On Fri, Oct 05, 2007 at 11:11:27AM -0400, Eric Paris wrote:
My belief is that the solution to this problem is to allow audit to
break individual arguments down to a size <8k. I guess my syntax would
be something like
a0[0]=(first 8k of a single huge argument)
a0[1]=(second 8k of a single huge argument)
[...]
who has a problem with that syntax? will userspace puke?
I'm a bit worried about special audit record formats that aren't
generally seen in normal operation, since that's an obstacle to
testability. The ASCII audit format encourages an ad-hoc parsing
approach, and it's likely that tools other than the shipped ones won't be
able to handle this and will break unexpectedly, possibly offering
avenues to hide events with unusual records. (I know that people are
supposed to use the parsing library, but they aren't being forced to.)
Would there be a clean way to handle this kind of reassembly in auditd to
ensure that the on-disk record will continue to be in the currently
documented format? Or is there a way to strongly encourage people to keep
their hands off the raw audit logs and use documented interfaces that
take care of the conversions?
-Klaus