From: Paul Moore <pmoore@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
Eric Paris <eparis@redhat.com>,
linux-audit@redhat.com, linux-kernel@vger.kernel.org,
ebiederm@xmission.com, serge@hallyn.com, keescook@chromium.org
Subject: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket
Date: Sat, 11 Oct 2014 16:00:30 -0400 [thread overview]
Message-ID: <2723550.rc9Q06SjKl@sifl> (raw)
In-Reply-To: <20141011114206.44963cb3@ivy-bridge>

On Saturday, October 11, 2014 11:42:06 AM Steve Grubb wrote:
> On Tue, 07 Oct 2014 18:06:51 -0400
>
> Paul Moore <pmoore@redhat.com> wrote:
> > On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
> > > I also thought of moving audit_log_task() from auditsc.c to audit.c
> > > and using that. For that matter, both audit_log_task() and
> > > audit_log_task_info() could use audit_log_session_info(), but they
> > > are in slightly different order of keywords which will upset
> > > sgrubb's parser.
> >
> > A bit of an aside from the patch, but in my opinion the parser should
> > be made a bit more robust so that it can handle fields in any
> > particular order. I agree that having fields in a "canonical
> > ordering" is helpful, both for tools and people, but the tools
> > shouldn't require it in my opinion.
> >
> > Steve, why exactly can't the userspace parser handle fields in any
> > order? How difficult would it be to fix?
>
> The issue is that people that really use audit, really get vast
> quantities of logs. The tools expect things in a specific order so that
> they can pick things out of events as quickly as possible. IOW, it
> knows when it can discard the line because it's grabbed everything it
> needs. A casual audit user would never see this. I'm really optimizing
> for the people who use ausearch and it takes 10 minutes to run.
I understand you are catering to the "power user" here, but I don't see that
as an excuse for not being able to parse a well-formed name/value audit record
string if the order isn't exactly what you expect. I believe this will only
become more and more of a problem as things move forward. I think this is
something we need to fix soon.
Steve, would you be willing to fix the audit userspace parser so it can handle
fields in an arbitrary order? If not, would you be willing to accept patches
for the userspace that would accomplish this?
--
paul moore
security and virtualization @ redhat
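The parser question argued over in this reply (fields in a fixed order so that ausearch can discard a line early, versus a parser that accepts fields in any order) can be shown concretely. The following is an added example; it is not code from audit-userspace or from anyone in this thread. It assumes a simplified record grammar (key=value tokens, double- or single-quoted values, and the msg=audit(TIME:SERIAL): event header) and uses constructed sample lines, not real log output.

```python
"""Order-independent parser for Linux audit name=value records.

Added example, not audit-userspace code.  It tokenizes a record into
key=value fields in whatever order they appear, but can still stop
scanning as soon as every field the caller asked for has been seen,
which is the early-discard optimisation the thread attributes to
ausearch on very large logs.
"""
import re

# One field: key=value, where value is "double-quoted", 'single-quoted'
# (the nested msg='...' blob of user-space records) or a bare token.
# Values that would need escaping are hex-encoded by the kernel, so no
# escape handling is needed inside quotes.
_FIELD = re.compile(r"""
    (?P<key>[A-Za-z_][\w-]*)=          # field name
    (?:"(?P<dq>[^"]*)"                 # "double-quoted" value
      |'(?P<sq>[^']*)'                 # 'single-quoted' value
      |(?P<bare>\S+))                  # bare token
""", re.VERBOSE)

# Event header as written by the kernel: msg=audit(TIME:SERIAL):
_HEADER = re.compile(r"audit\((\d+\.\d+):(\d+)\):")


def iter_fields(record):
    """Yield (key, value, end_offset) for each field in a raw audit line.

    The header msg=audit(TIME:SERIAL): is split into 'time' and 'serial'
    so that the nested msg='...' of user-space records keeps the 'msg' key.
    """
    for m in _FIELD.finditer(record):
        key = m.group("key")
        value = m.group("dq")
        if value is None:
            value = m.group("sq")
        if value is None:
            value = m.group("bare")
            if key == "msg":
                h = _HEADER.fullmatch(value)
                if h:
                    yield "time", h.group(1), m.end()
                    yield "serial", h.group(2), m.end()
                    continue
        yield key, value, m.end()


def parse_record(record, wanted=None):
    """Return (fields, chars_consumed) for one record, in any field order.

    If `wanted` is a set of keys, scanning stops as soon as all of them
    have been seen; chars_consumed shows where the early exit happened.
    Duplicate keys keep the first occurrence.
    """
    fields = {}
    consumed = 0
    need = set(wanted) if wanted else None
    for key, value, end in iter_fields(record):
        fields.setdefault(key, value)
        consumed = end
        if need is not None:
            need.discard(key)
            if not need:
                break
    return fields, consumed


# Constructed sample records (not real log lines).  CANONICAL and
# SHUFFLED carry identical fields; only the order differs.
CANONICAL = ('type=SYSCALL msg=audit(1412700000.123:456): arch=c000003e '
             'syscall=59 success=yes exit=0 pid=4242 ppid=4200 auid=1000 '
             'uid=0 gid=0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"')
SHUFFLED = ('type=SYSCALL msg=audit(1412700000.123:456): ses=3 auid=1000 '
            'exe="/usr/bin/ls" comm="ls" pid=4242 uid=0 gid=0 ppid=4200 '
            'arch=c000003e syscall=59 success=yes exit=0 key="exec"')
USER_AUTH = ("type=USER_AUTH msg=audit(1412700001.001:457): pid=4300 uid=0 "
             "auid=1000 ses=3 msg='op=PAM:authentication acct=\"root\" "
             "exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/0 "
             "res=success'")


def same_fields(a, b):
    """True if two records carry the same fields regardless of order."""
    return parse_record(a)[0] == parse_record(b)[0]


def scanned_for(record, wanted):
    """How many characters the early-exit scan consumed for `wanted`."""
    return parse_record(record, wanted)[1]


if __name__ == "__main__":
    want = {"auid", "ses", "exe"}
    print("same fields:", same_fields(CANONICAL, SHUFFLED))
    print("scanned canonical:", scanned_for(CANONICAL, want), "of", len(CANONICAL))
    print("scanned shuffled: ", scanned_for(SHUFFLED, want), "of", len(SHUFFLED))
    nested = parse_record(parse_record(USER_AUTH)[0]["msg"])[0]
    print("nested acct:", nested["acct"], "res:", nested["res"])
```

The point of the example is that order independence and the early discard are not in tension: the scan stops as soon as the wanted set is empty wherever those fields happen to sit, so a record whose fields arrive in an unexpected order costs at most one pass over the line rather than a parse failure. The nested msg='...' of user-space records is handled by feeding the extracted value back through parse_record.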
Thread overview: 15+ messages
2014-10-07 18:23 [RFC][PATCH] audit: log join and part events to the read-only multicast log socket Richard Guy Briggs
2014-10-07 19:03 ` Eric Paris
2014-10-07 19:39 ` Richard Guy Briggs
2014-10-07 22:06 ` Paul Moore
2014-10-11 15:42 ` Steve Grubb
2014-10-11 20:00 ` Paul Moore [this message]
2014-10-21 16:41 ` Richard Guy Briggs
2014-10-21 19:56 ` Steve Grubb
2014-10-21 21:08 ` Richard Guy Briggs
2014-10-21 21:40 ` Steve Grubb
2014-10-21 22:30 ` Eric Paris
2014-10-21 23:14 ` Paul Moore
2014-10-22 1:18 ` Richard Guy Briggs
2014-10-21 22:30 ` Paul Moore
2014-10-22 1:24 ` Richard Guy Briggs