get_field_str() and interpret_field() bug with multi-word fields

LC Bruzenak lenny at magitekltd.com
Wed Aug 13 17:30:27 UTC 2008


On Wed, 2008-08-13 at 13:02 -0400, Steve Grubb wrote:
> 
> 
> There is a problem with any format. How would changing to binary help
> when we realize that we forgot auid in CONFIG_CHANGE? The only thing
> that might help is to stab a version number into each record because
> its size is going to change. This is going to lead to much more
> complex code in the parser.

I was thinking along those lines also - that if there was an identifier
embedded in the audit data that the parser could read, it could know if
it could parse it or not.

Then the matching parser format could be used if it were separated out
as a plugin. Not sure it would need to be each record but maybe just in
the auditd start event?

Maybe this isn't really practicable per se, but if there is a way to
future-proof the data/format pair rather than maintain perpetual
backwards compatibility over advancements I'd think it worthwhile.

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
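One way to act on the idea above (a format identifier in the auditd start event that lets the parser pick a matching per-version parser or refuse what it cannot read), as an added example that is not the audit project's code nor the author's. It assumes a hypothetical `format_ver` field in the DAEMON_START record; the per-version required-field sets and the sample records are constructed for the illustration.

```python
# Added example (not the audit project's code): parse audit-style records,
# read a hypothetical format_ver field from the daemon start event, and refuse
# records the known formats cannot interpret. Field sets/samples are constructed.
import re
REC_RE = re.compile(r'type=(\w+)\s+msg=audit\([^)]*\):\s*(.*)')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def split_fields(body):
    """'k=v op="add rule"' -> dict; quoted multi-word values are kept whole."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

# One "plugin" per format version: the fields each record type must carry.
REQUIRED = {1: {"CONFIG_CHANGE": {"pid", "op"}},            # legacy v1
            2: {"CONFIG_CHANGE": {"pid", "op", "auid"}}}    # v2 adds auid

class AuditStreamParser:
    def __init__(self):
        self.version = None  # unknown until DAEMON_START announces it

    def feed(self, line):
        m = REC_RE.match(line)
        if not m:
            raise ValueError("not an audit record: %r" % line)
        rtype, fields = m.group(1), split_fields(m.group(2))
        if rtype == "DAEMON_START":
            v = int(fields.get("format_ver", "1"))  # no field: legacy v1
            if v not in REQUIRED:
                raise ValueError("unsupported record format version %d" % v)
            self.version = v
        elif self.version is None:
            raise ValueError("format version unknown: no DAEMON_START seen")
        else:
            missing = REQUIRED[self.version].get(rtype, set()) - set(fields)
            if missing:
                raise ValueError("%s lacks %s in format v%d" % (rtype, sorted(missing), self.version))
        return rtype, fields

def validate_stream(lines):
    """Return 'ok' or the parser's error message for each line, in order."""
    parser, out = AuditStreamParser(), []
    for line in lines:
        try:
            parser.feed(line)
            out.append("ok")
        except ValueError as exc:
            out.append(str(exc))
    return out

SAMPLE = [  # constructed records; timestamps and ids are not from the page
    'type=DAEMON_START msg=audit(1218648000.000:1): op=start format_ver=2 res=success',
    'type=CONFIG_CHANGE msg=audit(1218648000.100:2): auid=500 pid=123 op="add rule" res=success',
    'type=CONFIG_CHANGE msg=audit(1218648000.200:3): pid=123 op=remove_rule res=success',
]
```

Running `validate_stream(SAMPLE)` accepts the first two records and rejects the third, which lacks the auid that format v2 requires in CONFIG_CHANGE.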