[PATCH] Fix acct quoting in audit_log_acct_message()

Miloslav Trmac mitr at redhat.com
Tue Mar 4 19:08:47 UTC 2008


Steve Grubb wrote:
> On Tuesday 04 March 2008 13:10:48 Tomas Mraz wrote:
> This is basically the parsing rules: The header was defined a long time ago.
> It parses in its own way; once we hit msg=, everything is name=value. We do
> this by repeatedly calling strtok.
These rules discard valuable information in currently defined audit 
records - so either the record format or the parsing rules need to 
change.  That's unavoidable.

> The biggest question to me is how you handle any transition from one format to 
> another. It will take time for patches to get upstream and then back 
> downstream. Meanwhile we could have audit logs being aggregated from a couple 
> different releases. They all need to parse correctly. How do we handle that? 
> I suspect the answer is to make the audit parser handle old and new formats 
> which adds a whole lot of code and makes it more complicated.
Not really.  If, to handle the transition, we need to parse the old 
records to the new semantic format (name-value pairs or something else), 
that does indeed add a whole lot of code.   But we need that code even 
if we stay with the old format simply to process the information.

Once we have the code to translate old records to a new, well-defined 
semantic format, modifying the code that generates the records to use a 
well-defined textual representation of the new semantic format requires 
only trivial (even if extensive) code modifications, and it is 
transparent to libauparse users.  Applications that don't use libauparse 
can be best adapted by porting them to use libauparse; then we can even 
port the record-generating code incrementally over time, because the 
applications won't be able to tell the difference.
	Mirek
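
The information loss discussed above, shown as an added example (not part of the original message and not code from the audit project): a strtok-style name=value lookup beside a quote-aware one, run over constructed record bodies. The space delimiter, the sample fields and the function names `lookup_strtok` and `lookup_quoted` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed record bodies (the text after msg=), not from a real log. */
static const char QUOTED[]   = "op=login acct=\"john smith\" res=failed";
static const char UNQUOTED[] = "op=login acct=john smith res=failed";

/* strtok rule: split on spaces (assumed delimiter), then match name=. */
int lookup_strtok(const char *rec, const char *name, char *out, size_t n)
{
    char buf[256];
    size_t nlen = strlen(name);
    snprintf(buf, sizeof buf, "%s", rec);      /* strtok modifies its input */
    for (char *t = strtok(buf, " "); t; t = strtok(NULL, " "))
        if (strncmp(t, name, nlen) == 0 && t[nlen] == '=') {
            snprintf(out, n, "%s", t + nlen + 1);
            return 1;
        }
    return 0;
}

/* Quote-aware rule: a value opening with '"' runs to the closing quote. */
int lookup_quoted(const char *rec, const char *name, char *out, size_t n)
{
    size_t nlen = strlen(name);
    for (const char *p = rec; *p; ) {
        p += strspn(p, " ");
        size_t klen = strcspn(p, "= ");        /* length of the field name */
        if (p[klen] != '=') { p += klen; continue; }   /* bare word, no value */
        int q = (p[klen + 1] == '"');
        const char *v = p + klen + 1 + q;      /* start of the value */
        size_t vlen = strcspn(v, q ? "\"" : " ");
        if (klen == nlen && strncmp(p, name, nlen) == 0) {
            snprintf(out, n, "%.*s", (int)vlen, v);
            return 1;
        }
        p = v + vlen + (q && v[vlen] == '"');  /* step past the closing quote */
    }
    return 0;
}

int main(void)
{
    char a[64], b[64], c[64];
    lookup_strtok(QUOTED, "acct", a, sizeof a);
    lookup_quoted(QUOTED, "acct", b, sizeof b);
    lookup_quoted(UNQUOTED, "acct", c, sizeof c);
    printf("strtok: [%s]\nquoted: [%s]\nunquoted: [%s]\n", a, b, c);
    return 0;
}
```

The unquoted record loses the second word of the account name under both rules, so a quote-aware parser only helps once the code that generates the record quotes the value.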



