[PATCH] Fix acct quoting in audit_log_acct_message())

Steve Grubb sgrubb at redhat.com
Tue Mar 4 19:28:57 UTC 2008


On Tuesday 04 March 2008 14:08:47 Miloslav Trmac wrote:
> Steve Grubb napsal(a):
> > On Tuesday 04 March 2008 13:10:48 Tomas Mraz wrote:
> > This is basically the parsing rules: The header was defined a long time
> > ago. It parses in its own way; once we hit msg=, everything is
> > name=value. We do this by repeatedly calling strtok.
>
> These rules discard valuable information in currently defined audit
> records - so either the record format or the parsing rules need to
> change.

Examples? There are going to be two types of problems you find: real bugs that
should be fixed, and ancillary text that helps people reading the logs from
vi. The ancillary text can probably be trimmed to help save disk space. Bugs
I'm all for fixing.


> > The biggest question to me is how you handle any transition from one
> > format to another. It will take time for patches to get upstream and then
> > back downstream. Meanwhile we could have audit logs being aggregated from
> > a couple different releases. They all need to parse correctly. How do we
> > handle that? I suspect the answer is to make the audit parser handle old
> > and new formats which adds a whole lot of code and makes it more
> > complicated.
>
> Not really.  If, to handle the transition, we need to parse the old
> records to the new semantic format (name-value pairs or something else),
> that does indeed add a whole lot of code.   But we need that code even
> if we stay with the old format simply to process the information.

Let's see what you find first as problems and see what we can do. We may be
able to make a few adjustments in various places that help everyone. For
example, I don't mind dropping a lot of punctuation like '():,'; this will
help conserve disk space.

-Steve
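
The parsing rules quoted above (header handled on its own, then name=value pairs pulled out with strtok) are what make the acct quoting in the subject line matter. The following is an added illustration, not code from the audit project or from anyone in this thread: it parses one constructed record (an assumption; the page only sketches the format) with a strtok-on-spaces lookup and with a quote-aware lookup, and shows that the first one silently loses the second half of a quoted acct value while the second keeps it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample record (an assumption, not from the page): the page only says
 * the header parses its own way and that everything after msg= is name=value. */
static const char SAMPLE[] = "type=USER_ACCT msg=audit(1204658937.123:456): "
                             "pid=1234 uid=0 acct=\"john doe\" res=success";

/* strtok-on-spaces lookup of `want`: after the msg= token every token is name=value.
 * A quoted value containing a space is cut at the space; its tail has no '=' and is lost. */
int lookup_strtok(const char *rec, const char *want, char *out, size_t outsz)
{
    char buf[256]; int body = 0; size_t wl = strlen(want);
    snprintf(buf, sizeof buf, "%s", rec);                       /* strtok writes into its input */
    for (char *t = strtok(buf, " "); t; t = strtok(NULL, " ")) {
        if (!body) { body = strncmp(t, "msg=", 4) == 0; continue; }
        if (strncmp(t, want, wl) == 0 && t[wl] == '=') { snprintf(out, outsz, "%s", t + wl + 1); return 1; }
    }
    return 0;
}

/* Quote-aware lookup: a value that opens with '"' runs to the closing '"', spaces included. */
int lookup_quoted(const char *rec, const char *want, char *out, size_t outsz)
{
    const char *p = strstr(rec, "msg="); size_t wl = strlen(want);
    if (!p || !(p = strchr(p, ' '))) return 0;                  /* body starts after msg=...: */
    while (*p) {
        while (*p == ' ') p++;
        const char *nm = p, *v, *end;
        while (*p && *p != ' ' && *p != '=') p++;
        if (*p != '=') continue;                                /* bare word, not name=value */
        size_t nl = p - nm; v = ++p;
        if (*v == '"') { if (!(end = strchr(++v, '"'))) return 0; p = end + 1; }
        else { if (!(end = strchr(v, ' '))) end = v + strlen(v); p = end; }
        if (nl == wl && strncmp(nm, want, wl) == 0) { snprintf(out, outsz, "%.*s", (int)(end - v), v); return 1; }
    }
    return 0;
}

/* The named field of SAMPLE as each parser sees it (NULL when the parser never finds it). */
const char *sample_field(int quote_aware, const char *name)
{
    static char out[64];
    int ok = quote_aware ? lookup_quoted(SAMPLE, name, out, sizeof out)
                         : lookup_strtok(SAMPLE, name, out, sizeof out);
    return ok ? out : NULL;
}
```

Header fields such as type= are never reached by either lookup, matching the "header parses its own way" rule; a main that prints sample_field(0, "acct") and sample_field(1, "acct") shows the truncated and the intact value side by side.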
