Re: Using the audit system for non-security events

--- Klaus Heinrich Kiwi <klausk(a)linux.vnet.ibm.com&gt; wrote: In theory I'm behind this 100%. In practice, we tried this very thing in a Unix system (that you can still buy, but not for too much longer). We convinced the people implementing advanced resource accounting to do so by adding audit record types with the information they required. Simple, clean, saved them about a year on their development time. Of course, just before the feature was to be released some joker came along and insisted that the "overhead" of including audit "just to do accounting" was ruinous. They threw away that implementation and did a new infrastructure from scratch that was slow, buggy, and consumed far more resources than the audit based implementation, but that didn't meet their requirements. Needless to say, the original audit based implementation was blamed for these problems. My practical advice is to discourage the use of the audit system for anything except security audit trails. People who don't do security tend to have a hard time dealing with the reliability and data rate requirements that drive the design of an audit system, and will fix* critical audit system behaviors to better suit other needs. ---- * fix - in the veterenary sense of the word. Casey Schaufler casey(a)schaufler-ca.com