On Tuesday 04 March 2008 14:08:47 Miloslav Trmac wrote:
> Steve Grubb wrote:
>> On Tuesday 04 March 2008 13:10:48 Tomas Mraz wrote:
>> These are basically the parsing rules: the header was defined a long time
>> ago and it parses in its own way; once we hit msg=, everything is
>> name=value. We do this by repeatedly calling strtok.
> These rules discard valuable information in currently defined audit
> records - so either the record format or the parsing rules need to
> change.
Examples? There are going to be 2 types of problems you find: real bugs that
should be fixed, and ancillary text that helps people reading the logs from
vi. The ancillary text can probably be trimmed to help save disk space. Bugs
I'm all for fixing.
>> The biggest question to me is how you handle any transition from one
>> format to another. It will take time for patches to get upstream and then
>> back downstream. Meanwhile we could have audit logs being aggregated from
>> a couple different releases. They all need to parse correctly. How do we
>> handle that? I suspect the answer is to make the audit parser handle old
>> and new formats which adds a whole lot of code and makes it more
>> complicated.
> Not really. If, to handle the transition, we need to parse the old
> records to the new semantic format (name-value pairs or something else),
> that does indeed add a whole lot of code. But we need that code even
> if we stay with the old format simply to process the information.
Let's see what you find first as problems and see what we can do. We may be
able to make a few adjustments in various places that help everyone. For
example, I don't mind dropping a lot of punctuation like '():,'; this will
help conserve disk space.
-Steve
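The parsing rule Steve describes in the quoted text (header parsed its own way, then everything after msg= as name=value via strtok), written out as an added C illustration; this is not code from the audit project or from either poster. The sample record, the struct layout and the function names are constructed for the example, and a token without '=' is reported as an error rather than skipped, so that nothing is dropped silently.

```c
#include <string.h>
#define MAX_FIELDS 32
struct field { char *name; char *value; };
struct record {
    char buf[512];               /* private copy; strtok writes into it */
    char *type;                  /* value of the leading type= */
    char *msg;                   /* header token, e.g. audit(ts:serial): */
    struct field f[MAX_FIELDS];
    int nfields;
};

/* Constructed sample record; not taken from any real log. */
const char SAMPLE[] = "type=SYSCALL msg=audit(1204634927.123:456): "
                      "arch=c000003e syscall=2 success=yes exit=3 pid=1234 uid=0";

/* Header first (type=, msg=), then name=value fields split on whitespace
 * and '='.  Returns the field count, or -1 when the header is malformed or
 * a token has no '=': flagging such tokens instead of skipping them is what
 * keeps the parser from silently dropping information. */
int parse_record(const char *line, struct record *r)
{
    char *tok;
    memset(r, 0, sizeof *r);
    if (strlen(line) >= sizeof r->buf) return -1;
    strcpy(r->buf, line);
    tok = strtok(r->buf, " ");                     /* type=... */
    if (!tok || strncmp(tok, "type=", 5) != 0) return -1;
    r->type = tok + 5;
    tok = strtok(NULL, " ");                       /* msg=audit(...): */
    if (!tok || strncmp(tok, "msg=", 4) != 0) return -1;
    r->msg = tok + 4;
    while ((tok = strtok(NULL, " ")) != NULL) {    /* everything after msg= */
        char *eq = strchr(tok, '=');
        if (!eq || r->nfields == MAX_FIELDS) return -1;
        *eq = '\0';
        r->f[r->nfields].name = tok;
        r->f[r->nfields].value = eq + 1;
        r->nfields++;
    }
    return r->nfields;
}

/* Look up a parsed field by name; NULL when absent. */
const char *record_get(const struct record *r, const char *name)
{
    for (int i = 0; i < r->nfields; i++)
        if (strcmp(r->f[i].name, name) == 0) return r->f[i].value;
    return NULL;
}
```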