public inbox for linux-audit@redhat.com
From: John Dennis <jdennis@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Cooked audit log format
Date: Mon, 12 May 2008 12:12:34 -0400
Message-ID: <48286C72.3020106@redhat.com>
In-Reply-To: <200805121119.46856.sgrubb@redhat.com>

Steve Grubb wrote:
>> Strings should be either always hex encoded, or always escaped
>> (preferably the latter).
>>     
>
> The issue that always dominates any thinking about the audit system is how to 
> save disk space. So, whenever a string has no naughty characters, we let it go 
> as is. If the string contains something that will confuse the parser or do 
> other bad things, we encode the string such that the parser cannot be 
> confused. But we only do that on demand because the majority of strings are 
> well-behaved.
>   
This is not a true statement; unless the kernel has been patched 
recently, the handling of strings is seriously broken, a fact which has 
been pointed out numerous times. It is also not true that the parser cannot 
be confused by the string format, also pointed out several times. It 
should also be a goal that libraries other than auparse be capable of 
parsing audit strings. It should also be a goal that correct parsing of 
audit logs not be dependent on specific kernel versions.

The extra bytes in question would likely never exceed .01% of total file 
size, thus concerns about the extra bytes needed to properly escape a 
string hogging disk space should not be advanced in 2008 with large disks 
and high bandwidth networks; reliable parsing trumps 1970's optimization 
concerns.

-- 
John Dennis <jdennis@redhat.com>
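
As an added illustration (not code from this thread, the kernel or auparse), the Python below puts the on-demand scheme from the quoted text next to an always-escaped form of the kind the reply prefers, and totals the bytes each one writes for a few constructed values. The set of "naughty" bytes, the bare upper-case hex form, the `\xNN` escape and all function names are assumptions.

```python
# Added illustration; the character classes and the \xNN escape are assumptions.
SAMPLES = [b"/usr/bin/cat", b"/home/user/my file.txt", b'a"b\n']  # constructed values

def needs_encoding(raw: bytes) -> bool:
    # Assumed "naughty" set: space, double quote, control and non-ASCII bytes.
    return any(b <= 0x20 or b >= 0x7F or b == 0x22 for b in raw)

def encode_on_demand(raw: bytes) -> str:
    # Two output forms: quoted as-is, or bare hex when the value needs it.
    if needs_encoding(raw):
        return raw.hex().upper()
    return '"' + raw.decode("ascii") + '"'

def decode_on_demand(field: str) -> bytes:
    # The reader has to pick the form from the leading quote.
    if len(field) >= 2 and field[0] == '"' and field[-1] == '"':
        return field[1:-1].encode("ascii")
    return bytes.fromhex(field)  # ValueError if the bare value is not hex

def encode_always_escaped(raw: bytes) -> str:
    # One output form: always quoted, unsafe bytes written as \xNN.
    out = []
    for b in raw:
        unsafe = b < 0x20 or b >= 0x7F or b in (0x22, 0x5C)
        out.append("\\x%02x" % b if unsafe else chr(b))
    return '"' + "".join(out) + '"'

def decode_always_escaped(field: str) -> bytes:
    if len(field) < 2 or field[0] != '"' or field[-1] != '"':
        raise ValueError("value is not quoted")
    body, out, i = field[1:-1], bytearray(), 0
    while i < len(body):
        if body[i] == "\\":          # a backslash only ever starts \xNN
            out.append(int(body[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(body[i]))
            i += 1
    return bytes(out)

def total_sizes(samples=SAMPLES):
    # Bytes written per scheme over the sample values.
    return (sum(len(encode_on_demand(s)) for s in samples),
            sum(len(encode_always_escaped(s)) for s in samples))

if __name__ == "__main__":
    for s in SAMPLES:
        print(encode_on_demand(s), encode_always_escaped(s))
    print(total_sizes())
```

On these constructed values the on-demand form writes 66 bytes and the always-escaped form 50, because hex doubles every byte of a value that contains even one space.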