From: LC Bruzenak
Subject: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket
Date: Wed, 22 Oct 2014 15:34:24 -0500
Message-ID: <544814D0.6090709@magitekltd.com>
In-Reply-To: <1438858.gaYjDkNvLv@sifl>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 10/22/2014 03:06 PM, Paul Moore wrote:
>> > But it illustrates the point. There are tools that depend on an ordering and
>> > format. There are more programs than just ausearch that need to be
>> > considered if the fields change. For example, someone could do things like
>> > this:
>> >
>> > retval = auparse_find_field(au, "auid");
>> > retval = auparse_next_field(au);
>> > retval = auparse_next_field(au);
>> > retval = auparse_find_field(au, "res");
>> >
>> > Where, if the field ordering can't be guaranteed, the code becomes:
>> >
>> > retval = auparse_find_field(au, "auid");
>> > retval = auparse_first_field(au);
>> > retval = auparse_find_field(au, "pid");
>> > retval = auparse_first_field(au);
>> > retval = auparse_find_field(au, "uid");
>> > retval = auparse_first_field(au);
>> > retval = auparse_find_field(au, "res");
> In my mind the latter code is more robust and preferable.
>

OK; I swear if you change this I'm going to parse EVERY field straight
into a SQLite file first, since I'd have to go change code anyway. :-)

I have code which is based on the examples, from years back, which
believes there is order. It can be changed if needed; rather not but could.
I suspect there are others...

LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
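
The order-independent lookup discussed in the quoted text, as an added example that is not part of the original message and does not use libauparse. The function audit_field() and both sample records are constructed for illustration; it matches whole field names, so a request for "uid" never picks up the value of "auid", and it returns the same answer for either field order.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records: the same fields in two different orders. */
static const char REC_A[] = "pid=1234 uid=0 auid=1000 ses=3 comm=\"audit tool\" res=1";
static const char REC_B[] = "auid=1000 res=1 comm=\"audit tool\" uid=0 ses=3 pid=1234";

/* Hypothetical helper: find field `name` anywhere in a "k=v k=v ..." record.
 * Copies the value (surrounding double quotes stripped) into out.
 * Returns 0 on success, -1 if the field is absent or out is too small. */
int audit_field(const char *rec, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = rec;

    while (*p) {
        while (*p == ' ') p++;                    /* skip separators */
        const char *key = p;
        while (*p && *p != '=' && *p != ' ') p++;
        if (*p != '=') continue;                  /* bare token without a value */
        size_t klen = (size_t)(p - key);
        p++;                                      /* step over '=' */
        int quoted = (*p == '"');                 /* quoted values may hold spaces */
        if (quoted) p++;
        const char *val = p;
        while (*p && *p != (quoted ? '"' : ' ')) p++;
        size_t vlen = (size_t)(p - val);
        if (quoted && *p == '"') p++;
        /* Exact-length compare: "uid" must not match the tail of "auid". */
        if (klen == nlen && memcmp(key, name, nlen) == 0) {
            if (vlen >= outlen) return -1;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    char v[64];
    if (audit_field(REC_A, "uid", v, sizeof v) == 0) printf("A uid=%s\n", v);
    if (audit_field(REC_B, "uid", v, sizeof v) == 0) printf("B uid=%s\n", v);
    return 0;
}
```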