

This leads to a better conversation because not everything is a candidate for 
the audit logs. That doesn't mean it doesn't need to be recorded, it just 
means it needs to go somewhere else.

For example, tcp_wrappers can reject connections. Should that go into audit 
logs automatically? No way. Same with web application access control. These 
are important enough to be logged, but they belong in an application log.


> Perhaps further, we could offer a generic solution on how one could
> define a 'non-public' field name. That is, a 'non-public' field is one
> which could not, via its nomenclature, conflict with a current or
> future 'public' (aka published) field name. Such non-public fields could
> then be used by capability that only needs the audit source and audit
> consumer to be aware of the field.

That's a good point. I'm pretty sure 'private-' will never be used for a prefix 
to any field. That said, if this is going into an existing event, we really 
need to have a discussion about that. This affects all third parties that try 
to make sense of the audit logs.

-Steve
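The two concerns in this reply, that consumers must be able to make sense of every field, and that an application-private field should carry a prefix such as 'private-' that can never collide with a published field name, can be checked mechanically on the consumer side. The following is an added example and not code from the audit project or from anyone on this thread: a small parser for the `type=... msg=audit(time:serial): key=value ...` record layout (including the fields nested inside `msg='...'` in USER_* records) that sorts each field into published, private-prefixed, or unknown. The set of published field names here is a tiny illustrative subset (the real dictionary is much longer), the sample records are constructed, and the field names `private-policy`, `private-reason`, `policy` and `reason` are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# ASSUMPTION: a tiny subset of published audit field names, enough for the
# sample records below. The real list is far longer; "time" and "serial"
# are the pieces of the msg=audit(time:serial) header.
PUBLIC_FIELDS = {
    "type", "time", "serial", "pid", "uid", "auid", "ses", "subj", "op",
    "acct", "exe", "hostname", "addr", "terminal", "res",
}

# Prefix discussed in the thread for fields that only the producing
# application and its consumer need to understand.
PRIVATE_PREFIX = "private-"

# Record header: type=NAME msg=audit(SECONDS.MILLIS:SERIAL): <fields>
_HEADER_RE = re.compile(r"^type=(\S+)\s+msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
# One key=value pair; values may be bare, "double-quoted" or 'single-quoted'.
_FIELD_RE = re.compile(r"""([A-Za-z0-9_.\-]+)=("[^"]*"|'[^']*'|\S*)""")


def _parse_fields(text: str, rec: Dict[str, str]) -> None:
    """Add every key=value pair in text to rec, descending into msg='...'."""
    for key, val in _FIELD_RE.findall(text):
        quoted = len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'"
        if quoted:
            val = val[1:-1]
        if key == "msg" and quoted:
            # USER_* records carry the application's own fields inside msg='...'
            _parse_fields(val, rec)
        else:
            rec[key] = val


def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit record into a flat field -> value mapping."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    _parse_fields(m.group(4), rec)
    return rec


def classify_fields(rec: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a record's field names into public, private-prefixed and unknown."""
    out: Dict[str, List[str]] = {"public": [], "private": [], "unknown": []}
    for key in rec:
        if key in PUBLIC_FIELDS:
            out["public"].append(key)
        elif key.startswith(PRIVATE_PREFIX):
            out["private"].append(key)
        else:
            out["unknown"].append(key)
    return out


def find_conflicts(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (serial, unknown fields) for records whose custom fields carry
    no private- prefix and therefore may collide with a published name."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        unknown = sorted(classify_fields(rec)["unknown"])
        if unknown:
            hits.append((rec["serial"], unknown))
    return hits


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    "type=USER_AUTH msg=audit(1455300000.123:456): pid=1234 uid=0 auid=1000 "
    "ses=3 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
    # hypothetical daemon using the discussed private- prefix
    "type=USER msg=audit(1455300001.000:457): pid=2222 uid=0 auid=1000 ses=3 "
    "msg='private-policy=deny private-reason=rate_limit res=failed'",
    # same daemon without the prefix: 'policy' and 'reason' could clash later
    "type=USER msg=audit(1455300002.000:458): pid=2222 uid=0 auid=1000 ses=3 "
    "msg='policy=deny reason=rate_limit res=failed'",
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(rec["serial"], rec["type"], classify_fields(rec))
    print("possible field-name conflicts:", find_conflicts(SAMPLE_RECORDS))
```

Running the block prints the classification of each record and reports serial 458 as the one whose custom fields lack the prefix; a consumer that knows only the published dictionary can thus tell a deliberately private field from an undocumented one instead of silently misinterpreting it.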

Thread overview: 4+ messages
2016-02-11 12:37 Audit log Fields Sowndarya K
2016-02-11 13:06 ` Burn Alting
2016-02-12 19:04   ` Steve Grubb [this message]
2016-02-12 18:57 ` Steve Grubb
