[PATCH]: revised make xfrm_audit_log more generic patch
Joy Latten
latten at austin.ibm.com
Tue Jul 24 16:17:58 UTC 2007
On Tue, 2007-07-24 at 11:04 -0400, Steve Grubb wrote:
> > + audit_log_format(audit_buf, "%s: auid=%u", buf, auid);
> >
> > if (sid != 0 &&
> > security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
>
> The operation in buf will not be parsed by the user space tools. Let's
> use "op=%s " where you have "%s: " above. Audit record fields are name=value
> and fields separated by spaces. "op" is what we are using in other places to
> mean operation.
>
> I know its a change from the records above, but we previously had some detail
> about what operation was being performed by the record type and this did not
> matter so much. Now that we only have one event type, the meaning of the
> event being recorded needs to be parsable and in a field.
>
> It also wouldn't hurt to change the text being sent to this function to have a
> hyphen instead of a space, so "SPD delete" becomes "SPD-delete". This keeps
> the parser happy.
>
> This patch otherwise looks good.
Sounds good. I will make the changes and resend.
Thanks!!
Joy
More information about the Linux-audit
mailing list