Using the audit system for non-security events

Casey Schaufler rancidfat at yahoo.com
Wed May 28 21:24:45 UTC 2008


--- Klaus Heinrich Kiwi <klausk at linux.vnet.ibm.com> wrote:

> On Tue, 2008-05-27 at 14:08 -0400, Eric Paris wrote:
> > I want thoughts on such a proposal.  Obviously I'm going to have to put
> > some real thought/care into how to handle 'overlapping' rules between
> > security and non-security and stuff like that, but as a general idea
> > what do people think?

In theory I'm behind this 100%.

> At the risk of sounding like "we should take over the world", I think it
> actually should be a good thing to have more users relying on the audit
> subsystem, so I liked the idea.

In practice, we tried this very thing in a Unix system (that you
can still buy, but not for too much longer). We convinced the people
implementing advanced resource accounting to do so by adding audit
record types with the information they required. Simple, clean,
saved them about a year on their development time.

Of course, just before the feature was to be released some joker
came along and insisted that the "overhead" of including audit "just
to do accounting" was ruinous. They threw away that implementation
and did a new infrastructure from scratch that was slow, buggy, and
consumed far more resources than the audit based implementation,
but that didn't meet their requirements. Needless to say, the original
audit based implementation was blamed for these problems.

My practical advice is to discourage the use of the audit system
for anything except security audit trails. People who don't do
security tend to have a hard time dealing with the reliability
and data rate requirements that drive the design of an audit
system, and will fix* critical audit system behaviors to better
suit other needs.

> Previously, on this same mailing list, we once discussed using
> fields to route records across different systems. Perhaps it's time for
> us to have a real look at a more generic solution for this? (Not that
> I'm against adding another field, but since record routing is necessary
> for several reasons, wouldn't it be desirable to have the right
> infrastructure in place to handle those, say, in auditctl?)

----
* fix - in the veterinary sense of the word.


Casey Schaufler
casey at schaufler-ca.com




More information about the Linux-audit mailing list