From: John Dennis <jdennis@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: William Kelly <wkelly@rackspace.com>,
linux-audit@redhat.com, Bret Piatt <bret.piatt@rackspace.com>
Subject: Re: get_field_str() and interpret_field() bug with multi-word fields
Date: Tue, 12 Aug 2008 18:37:36 -0400 [thread overview]
Message-ID: <48A210B0.1020404@redhat.com> (raw)
In-Reply-To: <200808121724.09725.sgrubb@redhat.com>
[-- Attachment #1.1: Type: text/plain, Size: 2339 bytes --]
Steve Grubb wrote:
> On Tuesday 12 August 2008 17:09:18 John Dennis wrote:
>
>> The fact you can have any combination of kernel, user code, and
>> historical log files is precisely why this need to be fixed ASAP. Why?
>> Because there is no value in being backwards compatible with a data
>> stream you can't read when any of the three components (kernel, user
>> libraries, files) are permuted.
>>
>
> John, you are very wrong here.
I respectfully disagree.
> We are about to role out remote logging for the
> audit system. ... So, in the future you will likely have a RHEL6 machine aggregating RHEL5
> machines.
This is exactly the problem I trying to avoid. Once the log data is
divorced from the user space tools necessary to correctly parse it there
are going to be enormous problems.
Let me be clear, I'm worried about the scenario where an audit log file
was archived from some random system in MegaCorp, then many years later
an auditor investigating MegaCorp decides that log file has critical
information in it. Is MegaCorp going to be able to satisfy the
regulatory requirements to correctly extract the audit data when the
sys-admin who set up the logging left the company years ago, the
information about the system has since been lost, the system has since
been re-installed with a new OS, and no one bothered to archive the
matching version of auparse with the log file?
Don't forget, many auditing regulations require the raw log data to be
preserved, not an interpreted version of the log data. This means one
cannot just run auparse over the file to re-format it prior to archiving
it unless one is willing to store two copies, the raw file and an
interpreted version. People don't want to store two versions of data for
obvious reasons. They want to store the raw data and correctly read it
at any point in the future with one tool. The current scheme does not
satisfy those requirements, nor is it scalable.
I believe it's an absolute requirement that audit log files can be
correctly parsed independent of any external information.
> They will not be happy if they find that they have to upgrade all
> the machines just to do reports. There's no way I'm going to tell people we
> are cutting you off, you have to upgrade.
>
> -Steve
>
--
John Dennis <jdennis@redhat.com>
[-- Attachment #1.2: Type: text/html, Size: 3187 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2008-08-12 22:37 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-12 17:49 get_field_str() and interpret_field() bug with multi-word fields Jonathan Kelly
2008-08-12 18:05 ` LC Bruzenak
2008-08-12 18:52 ` John Dennis
2008-08-12 19:02 ` LC Bruzenak
2008-08-12 18:16 ` John Dennis
2008-08-12 21:13 ` Steve Grubb
2008-08-12 22:10 ` Matthew Booth
2008-08-12 23:01 ` Eric Paris
2008-08-12 19:16 ` Steve Grubb
2008-08-12 19:58 ` John Dennis
2008-08-12 20:11 ` Eric Paris
2008-08-12 20:32 ` Steve Grubb
2008-08-12 21:09 ` John Dennis
2008-08-12 21:24 ` Steve Grubb
2008-08-12 22:37 ` John Dennis [this message]
2008-08-13 0:33 ` Klaus Heinrich Kiwi
2008-08-13 15:09 ` Eric Paris
2008-08-13 16:25 ` Klaus Heinrich Kiwi
2008-08-13 17:02 ` Steve Grubb
2008-08-13 17:30 ` LC Bruzenak
2008-08-13 18:49 ` Linda Knippers
2008-08-13 19:58 ` John Dennis
2008-08-14 18:25 ` Stephen Smalley
2008-08-15 13:58 ` Matteo Michelini
2008-08-15 14:10 ` Steve Grubb
2008-08-15 15:27 ` Matteo Michelini
2008-08-15 14:15 ` Stephen Smalley
2008-08-13 16:29 ` John Dennis
2008-08-13 22:35 ` Casey Schaufler
2008-08-12 20:57 ` John Dennis
2008-08-12 21:18 ` Steve Grubb
2008-08-12 21:40 ` John Dennis
2008-08-12 21:53 ` Steve Grubb
2008-08-12 22:11 ` John Dennis
2008-08-12 22:46 ` Steve Grubb
2008-08-12 22:59 ` Eric Paris
-- strict thread matches above, loose matches on Subject: below --
2008-08-13 16:57 Jonathan Kelly
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48A210B0.1020404@redhat.com \
--to=jdennis@redhat.com \
--cc=bret.piatt@rackspace.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
--cc=wkelly@rackspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox