Draft copy of how to write good events

Steve Grubb sgrubb at redhat.com
Mon Sep 8 18:35:39 UTC 2014


On Thursday, September 04, 2014 06:08:06 PM Richard Guy Briggs wrote:
> > I assume the mix of new-, new_, old- and old_ are there due to
> > historical raisins and changing them would break userspace...

Yes it would. It can break more than ausearch. For example, there could be an 
analysis script that does this:

import auparse

au = auparse.AuParser(auparse.AUSOURCE_LOGS)  # iterate the system audit logs
while au.parse_next_event():
    if au.find_field("new_gid"):  # looks the field up by its exact name
        do_something()

Changing the event would cause the program to not find the event it was looking 
for.

> > Here's a unified diff of a few obvious minor cleanups...

I took most of these changes and added some more changes of my own. A revised 
copy has been uploaded.

-Steve
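The point above, that a field name is part of the contract with every consumer of the audit stream, is easy to demonstrate without a live audit daemon. The following is an added example, not code from Steve's message or from the audit project: a small stand-alone parser for the audit `type=... msg=audit(ts:serial): k=v ...` record layout, an exact-name lookup that behaves like the `find_field()` call in the script above, and a tolerant lookup that accepts both the `-` and `_` spellings. The record type `EXAMPLE` and every value in the sample lines are constructed for the illustration; the "after" line shows what a renamed field would do to the existing script.

```python
import re
from typing import Optional

# Constructed sample records in the audit key=value layout. The field names
# old_gid/new_gid are the ones discussed in the message; the record type
# "EXAMPLE" and all values are made up for this illustration.
RECORDS_BEFORE = [
    "type=EXAMPLE msg=audit(1410200139.123:456): pid=1234 uid=0 old_gid=1000 new_gid=0 res=1",
]
# The same record as it would look if the producer renamed the fields.
RECORDS_AFTER = [
    "type=EXAMPLE msg=audit(1410200139.123:457): pid=1234 uid=0 old-gid=1000 new-gid=0 res=1",
]

_HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
_FIELD = re.compile(r"(\S+?)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line: str) -> dict:
    """Split one audit record into its header and a name -> value field map."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip("'\"") for k, v in _FIELD.findall(body)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def find_field(record: dict, name: str) -> Optional[str]:
    """Exact-name lookup, the behaviour the analysis script in the message relies on."""
    return record["fields"].get(name)


def find_field_compat(record: dict, name: str) -> Optional[str]:
    """Lookup that tolerates the '-' versus '_' spelling of a field name."""
    for variant in (name, name.replace("_", "-"), name.replace("-", "_")):
        if variant in record["fields"]:
            return record["fields"][variant]
    return None


def count_gid_changes(lines, lookup=find_field) -> int:
    """The analysis script from the message: count records carrying new_gid."""
    n = 0
    for line in lines:
        rec = parse_record(line)
        if lookup(rec, "new_gid") is not None:
            n += 1
    return n


if __name__ == "__main__":
    print("before rename:", count_gid_changes(RECORDS_BEFORE))
    print("after rename, exact lookup:", count_gid_changes(RECORDS_AFTER))
    print("after rename, tolerant lookup:", count_gid_changes(RECORDS_AFTER, find_field_compat))
```

With the exact lookup the renamed record is silently skipped, which is the failure mode described above: no parse error, just an analysis that quietly stops seeing the events it was written for. The tolerant lookup is what a consumer can do defensively, but it does not remove the need to keep field names stable at the producer.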



