List:       linux-audit
Subject:    Re: should I loose audit data if I only care about the record's
From:       Steve Grubb <sgrubb () redhat ! com>
Date:       2007-11-14 16:18:00
Message-ID: 200711141118.01035.sgrubb () redhat ! com

On Wednesday 14 November 2007 10:24:46 klausk@br.ibm.com wrote:
> It seems like a field value cannot contain any spaces,

Correct. I've mentioned that many times in different code reviews. You can add 
data to the field for human use, but it won't be associated with the field's 
value directly.

> so the 'operation' specified by usermod should be something like
> 'op=adding-supplemental-group-to-user new_group=sys acct=klausk'.

Yes, if all that text is needed. Sometimes, though, a new record type should 
be created to carry the meaning.

> But then again we have another issue: it's up to the application to choose
> the operation name, the field name and what it means - or if there is any
> field at all! This many degrees of freedom may mean hell to people who
> actually are trying to extract information from these records.

Exactly. The audit fields are a gentlemen's agreement. This is why I've added 
specific audit logging functions: to try to enforce some kind of 
reasonableness to it. But, there are still fields that could get filled in 
with spaces and make the parser not get it all.

> Standard formats, standard fields names with well-known meanings would
> certainly help.

That is what I've been trying to do with the audit logging functions. Some 
people have complained about it. I guess they wanted freedom. But the logging 
functions are the only way to guarantee that certain necessary fields get 
recorded. I can't really do much about the content that gets recorded within 
a field...

-Steve
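
The parsing failure discussed above, shown with a small key=value tokenizer. This is an added example, not code from the thread or from the audit project; the records are constructed, and the tokenizer is a simplified stand-in for whatever a real consumer of audit logs uses.

```python
import re
from typing import Dict, List, Tuple

# Constructed records (not real audit output). The first carries the
# human-readable operation text with spaces; the second uses the hyphenated
# form suggested in the thread.
BAD_RECORD = ("type=USER_MGMT msg=audit(1195057486.123:45): pid=4242 uid=0 "
              "op=adding supplemental group to user new_group=sys acct=klausk "
              "exe=\"/usr/sbin/usermod\" res=success")
GOOD_RECORD = ("type=USER_MGMT msg=audit(1195057486.123:45): pid=4242 uid=0 "
               "op=adding-supplemental-group-to-user new_group=sys acct=klausk "
               "exe=\"/usr/sbin/usermod\" res=success")

# One field: key=value, where value is "...", '...' or a run of non-space
# characters. A value therefore ends at the first unquoted space.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S*)')


def parse_record(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split an audit record into fields the way a space-delimited parser
    would. Returns (fields, orphans): orphans are the tokens between fields
    that carry no 'key=' and so cannot be attached to any field."""
    fields: Dict[str, str] = {}
    orphans: List[str] = []
    pos = 0
    for m in _FIELD.finditer(line):
        orphans.extend(line[pos:m.start()].split())
        fields[m.group(1)] = m.group(2).strip('"\'')
        pos = m.end()
    orphans.extend(line[pos:].split())
    return fields, orphans


def safe_value(value: str) -> str:
    """Rewrite an application-chosen value so that it stays attached to its
    field: collapse internal whitespace to '-' (the form used in the thread)."""
    return re.sub(r"\s+", "-", value.strip())


if __name__ == "__main__":
    for rec in (BAD_RECORD, GOOD_RECORD):
        fields, orphans = parse_record(rec)
        print("op =", repr(fields["op"]), "| lost tokens:", orphans)
```

Running it shows `op` reduced to `'adding'` for the first record, with the remaining words unattached, while the hyphenated record keeps the whole operation in the field.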
