[RFC][PATCH] collect security labels on user processes generating audit messages
Steve Grubb
sgrubb at redhat.com
Wed Feb 15 16:22:37 UTC 2006
This should be a separate thread since the topic is different.
On Wednesday 15 February 2006 11:14, Linda Knippers wrote:
> Amy submitted a patch a while back to eliminate the "name=" field
> to avoid "name=(null)" from the audit records if there was no name
> but I don't think the patch went anywhere.
Right. I want all audit fields to have name=value. If we have %s in the
message and pass NULL to it, snprintf is already going to put "(null)" so
what's wrong with just using this precedent?
> It looks like there's a new case (for tty) where "(none)" is used.
Yes for the same reason.
> It would be nice to avoid having this in the audit records, especially
> in this case where the value might never be set on a particular system.
It creates parsing problems without a value. If I saw "tty=" and that's all,
I'd think the audit system malfunctioned and file a bugzilla. I don't want
that.
-Steve
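
A consumer-side view of the parsing concern raised in this message, as an added example that is not code from the thread or from the audit project. It assumes records are space-separated key=value pairs; the sample lines are constructed, and `parse_record` and `UNSET_SENTINELS` are hypothetical names.

```python
import re

# Placeholders named in the thread: what "%s" prints for NULL, and the tty case.
UNSET_SENTINELS = {"(null)", "(none)"}

# key=value, where value is a double-quoted string or a run of non-space
# characters (possibly empty, which is the case the thread wants to avoid).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Return (fields, problems) for one space-separated key=value record.

    fields maps each key to its value, or to None when a sentinel was logged.
    problems lists keys that appeared with no value at all.
    """
    fields, problems = {}, []
    for key, raw in FIELD_RE.findall(line):
        value = raw.strip('"') if raw.startswith('"') else raw
        if raw == "":
            # Bare "tty=": cannot tell "unset" from a truncated record.
            problems.append(key)
        elif value in UNSET_SENTINELS:
            # Explicit placeholder: the field was emitted, the value was unset.
            fields[key] = None
        else:
            fields[key] = value
    return fields, problems


# Constructed sample records, not taken from a real audit log.
SAMPLES = [
    'type=USER_AUTH pid=2211 tty=pts/0 name="/etc/shadow"',
    'type=USER_AUTH pid=2212 tty=(none) name=(null)',
    'type=USER_AUTH pid=2213 tty= name=',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_record(sample))
```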