Re: New draft standards

On Tue, 08 Dec 2015 19:28:22 -0500 Paul Moore <paul(a)paul-moore.com&gt; wrote: > Okay, let's not call these "standards" and just stick with > "specifications". The term standards has all sorts of connotations > associated with it, both good and bad, and I think we should be clear > when we start talking with other developers. I think it would also > be *very* helpful if you could explain the motivation behind these > specs so we understand what problems you are trying to solve and what > requirements you are trying to meet; you talk about this a bit in the > conclusion, but more background would be nice. > > Another nit-picky comment, in the future I would suggest sending the > specs inline in your mail; I think it was updated 6 times between my email and your's. :-) The link means you review a doc that already is fixed in a number of ways before your info.

> Anyway, on to your docs ... > > * https://people.redhat.com/sgrubb/audit/system-lifecycle.txt > > > System Lifecycle Auditing > > ========================= > > This document will go over the events that are associated with > > starting up a system and shutting it down. Knowing what events make > > up these actions allows an analytical application to know the > > boundaries of all sessions and actions a user may perform. It also > > allows identification of crashed systems or malfunctioning > > services. The following table lists the events that make up the > > system lifecycle in the audit trail: > > > > AUDIT_SYSTEM_BOOT - System boot > > AUDIT_SYSTEM_RUNLEVEL - System runlevel change > > AUDIT_DAEMON_START - Audit daemon startup record > > AUDIT_DAEMON_ABORT - Audit daemon error stop record > > AUDIT_SERVICE_START - Service (daemon) start > > AUDIT_SERVICE_STOP - Service (daemon) stop > > AUDIT_SYSTEM_SHUTDOWN - System shutdown > > AUDIT_DAEMON_END - Audit daemon normal stop record > > Why both an AUDIT_DAEMON_ABORT and an AUDIT_DAEMON_END and not just > an AUDIT_DAEMON_STOP with a field to indicate if it was a normal > shutdown or a failure as outlined in the spec? This is documenting historical behavior that has not changed. Originally, the event type held more weight about what was happening to the system. I think there's a few more details for this particular event, but that is the main reason.

> > Audit Event Enrichment > > ====================== > > > > There are times when the audit events are stored in another machine > > and need to be searched at a later date. Some parts of the audit > > event are temporally limited in duration or unique to a system. > > This makes interpretting fields that are numbers into human > > readable fields hard or impossible without running a report at the > > time of the event or on the machine the event occurred on. > > > > To address this issue, the audit daemon will get a new mode, > > enrich, where the audit trail will be amended as follows at the > > time an event is logged: > > > > 1) Translations will be: > > a) appended to the end of the event with the field's name in > > > > capital letters > > Please no, let's leave field names case insensitive, perhaps an > agreed upon suffix, e.g. "-trans"? This is solving multiple issues. Grep auid would also hit auid-trans.

Also, there are a number of strstr in various bits of code.

So, changing to upper case blocks all lower case searches using case sensitive constructs.