I finally bit the bullet and rewrote the SCM audit logic.
Until now, an audit finding was raised when the Rule condition evaluated to False. This was actually the opposite of what it should have been. It was originally written from the perspective of “check that this is true. If it isn’t, that’s a problem”, which makes a certain kind of sense if you think about it that way.
The problem with this logic is that it’s usually the opposite of what you expect it to be. When writing an audit rule, you’re generally checking for something that’s broken. The logic in your head is “if this happens, that’s bad, so tell me”, which is the exact logical opposite of the original logic.
Several times I’ve found myself writing a new audit rule and having it fail in testing, and then doing a facepalm and thinking “oh yeah, that’s right. This thing wants it to be the other way around.” If I have trouble with this, what chance do you have?
So I changed it. And it’s much better this way.
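To make the two conventions concrete, here is a small rule evaluator I am adding as an illustration; it is not the SCM code the post describes, and the rule names, the configuration keys and the sample values are all constructed. The `audit` function uses the new convention (a rule's condition is True when it found a problem), and `audit_old_convention` shows what the same rules report when a finding is raised on False instead, which is exactly the inversion the post complains about.

```python
# Added example, not the author's SCM audit code: a minimal audit-rule
# evaluator using the "condition True means a problem" convention.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass
class Rule:
    name: str
    # Returns True when the configuration exhibits the problem the rule
    # describes ("if this happens, that's bad, so tell me").
    is_problem: Callable[[Dict[str, Any]], bool]


def audit(config: Dict[str, Any], rules: List[Rule]) -> List[str]:
    """New convention: a rule whose condition evaluates True is a finding."""
    return [r.name for r in rules if r.is_problem(config)]


def audit_old_convention(config: Dict[str, Any], rules: List[Rule]) -> List[str]:
    """Original convention: a finding is raised when the condition is False.
    Running rules written in the natural "this is bad" style through it
    reports the healthy settings and hides the broken ones."""
    return [r.name for r in rules if not r.is_problem(config)]


# Constructed sample configuration snapshot (hypothetical keys and values).
SAMPLE_CONFIG = {
    "ssh_permit_root_login": "yes",
    "password_min_length": 8,
    "firewall_enabled": True,
}

# Hypothetical rules, each written as "condition True == problem present".
RULES = [
    Rule("root-login-permitted",
         lambda c: c.get("ssh_permit_root_login") == "yes"),
    Rule("weak-password-policy",
         lambda c: c.get("password_min_length", 0) < 12),
    Rule("firewall-disabled",
         lambda c: not c.get("firewall_enabled", False)),
]

if __name__ == "__main__":
    # The new evaluator reports the two real problems in SAMPLE_CONFIG.
    for finding in audit(SAMPLE_CONFIG, RULES):
        print("FINDING:", finding)
    # The old evaluator, fed the same rules, reports only the one setting
    # that is actually fine: the "other way around" facepalm from the post.
    for finding in audit_old_convention(SAMPLE_CONFIG, RULES):
        print("OLD-STYLE FINDING (inverted):", finding)
```

The point the two functions make: the rule bodies are identical, and only the evaluator's interpretation of True differs, so a framework that raises on False forces every rule author to write the negation of the check they have in their head.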
