Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1924195imu;
        Thu, 17 Jan 2019 05:37:34 -0800 (PST)
X-Google-Smtp-Source: ALg8bN5lMRmp7SUOv/v3cN93lgRqQ6nOw2WN/WnvdgiCAVIAGT2rG4Q3eIt92WDZaoSzxSzrOaEq
X-Received: by 2002:a17:902:784d:: with SMTP id e13mr15234444pln.188.1547732254617;
        Thu, 17 Jan 2019 05:37:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547732254; cv=none;
        d=google.com; s=arc-20160816;
        b=OrEucdjWvTuvoL3FfD7fK+B0UQH6zJDXnntZ3JYsze5yxX/hY9F9d8mGQeWpFEZowJ
         U+ROalDRkTYf+7cPsQCjJDJYrGFktCYOZhYIjFN8BEQe17Y/bWBZGzmcAIQVGtyS96Qk
         GzyCtri4FCMkkkTRa54+uvFgDbVqOAWZn6VKhlX7CWCMKnZCwQz1X6rFmB5CZUqGW//6
         cUalVEn2uLBP62FqlbK+GMsqbgF92LzRVkRcf1tJK4h6MA98Ls9m1Ja+K6brvGIsMw2l
         obkxOBIJAqgf0pGvPAcLDVA1lnxPevCKqFT2DumxAbnxsQtpAbR3ZofO6jSr6srHkg0c
         QdLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=ryVcTEl5q/cbIxyudwCNKkjBsjaLwkUWRsmdGQumEmw=;
        b=GdUcz364WH+YKH7/srxy4jeNw3rj3Y1jOOgrZ9a08NG6iiB0V+kmnlwkDqu/YBtqv0
         1p8kEF4gw1oTaa7tl6ZodABMobtCpcza4Ei54dTRoJE2506MIZ4MvHF/HYbUPrrENJEt
         MzVgclNlxt8l8cWgGvUr/PjFWV7p4EZ0Mk8DYVS+7CXSUybv2LmoyWdayBSIwgMCwUM/
         fU7e5fLUanc6qLAopRSaZn78yZrWg/q8vLUuXhqGBfple68v+HXgaiiqvbjAarlnvrBJ
         DVz6lEMbJ35V6uZWwSh9oHXScY4nO0hBTQFvnifbH4orGAIXmL9YfS3jkn19CyJNXZXu
         8QHQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=gmXczKPN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 38si1656130pgx.460.2019.01.17.05.37.18;
        Thu, 17 Jan 2019 05:37:34 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=gmXczKPN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727781AbfAQNVy (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Thu, 17 Jan 2019 08:21:54 -0500
Received: from mail-lj1-f196.google.com ([209.85.208.196]:39661 "EHLO
        mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727363AbfAQNVx (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 Jan 2019 08:21:53 -0500
Received: by mail-lj1-f196.google.com with SMTP id t9-v6so8553731ljh.6
        for <linux-kernel@vger.kernel.org>; Thu, 17 Jan 2019 05:21:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=ryVcTEl5q/cbIxyudwCNKkjBsjaLwkUWRsmdGQumEmw=;
        b=gmXczKPNRKZaPtcfGbS9bxRl+axZM0sJSTx/XCGpOSbEoEnb23ZwbiG6cWm+WtzfAA
         p55BIwXZ2YsphVpAuhNsVi/wkIz639Xu19VhxCtg5Avnxm4NawpH8h1DrGdh9UwTWHar
         D4JIEOvSuope+1zOAyHlxxxMFh+3hsyLfgprSbUnS/V4bbEMw7/gYblYSlhodA1ptui9
         3OsLyXLAkDrK2zJmuTrM0L7yaPWpd5hzbRAHxRm0SjKRj/AApScxkvAW1Kt44qR/rqaT
         UT2Pyk8EYnCtxOiG87dqAMYZWa2dPq8v6CWuxG9WhRbUnGqafoB03Z1ztwop7OM1+2fW
         koZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=ryVcTEl5q/cbIxyudwCNKkjBsjaLwkUWRsmdGQumEmw=;
        b=AvAg0TSk6qwCjo9ZrweHWRhoRQXT/udS71zyn4wmK9FB/OP9OydGFsG22hrDWQGK35
         3jfuGodzVcoN58c3NLLF5wJXhWD5cIt7bM7kVJauXOE1F/jP7KjvgO7VHEZ8laRm0o+E
         EA/DF5KSsYZ37bAwlv5hfF2cKJr7fdyaOJDoASuM9MFlHgaIGnHsdXOEQJltuDvKRIQB
         yF84ZKlm4CCeFJKeYcgQWqPK/5ysf9fSFp2dtEzBbeBs7245GFsFiF0Dqwe2nlrDoZwD
         kM5rtnaVWg7Vs7RKRinIbXWJzEWRjAbOQUai/8XDU7GmuX2+K5dM8P8GsJlFEzQwruMR
         l5KA==
X-Gm-Message-State: AJcUukcLYnKStPbFpiFhmX8Eu4ZErHfKdETUIv835WHU0aut7r+ryOUM
        GvqmNuI0cYCKHs85d+hVHqFTFdimBUA1X570iPoN
X-Received: by 2002:a2e:880a:: with SMTP id x10-v6mr10369552ljh.174.1547731311223;
 Thu, 17 Jan 2019 05:21:51 -0800 (PST)
MIME-Version: 1.0
References: <cover.1544477629.git.rgb@redhat.com> <43548fafdfa98ee64ecfd0d7a69a2f5cb2c31c50.1544477629.git.rgb@redhat.com>
 <CAHC9VhSaTvVgSWVWo42Ur2k6hVNJ1XBkLwrd-J4-SUuidwXUYg@mail.gmail.com> <20190117103255.1f640a42@ivy-bridge>
In-Reply-To: <20190117103255.1f640a42@ivy-bridge>
From:   Paul Moore <paul@paul-moore.com>
Date:   Thu, 17 Jan 2019 08:21:40 -0500
Message-ID: <CAHC9VhQvk+6AFjVU_ygyn8Q6FGwVy_JqXj7wWSNYYp5zSiBcuw@mail.gmail.com>
Subject: Re: [PATCH ghak59 V3 2/4] audit: add syscall information to
 CONFIG_CHANGE records
To:     Steve Grubb <sgrubb@redhat.com>,
        Richard Guy Briggs <rgb@redhat.com>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        Eric Paris <eparis@redhat.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb <sgrubb@redhat.com> wrote:
> On Mon, 14 Jan 2019 17:58:58 -0500
> Paul Moore <paul@paul-moore.com> wrote:
>
> > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs <rgb@redhat.com>
> > wrote:
> > >
> > > Tie syscall information to all CONFIG_CHANGE calls since they are
> > > all a result of user actions.
>
> Please don't tie syscall information to this. The syscall will be
> sendto. We don't need that information, its implicit. Also, doing this
> will possibly wreck things in libauparse. Please test the events with
> ausearch --format csv and --format text. IFF the event looks better or
> the same should we do this. If stuff disappears, the patch is
> breaking things

We've discussed this quite a bit already; connecting associated
records into a single event is something that should happen, needs to
happen, and will happen.  Conceptually it makes no sense to record the
syscall (and any other associated records) which triggers the audit
configuration change, and the configuration change record itself as
two distinct events - they are the same event.  We've also heard from
a prominent user that associating records in this way is desirable.

If the ausearch csv and text audit log transformations can't handle
this particular change, I would consider that a shortcoming of that
code.  We have multi-record events now, and this is only going to
increase in the future.

Richard, if you can't make the requested changes to this patch and
resubmit by ... let's say the middle of next week? that should be
enough time, yes? ... please let me know and I'll make the changes and
get this merged.

-- 
paul moore
www.paul-moore.com