Date: Sat, 11 Oct 2014 11:42:06 -0400
From: Steve Grubb
To: Paul Moore
Cc: Richard Guy Briggs, Eric Paris, linux-audit@redhat.com, linux-kernel@vger.kernel.org, ebiederm@xmission.com, serge@hallyn.com, keescook@chromium.org
Subject: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket
Organization: Red Hat

On Tue, 07 Oct 2014 18:06:51 -0400 Paul Moore wrote:
> On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
> > I also thought of moving audit_log_task() from auditsc.c to audit.c
> > and using that. For that matter, both audit_log_task() and
> > audit_log_task_info() could use audit_log_session_info(), but they
> > are in slightly different order of keywords which will upset
> > sgrubb's parser.
>
> A bit of an aside from the patch, but in my opinion the parser should
> be made a bit more robust so that it can handle fields in any
> particular order. I agree that having fields in a "canonical
> ordering" is helpful, both for tools and people, but the tools
> shouldn't require it in my opinion.
>
> Steve, why exactly can't the userspace parser handle fields in any
> order? How difficult would it be to fix?
The issue is that people who really use audit really get vast quantities of logs. The tools expect things in a specific order so that they can pick things out of events as quickly as possible. IOW, it knows when it can discard the line because it's grabbed everything it needs. A casual audit user would never see this. I'm really optimizing for the people who use ausearch and it takes 10 minutes to run.

-Steve
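The trade-off Steve describes (stopping the scan of a record as soon as every needed field has been grabbed, which only pays off when the fields come in a known order) can be seen in a small order-independent extractor. This is an added illustration, not code from this thread or from audit-userspace; the records and the wanted field set are constructed for the example.

```python
"""Order-independent audit field extraction with early exit.

Added illustration (not audit-userspace code): pull a fixed set of
key=value fields out of one audit record regardless of field order,
and stop scanning as soon as every wanted field has been seen. With
the canonical order the scan ends early; with another order it has to
run to the end of the line but still yields the same result.
"""
import re
from typing import Dict, Iterable, Tuple

# key=value pairs; a value is either a double-quoted string or a run of
# non-space characters (audit hex-encodes strings that contain spaces).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def extract_fields(record: str, wanted: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Return ({field: value}, tokens_scanned) for the wanted fields.

    The scan stops once every wanted field has been collected, so the
    token count depends on field order while the result does not.
    """
    pending = set(wanted)
    found: Dict[str, str] = {}
    scanned = 0
    for match in FIELD_RE.finditer(record):
        scanned += 1
        key, value = match.group(1), match.group(2)
        if key in pending:
            found[key] = value.strip('"')
            pending.discard(key)
            if not pending:
                break  # everything needed is grabbed; discard the rest of the line
    return found, scanned


# Constructed sample records (not real log data): same fields, two orders.
CANONICAL = ('type=SYSCALL msg=audit(1412708594.333:94): arch=c000003e '
             'syscall=2 success=yes exit=3 pid=1234 auid=1000 uid=0 '
             'ses=1 comm="cat" exe="/bin/cat" key="access"')
SHUFFLED = ('type=SYSCALL msg=audit(1412708594.333:94): key="access" '
            'exe="/bin/cat" comm="cat" uid=0 exit=3 success=yes '
            'syscall=2 arch=c000003e ses=1 auid=1000 pid=1234')

WANTED = ("auid", "ses", "pid")  # hypothetical set a search tool needs

if __name__ == "__main__":
    for name, rec in (("canonical", CANONICAL), ("shuffled", SHUFFLED)):
        fields, scanned = extract_fields(rec, WANTED)
        print(f"{name}: {fields} after scanning {scanned} tokens")
```

Both records yield the same three fields; the canonical record is abandoned after 10 of its 13 tokens, the shuffled one only after all 13.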