Re: missing avc message field names
--- Joshua Brindle <jbrindle(a)tresys.com> wrote:
This is fairly off topic here (selinux list) but I
agree with Karl. As a
recovering admin I think I can say that admins
expect to be able to use
various unix utilities to inspect log files,
particularly tail -f. While
I'm all for applications putting their data in
private data formats and
using tools and libraries to inspect them I think it
is generally
considered that everything in /var/log is fair game
to inspect with
anything available on systems (including perl,
python, sed, awk, tail,
grep, etc).
You will certainly be rubbing most admins the wrong
way by forcing them
through a different interface that won't support
some common commands
like tail -f.
There are probably hundreds of utilities that look
through these files
as well, what is going to happen when people try to
add audit.log to a
log watcher that emails logs to them? Huge binary
dumps in email are
going to make people turn off the audit daemon, not
modify their apps to
use different tools/libraries.
Based on the Unix experience I find myself
agreeing with this assessment. Binary (or
compressed) audit logs don't get read very
often. A mechanism like audit_filters(5) from
Irix makes the problem more manageable, but
the truth is that humans like their information
human readable. Disk space used to be a major
problem, and I/O bandwidth still is (you can
overwhelm any system with too much audit no
matter how optimal your audit data) but the
cost of translation-on-read is going to stop
most humans from ever doing it.
Casey Schaufler
casey(a)schaufler-ca.com