Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2086759imu;
        Thu, 17 Jan 2019 08:11:07 -0800 (PST)
X-Google-Smtp-Source: ALg8bN4L7ofWFkAUusmeN/mpHGF1GNFhD+JiuXL2ZRrjmmPVqUr+/KYDDd5ONdtMOgngOr+s8Uy1
X-Received: by 2002:a17:902:c85:: with SMTP id 5mr15778047plt.339.1547741467681;
        Thu, 17 Jan 2019 08:11:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547741467; cv=none;
        d=google.com; s=arc-20160816;
        b=vP7ADXym+RH+OvKzfmknK/Q/h2JJxBStkVGMFn1V8I1D7onc88/Are6eL2E+NAY3at
         tLrLEODdrdw7xvAEq5NZShF9BwR7TsvF2SB3n2ByBH4kaFnV8deTcNk51B7Ejah9h6U9
         UtAOFJbBKNfACjyT95saYko7+ZKSfZb0Qx7IdrvizBPECBmzU7HIZ35mhgJbAiYZtv5l
         jaQyjGz2i2XjC3yjxxFrqT9Fu29n77HRXT98LMkxNZMm/EV4joeRcyn9g391AR1rxrV8
         SaOSJB3EJ3RcVVuJ3Fn3NU9hJk3tpPGDEFScv1LIVThKgBzrhykWwPhd5qam7VMVoBbm
         SduQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :organization:references:in-reply-to:message-id:subject:cc:to:from
         :date;
        bh=ro6jSrTzz+Ua1IffrGNVgwJtCi+Y/93KFJN8MfaUbOU=;
        b=0lKswiLSLbeNh93AMGHj5lM5m85JYWzYCBNNZ/7f0hZ/Vn2joRrocqIDTXIRS2xsze
         NHvvZB4zPnU3NDi9gT7aOGOPfMnYvaXFAvHx+mLW6/o01+Qpu4uOSB8/t0FJauXKAQix
         AGWAUiJaGcA7EUFl+AcIBAZC92oTqtM9T0NYxFdukGcZPXUiCxogf2CLi71WXQr9GxRQ
         tNFsOtyNwoGRuVAzBjm8QzNyblBrYDp+BqkjXkJW8NfR9aJqn0mDnwF8EJh8QDq3jmtq
         9X9M73tsrgEXApQp3N3JCwyIgZMF1yxnQc3X98GWbr/R4CQR7ZUd1vwb90G1L93JRSV3
         R6/w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 189si2013560pfd.142.2019.01.17.08.10.48;
        Thu, 17 Jan 2019 08:11:07 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728635AbfAQQIS (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Thu, 17 Jan 2019 11:08:18 -0500
Received: from mx1.redhat.com ([209.132.183.28]:43728 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727584AbfAQQIS (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 Jan 2019 11:08:18 -0500
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 10CC481DF0;
        Thu, 17 Jan 2019 16:08:18 +0000 (UTC)
Received: from ivy-bridge (unknown [10.36.118.67])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 54CE019751;
        Thu, 17 Jan 2019 16:08:16 +0000 (UTC)
Date:   Thu, 17 Jan 2019 17:08:15 +0100
From:   Steve Grubb <sgrubb@redhat.com>
To:     Paul Moore <paul@paul-moore.com>
Cc:     Richard Guy Briggs <rgb@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        Eric Paris <eparis@redhat.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH ghak59 V3 2/4] audit: add syscall information to
 CONFIG_CHANGE records
Message-ID: <20190117170815.40131a69@ivy-bridge>
In-Reply-To: <CAHC9VhQvk+6AFjVU_ygyn8Q6FGwVy_JqXj7wWSNYYp5zSiBcuw@mail.gmail.com>
References: <cover.1544477629.git.rgb@redhat.com>
        <43548fafdfa98ee64ecfd0d7a69a2f5cb2c31c50.1544477629.git.rgb@redhat.com>
        <CAHC9VhSaTvVgSWVWo42Ur2k6hVNJ1XBkLwrd-J4-SUuidwXUYg@mail.gmail.com>
        <20190117103255.1f640a42@ivy-bridge>
        <CAHC9VhQvk+6AFjVU_ygyn8Q6FGwVy_JqXj7wWSNYYp5zSiBcuw@mail.gmail.com>
Organization: Red Hat
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 17 Jan 2019 16:08:18 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 17 Jan 2019 08:21:40 -0500
Paul Moore <paul@paul-moore.com> wrote:

> On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Mon, 14 Jan 2019 17:58:58 -0500
> > Paul Moore <paul@paul-moore.com> wrote:
> >  
> > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > > <rgb@redhat.com> wrote:  
> > > >
> > > > Tie syscall information to all CONFIG_CHANGE calls since they
> > > > are all a result of user actions.  
> >
> > Please don't tie syscall information to this. The syscall will be
> > sendto. We don't need that information, its implicit. Also, doing
> > this will possibly wreck things in libauparse. Please test the
> > events with ausearch --format csv and --format text. IFF the event
> > looks better or the same should we do this. If stuff disappears,
> > the patch is breaking things  
> 
> We've discussed this quite a bit already;

Yes, and you still don't seem be listening. You have to cooperate on
modifying events. We as a community need to respect each other's needs
and work together to solve problems. What this is saying sounds a lot
like I don't care if it breaks things, I'm gonna do it my way. Tough
luck.

You do not have to make sense of any of these events. So, what does it
really matter to you how the event is formed? What I'm asking for is
have these changes been vetted to ensure that they are not breaking
things?

> connecting associated records into a single event is something that
> should happen, needs to happen, and will happen.  Conceptually it
> makes no sense to record the syscall (and any other associated
> records) which triggers the audit configuration change, and the
> configuration change record itself as two distinct events - they are
> the same event.

Except that they are not. The design of the audit system is to save
disk space as much as possible by emitting single record events on
certain event types that are simple. To add a syscall to it adds useless
information (such as a socket address record), slows down processing,
and wastes disk space. If you get a SYSCALL record, that indicates that
you have triggered an event that the system admin has placed explicit
rules on. That is different than the common criteria required
configuration change event. 

>  We've also heard from a prominent user that
> associating records in this way is desirable.
> 
> If the ausearch csv and text audit log transformations can't handle
> this particular change, I would consider that a shortcoming of that
> code.  We have multi-record events now, and this is only going to
> increase in the future.

Isn't there some kind a guideline about not breaking user space?

-Steve

> Richard, if you can't make the requested changes to this patch and
> resubmit by ... let's say the middle of next week? that should be
> enough time, yes? ... please let me know and I'll make the changes and
> get this merged.
>