Audit Parsing Library Requirements

LC Bruzenak lenny at bruzenak.com
Fri Mar 10 20:32:57 UTC 2006


On Fri, 2006-03-10 at 13:53 -0600, Klaus Weidner wrote:
> On Fri, Mar 10, 2006 at 01:42:00PM -0600, LC Bruzenak wrote:
> > That to me means that the field names are not unique; hence my question.
> 
> There are two separate issues here:
> 
> - audit records that contain the same field name twice for different
>   purposes in a single record. I think this happens in a couple of places
>   where uid or something like that is re-used. My preference would be to
>   consider this a bug in the audit generation that needs fixing, instead
>   of having the parser handle it. (As a side note, any remaining tag names
>   containing spaces should also be fixed...)

Yes, and the audit scanner(s) would have to handle/accommodate this
also.

In this scheme is there a distinction between name/value pairs supplied
by the kernel vice those added by userspace or audit-aware applications?

LCB.

-- 
LC Bruzenak
lenny at bruzenak.com
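
A sketch of the check discussed in this message, added here as an example and not code from the thread or from the audit project: it keeps every name/value pair in order, so a repeated field name is reported instead of silently overwritten, and it flags tag names that contain a space. The two record lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# name=value, where the value is a double-quoted string or a run of non-spaces
FIELD = re.compile(r'([^\s=]+)=("[^"]*"|\S*)')

# Constructed sample records (not taken from a real log)
DUP_RECORD = ('type=SYSCALL msg=audit(1142022777.123:42): syscall=5 '
              'uid=500 gid=500 comm="cat" uid=0')
SPACED_RECORD = ('type=USER_CHAUTHTOK msg=audit(1142022778.456:43): '
                 'user pid=2301 uid=0 acct="alice"')

def parse_fields(record):
    """Return (fields, spaced_names).

    fields is an ordered list of (name, value) pairs that keeps duplicates;
    spaced_names lists tag names that had stray words in front of them.
    """
    fields, spaced, pos = [], [], 0
    for m in FIELD.finditer(record):
        stray = record[pos:m.start()].strip()
        name = m.group(1)
        if stray:  # words between the previous value and this name
            name = stray + " " + name
            spaced.append(name)
        fields.append((name, m.group(2).strip('"')))
        pos = m.end()
    return fields, spaced

def duplicate_names(fields):
    """Map each field name used more than once to all of its values, in order."""
    counts = Counter(name for name, _ in fields)
    return {n: [v for k, v in fields if k == n]
            for n, c in counts.items() if c > 1}

if __name__ == "__main__":
    for rec in (DUP_RECORD, SPACED_RECORD):
        fields, spaced = parse_fields(rec)
        print("duplicates:", duplicate_names(fields), "spaced names:", spaced)
        # A dict-based parser keeps only the last value of a repeated name
        print("dict view uid:", dict(fields).get("uid"))
```
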



