[RFC][PATCH] audit: log join and part events to the read-only multicast log socket

Paul Moore pmoore at redhat.com
Thu Oct 23 19:15:32 UTC 2014 

On Wednesday, October 22, 2014 05:18:37 PM Steve Grubb wrote:
> On Wednesday, October 22, 2014 05:00:03 PM Paul Moore wrote:
> > On Wednesday, October 22, 2014 04:39:49 PM Steve Grubb wrote:
> > > Except you can have problems when the event is like this
> > > auid= pid= old uid= new uid= res=
> > 
> > I honestly don't see the problem here.
> 
> You'll never get new uid which is really the one you want.

Once again, I honestly don't see the problem here as I think we should be able 
to write a parser to handle this.
 
> > > > I disagree about the priority.  Eric disagrees about the priority.
> > > > Richard hasn't explicitly stated he disagrees with the priority but he
> > > > has  made several comments on this list about ordering being an issue
> > > > (Richard, my apologies if I am putting words in your mouth).
> 
> I thought it was a question of what to put in an event.

It is an issue of code reuse/duplication and how the fixed field ordering is 
turning the kernel code into a mess.

> > > What events do people need to change and why? There's not been any
> > > discussion that I know of saying we need to add fields or change them
> > > around.
> > 
> > See the earlier comments on Richard's patch.
> 
> He's making a new event. Its not changing things around.

See above.

> > > > What would we need to change in the userspace to eliminate the
> > > > reliance on field ordering?
> > > 
> > > Many of the utilities. ausyscall & autrace might be the only ones not
> > > affected.
> > 
> > So we would need to change ausyscall and autrace, possibly others.
> 
> Exactly the opposite, those are about the only ones clean because they are
> the only ones not parsing logs.

Gotcha, I misread that sentence.

> > Do you expect to need any changes to the deamon or audit libraries?
> 
> Not the daemon or library directly for this. But if you want to look into
> this, you'll need some really big logs for testing. You'll need at least
> 100MB to see performance variations. If we can keep performance reasonably
> close, I'd take patches. I know it will be slower.

Define "reasonably close".  Also, do you have any "really big" logs you use 
for testing?

-- 
paul moore
security and virtualization @ redhat

More information about the Linux-audit mailing list