should I lose audit data if I only care about the record's fields?
Steve Grubb
sgrubb at redhat.com
Wed Nov 14 16:18:00 UTC 2007
On Wednesday 14 November 2007 10:24:46 klausk at br.ibm.com wrote:
> It seems like a field value cannot contain any spaces,
Correct. I've mentioned that many times in different code reviews. You can add
data to the field for human use, but it won't be associated with the field's
value directly.
> so the 'operation' specified by usermod should be something like
> 'op=adding-supplemental-group-to-user new_group=sys acct=klausk'.
Yes, if all that text is needed. Sometimes, though, a new record type should
be created to carry the meaning.
> But then again we have another issue: it's up to the application to choose
> the operation name, the field name and what it means - or if there is any
> field at all! This many degrees of freedom may mean hell to people who
> actually are trying to extract information from these records.
Exactly. The audit fields are a gentlemen's agreement. This is why I've added
specific audit logging functions: to try to enforce some kind of
reasonableness to it. But there are still fields that could get filled in
with spaces and make the parser not get it all.
> Standard formats, standard fields names with well-known meanings would
> certainly help.
That is what I've been trying to do with the audit logging functions. Some
people have complained about it. I guess they wanted freedom. But the logging
functions are the only way to guarantee that certain necessary fields get
recorded. I can't really do much about the content that gets recorded within
a field...
-Steve
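To make the point in this exchange concrete, here is an added example (not code from the thread or from the audit project) that parses records the way a naive name=value consumer does and shows what happens to an op= value written with spaces versus hyphens. The two records, the field names other than op/new_group/acct, and the "required fields" list are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records (not captured from a real system). They carry the
# two spellings of the usermod operation discussed above: spaces inside the
# op= value, and the hyphenated form that keeps the value a single token.
BAD_RECORD = ("type=USER_MGMT pid=1234 uid=0 "
              "op=adding supplemental group to user "
              "new_group=sys acct=klausk exe=/usr/sbin/usermod res=success")
GOOD_RECORD = ("type=USER_MGMT pid=1234 uid=0 "
               "op=adding-supplemental-group-to-user "
               "new_group=sys acct=klausk exe=/usr/sbin/usermod res=success")

# A field is name=value where the name is an identifier; the value runs to the
# end of the whitespace-delimited token, which is exactly why a space ends it.
FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*)=(.*)$")


def parse_record(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a record on whitespace and collect name=value tokens as fields.

    Tokens that are not name=value are returned as orphans instead of being
    silently discarded, so the caller can see what the producer lost by
    putting spaces in a value.
    """
    fields: Dict[str, str] = {}
    orphans: List[str] = []
    for tok in line.split():
        m = FIELD_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            orphans.append(tok)
    return fields, orphans


def missing_fields(fields: Dict[str, str], required: List[str]) -> List[str]:
    """Return the names in `required` that the record did not carry.

    This is the consumer-side half of the "gentlemen's agreement": a record
    type is only useful to a report if the fields the report keys on are
    guaranteed to be present.  The required list is an assumption for this
    example, not a rule from the audit project.
    """
    return [name for name in required if name not in fields]


if __name__ == "__main__":
    for label, rec in (("spaces", BAD_RECORD), ("hyphens", GOOD_RECORD)):
        fields, orphans = parse_record(rec)
        print(f"{label}: op={fields.get('op')!r} orphans={orphans}")
        print("  missing:", missing_fields(fields, ["op", "acct", "new_group"]))
```

With the spaced value the parser keeps only `op=adding` and the rest of the phrase becomes four stray tokens that no longer belong to any field; with the hyphenated value the whole operation name survives as one field and nothing is orphaned. If a value genuinely has to carry spaces, libaudit's `audit_encode_nv_string()` hex-encodes it so that it still fits in one token, which is the mechanism the logging functions mentioned above rely on.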