missing avc message field names

Casey Schaufler casey at schaufler-ca.com
Tue Jan 30 18:45:20 UTC 2007


--- Joshua Brindle <jbrindle at tresys.com> wrote:


> This is fairly off topic here (selinux list) but I agree with Karl. As a
> recovering admin I think I can say that admins expect to be able to use
> various unix utilities to inspect log files, particularly tail -f. While
> I'm all for applications putting their data in private data formats and
> using tools and libraries to inspect them I think it is generally
> considered that everything in /var/log is fair game to inspect with
> anything available on systems (including perl, python, sed, awk, tail,
> grep, etc).
>
> You will certainly be rubbing most admins the wrong way by forcing them
> through a different interface that won't support some common commands
> like tail -f.
>
> There are probably hundreds of utilities that look through these files
> as well, what is going to happen when people try to add audit.log to a
> log watcher that emails logs to them? Huge binary dumps in email are
> going to make people turn off the audit daemon, not modify their apps to
> use different tools/libraries.

Based on the Unix experience I find myself
agreeing with this assessment. Binary (or
compressed) audit logs don't get read very
often. A mechanism like audit_filters(5) from
Irix makes the problem more manageable, but
the truth is that humans like their information
human readable. Disk space used to be a major
problem, and I/O bandwidth still is (you can
overwhelm any system with too much audit no
matter how optimal your audit data) but the
cost of translation-on-read is going to stop
most humans from ever doing it.


Casey Schaufler
casey at schaufler-ca.com
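The kind of plain-text inspection the thread takes for granted (grep, awk and tail -f over audit.log), as an added example that is not part of the original messages: a POSIX shell function that pulls the denied permission, the process and the source/target SELinux types out of AVC records by field name, run here over a constructed sample written in the key=value text layout auditd emits. The sample records and their values, and the function name avc_summary, are assumptions made for this example, not content from the thread.

```shell
#!/bin/sh
# Added example; not code from the original thread.
# Demonstrates the "everything in /var/log is fair game for awk/grep/tail"
# workflow on text-format audit records. The records below are CONSTRUCTED
# for this example (field layout follows auditd's text format, values are
# made up).

SAMPLE_LOG='type=AVC msg=audit(1170182720.101:1201): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=sda1 ino=4102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1170182720.101:1201): arch=c000003e syscall=2 success=no exit=-13 pid=2231 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1170182735.377:1202): avc:  denied  { write } for  pid=2240 comm="named" name="named.log" dev=sda1 ino=4410 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_summary: read audit records on stdin, keep only AVC records, and print
# one tab-separated line per record: serial, comm, permission(s), source
# type, target type. Fields are located by name, so record order and extra
# fields do not matter. Usable live as:
#   tail -f /var/log/audit/audit.log | avc_summary
avc_summary() {
    awk '
        $1 == "type=AVC" {
            serial = ""; comm = ""; perm = ""; stype = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^msg=audit\(/) {
                    # msg=audit(SECS.MSEC:SERIAL): -> SERIAL
                    serial = $i
                    sub(/^msg=audit\([0-9.]*:/, "", serial)
                    sub(/\):$/, "", serial)
                } else if ($i == "{") {
                    # { read write } -> read,write
                    perm = ""
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                } else if ($i ~ /^comm=/) {
                    comm = $i
                    sub(/^comm="?/, "", comm)
                    sub(/"$/, "", comm)
                } else if ($i ~ /^scontext=/) {
                    # user:role:type:level -> type (third component)
                    split(substr($i, 10), s, ":"); stype = s[3]
                } else if ($i ~ /^tcontext=/) {
                    split(substr($i, 10), t, ":"); ttype = t[3]
                }
            }
            printf "%s\t%s\t%s\t%s\t%s\n", serial, comm, perm, stype, ttype
        }
    '
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | avc_summary
```

Because the records are plain text, the same function works unchanged on a live file via tail -f, on a rotated copy via cat, or inside the mail-digest log watcher the quoted message worries about; a binary log would need a decoder in front of every one of those.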



