missing avc message field names
Casey Schaufler
casey at schaufler-ca.com
Tue Jan 30 18:45:20 UTC 2007
--- Joshua Brindle <jbrindle at tresys.com> wrote:
> This is fairly off topic here (selinux list) but I agree with Karl. As a recovering admin I think I can say that admins expect to be able to use various unix utilities to inspect log files, particularly tail -f. While I'm all for applications putting their data in private data formats and using tools and libraries to inspect them, I think it is generally considered that everything in /var/log is fair game to inspect with anything available on systems (including perl, python, sed, awk, tail, grep, etc).
>
> You will certainly be rubbing most admins the wrong way by forcing them through a different interface that won't support some common commands like tail -f.
>
> There are probably hundreds of utilities that look through these files as well; what is going to happen when people try to add audit.log to a log watcher that emails logs to them? Huge binary dumps in email are going to make people turn off the audit daemon, not modify their apps to use different tools/libraries.
Based on the Unix experience I find myself agreeing with this assessment. Binary (or compressed) audit logs don't get read very often. A mechanism like audit_filters(5) from Irix makes the problem more manageable, but the truth is that humans like their information human readable. Disk space used to be a major problem, and I/O bandwidth still is (you can overwhelm any system with too much audit no matter how optimal your audit data), but the cost of translation-on-read is going to stop most humans from ever doing it.
Casey Schaufler
casey at schaufler-ca.com