Audit Parsing Library Requirements

Michael C Thompson mcthomps at us.ibm.com
Thu Mar 9 19:13:59 UTC 2006


Steve Grubb <sgrubb at redhat.com> wrote on 03/09/2006 12:59:01 PM:

> On Thursday 09 March 2006 11:48, Michael C Thompson wrote:
> > What sort of search options can you set?
> 
> Oh...how about any?

Any - good to know. Sometimes people have mental models which incorporate 
limits which aren't clearly communicated, hence the question.

> 
> > Are these basically the same that ausearch allows? 
> 
> We could limit it to that and it would be faster...or it could be more.
> Do we need to search on all fields or just have access to all fields?

From a testing/tester standpoint, if I understand ausearch's purpose 
correctly, it would be nice to be able to specify any field/value pair. My 
understanding of ausearch is to set up our search parameters (through many 
tedious function calls! <humor, ignore it if you don't find it funny>), and 
then call ausearch_next_event to begin returning records which match the 
parameters we've set. If this is the case, from a testing standpoint, it 
would be nice to be able to set up the parameters on every value of the 
record as we expect it to look. Obviously, if this is deemed unreasonable, 
there are other ways to do this type of checking, but if it could be 
incorporated right into the library, it would decrease complexity for the 
caller if this is their objective.

Mike

> 
> -Steve
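
The testing use case discussed in this message (search on any field/value pair, or compare every field of a record against what a test expects) can be sketched as below. This is an added example, not part of the thread and not the audit library's API: the function names are hypothetical and the log lines are constructed samples in the audit log text format.

```python
import re

# Constructed sample records (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1141931639.123:42): arch=40000003 syscall=5 success=yes exit=3 pid=2001 auid=500 uid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1141931639.123:42): name="/etc/shadow" inode=1234 dev=03:02 mode=0100400
type=SYSCALL msg=audit(1141931640.500:43): arch=40000003 syscall=5 success=no exit=-13 pid=2002 auid=501 uid=501 comm="cat" exe="/bin/cat"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_record(line):
    """Return ((timestamp, serial), fields) for one record line, or None."""
    m = HEADER.match(line)
    if m is None:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {"type": rtype}
    for key, value in FIELD.findall(body):
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        fields[key] = value[1:-1] if quoted else value
    return (ts, int(serial)), fields

def group_events(text):
    """Group records sharing a timestamp:serial pair into one event."""
    events = {}
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is not None:
            event_id, fields = parsed
            events.setdefault(event_id, []).append(fields)
    return events

def search(events, criteria):
    """Ids of events where one record carries every field/value in criteria."""
    return [event_id for event_id, records in events.items()
            if any(all(r.get(k) == v for k, v in criteria.items())
                   for r in records)]

def diff_record(actual, expected):
    """Map each differing field to (expected, actual); empty means a match."""
    return {k: (expected.get(k), actual.get(k))
            for k in sorted(set(expected) | set(actual))
            if expected.get(k) != actual.get(k)}
```

A test that knows the whole expected record can call `diff_record` and fail with the returned mapping, which names the fields that are missing, unexpected, or carry a different value.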