[PATCH] Fix acct quoting in audit_log_acct_message())

John Dennis jdennis at redhat.com
Tue Mar 4 20:29:10 UTC 2008


Steve Grubb wrote:
>  If there's no agreement with them, should we change anything? 
> auparse is working pretty good as is.

No it's not. The auparse approach is based on tables, tables which have 
been shown to be incorrect and tied to kernel versions and the patch set 
used to build that kernel version. Like it or not, audit data is and 
will be divorced from kernel versions. In fact audit data will derive 
from a mix of different kernel versions if the audit data is aggregated, 
which is the plan. In the current scheme there is no realistic way to 
process audit data from thousands of nodes all running different kernels 
in an enterprise wide auditing system.

Any scheme which requires knowing the kernel version and patch set to 
correctly read the data is broken. Attempts to cast this issue as 
pandering to userspace weenies are off the mark by a mile.
-- 
John Dennis <jdennis at redhat.com>



