[RFC][PATCH] audit: log join and part events to the read-only multicast log socket

Paul Moore pmoore at redhat.com
Sat Oct 11 20:00:30 UTC 2014 

On Saturday, October 11, 2014 11:42:06 AM Steve Grubb wrote:
> On Tue, 07 Oct 2014 18:06:51 -0400
> 
> Paul Moore <pmoore at redhat.com> wrote:
> > On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
> > > I also thought of moving audit_log_task() from auditsc.c to audit.c
> > > and using that.  For that matter, both audit_log_task() and
> > > audit_log_task_info() could use audit_log_session_info(), but they
> > > are in slightly different order of keywords which will upset
> > > sgrubb's parser.
> > 
> > A bit of an aside from the patch, but in my opinion the parser should
> > be made a bit more robust so that it can handle fields in any
> > particular order.  I agree that having fields in a "canonical
> > ordering" is helpful, both for tools and people, but the tools
> > shouldn't require it in my opinion.
> > 
> > Steve, why exactly can't the userspace parser handle fields in any
> > order?  How difficult would it be to fix?
> 
> The issue is that people that really use audit, really get vast
> quanities of logs. The tools expect things in a specific order so that
> it can pick things out of events as quickly as possible. IOW, it
> knows when it can discard the line because its grabbed everything it
> needs. A casual audit user would never see this. I'm really optimizing
> for the people whose use ausearch and it takes 10 minutes to run.

I understand you are catering to the "power user" here, but I don't see that 
as an excuse for not being able to parse well formed name/value audit record 
string if the order isn't exactly what you expect.  I believe this will only 
become more and more of a problem as things move forward.  I think this is 
something we need to fix soon.

Steve, would you be willing to fix the audit userspace parser so it can handle 
fields in an arbitrary order?  If not, would you be willing to accept patches 
for the userspace that would accomplish this?

-- 
paul moore
security and virtualization @ redhat

More information about the Linux-audit mailing list