From: Steve Grubb
Subject: Re: [PATCH] audit: use audit_log_task_info in audit_core_dumps and __audit_seccomp
Date: Tue, 14 Jan 2014 14:09:57 -0500
To: Richard Guy Briggs
Cc: linux-audit@redhat.com

On Tuesday, January 14, 2014 02:07:26 PM Richard Guy Briggs wrote:
> On 14/01/14, Steve Grubb wrote:
> > On Monday, January 13, 2014 09:56:35 PM Eric Paris wrote:
> > > It seems that reusing the task info pattern throughout records should
> > > allow for faster simpler more streamlined userspace records parsing, but
> > > changing order like this might be a deal breaker.
> >
> > Have you tried using the ausearch test suite? I published it so that it
> > can be found out what all these patches will do to the stability of user
> > space. I'd delete your logs, reboot into test kernel, generate as many
> > kinds of events as possible, then extract the logs and test with the test
> > suite.
>
> Do you have a script of rules and a script of commands to accomplish the
> "generate as many kinds of events as possible"?

Nope. But it's very important to make sure all events are well formed and
searchable by existing tools.

-Steve