I'm working on a binary format for the linux-audit system as part of a university research project.
The goal is having something similar to BSM trails. What do you think about it?

2008/8/14, Stephen Smalley <[EMAIL PROTECTED]>:
>
> On Wed, 2008-08-13 at 13:25 -0300, Klaus Heinrich Kiwi wrote:
>> On Wed, 2008-08-13 at 11:09 -0400, Eric Paris wrote:
>> > HAHAHA, kernel output xml? dream on :) I'm willing to do wholesale
>> > output changes, but something that heavy in kernel is impossible to
>> > push. I can just see Al cussing up a storm as he read that.
>>
>> That's exactly my point. There's no sense in discussing an 'ideal' format
>> for audit stream coming out of the kernel, since it's well agreed
>> (thankfully) that the kernel part should be as minimal as possible.
>>
>> I like Mathew's idea of having a binary format though. Maybe it's
>> possible to carry the legacy format for some time while we have a more
>> robust (and extensible) binary format in parallel? And then having a
>> binary format version tag within each record?
>>
>> I know, I know, at the time I have more questions than answers. I only
>> wanted to express my feeling that there is indeed a problem with the
>> current format.
>>
>> I know you and Steve tried before to talk with the SELinux guys trying
>> to have a saner format for AVCs and stuff. Do you feel that's an
>> impossible barrier to cross or maybe we try again and convince them that
>> stricter formatting rules will bring more users for their audit data?
>
> If you want to ask the "SELinux guys", ask on the [EMAIL PROTECTED]
> list. But in this case: we've always been willing to take changes to
> the AVC audit format; we have merely pointed out that it has to be done
> in a way that provides full backward compatibility both in kernel and in
> the userland, as we are not allowed to break existing userland with new
> kernel and we'd like new userland to still work on old kernels. Patches
> that meet those standards accepted.
>
> --
> Stephen Smalley
> National Security Agency
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
>

--
Matteo Michelini (Milan - Italy)
http://www.michelini.co.uk
Linux registered user: #332873
