On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote: > #3 - modify the standard auparse() test code. And this patch is applied. Thanks, Burn, for all the patches! This will make analytical programs much more accurate since interlaced records won't split an event up any more. If anyone wants to try out the new audit code from svn please send any feedback asap. (Same with other bug reports.) I am aiming for a release in the next 2 days. I just have to finish working on Richard's audit by process name patch and then its time to release a new package. -Steve

On Friday, January 08, 2016 10:05:13 AM Burn Alting wrote: > Steve, > > Can I suggest you modify src/ausearch-lol.c:check_events() to add in the > AUDIT_PROCTITLE check (will reduce memory overhead as events will be > flushed faster). OK. Good suggestion. The SVN repo has been updated. > Also can we ask Richard put a comment into the appropriate location in > the kernel code to indicate the link between ausearch/aurport/auparse > depending on AUDIT_PROCTITLE being the last record of an event if > present. I'll let them answer.

That said one of the things I want to add in the next development cycle is the ability to get rid of proctitle records if the admin wants to. They waste a lot of space. But if they are missing then we have the same performance as we did before I added this patch.

> On Thu, 2016-01-07 at 17:31 -0500, Steve Grubb wrote: > > On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote: > > > #3 - modify the standard auparse() test code. > > > > And this patch is applied. Thanks, Burn, for all the patches! This will > > make analytical programs much more accurate since interlaced records > > won't split an event up any more. > > > > If anyone wants to try out the new audit code from svn please send any > > feedback asap. (Same with other bug reports.) I am aiming for a release in > > the next 2 days. I just have to finish working on Richard's audit by > > process name patch and then its time to release a new package.

On Thu, 2016-01-07 at 22:06 -0500, Paul Moore wrote: > On January 7, 2016 6:47:02 PM Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > > > On Friday, January 08, 2016 10:05:13 AM Burn Alting wrote: > >> Steve, > >> > >> Can I suggest you modify src/ausearch-lol.c:check_events() to add in the > >> AUDIT_PROCTITLE check (will reduce memory overhead as events will be > >> flushed faster). > > > > OK. Good suggestion. The SVN repo has been updated. > > > > > >> Also can we ask Richard put a comment into the appropriate location in > >> the kernel code to indicate the link between ausearch/aurport/auparse > >> depending on AUDIT_PROCTITLE being the last record of an event if > >> present. > > > > I'll let them answer. > > Good thing I happened to read this message, I had stopped reading this > thread... > > I really dislike comment only patches and I really, really dislike the > fixed format fields/records/etc. that permeates so much of audit these > days. I'll reserve final judgement for if/when any patches are posted, but > just to be clear, I'm not very excited about stuff like this. This is just a request to the kernel audit team, to note that the user level audit capability is making use of the AUDIT_PROCTITLE record to be an end of event marker. If you believe this is an unacceptable risk for downstream processing, then we can take this out and hence withdraw the request. The alternative is to maintain status quo, and/or optionally emit the AUDIT_EOE record into the stored audit and be done with it, and accept the storage cost.

I wholeheartedly agree about the challenges we have with respect to the current format of the audit events emitted by the kernel. I spend a lot of effort converting the unstructured, sometimes inconsistently displayed events into more structured data. I believe the way forward is to define a more correct, efficient AND extensible output form for the kernel. On the user space side, we assist the existing consumers of our audit data (our customers so to speak) by providing a legacy audispd plugin to take the 'refined' data and format it into the current 'mash-up'. To assist this interim measure/plugin, and state that is IS interim, when converting the kernel code to emit a record, ensure our new method can record the old/legacy format in some way. The legacy formatting should be able to be compiled out.