ABI guarantee for auditd
Steve Grubb
sgrubb at redhat.com
Thu Jan 15 20:44:15 UTC 2015
On Thursday, January 15, 2015 12:24:38 PM hsultan at thefroid.net wrote:
> Regarding auditd, what is the ABI guarantee? Do you guarantee that the
> text contained in audit_reply->msg.data will always be the same format?
> I imagine you reserve the right to add fields, but how about removing
> any or even reordering them?
It happens on occasion. Requirements change, bugs are found, new features
asked for.
> Or are people simply required to use auparse to guarantee they get
> records properly?
Nobody is _required_ to do anything. :-) But, if there are changes, auparse
will definitely be updated because it's used for a lot of purposes. I haven't
found a problem yet that it couldn't handle. There are also plans to give it
more capabilities later in the spring.
The intention of the auparse library is that anyone wanting to write an
analytical application can use it to get something working without having to
become an audit expert. You don't have to worry about where to look up
information to translate the fields from numbers to human-readable form.
> Also, regarding 'unofficial' ABI compatibility, when has the
> audit_reply->msg.data format changed last? Say these past 3-4 years,
> were there any changes in the format or could I use a faster, but
> specifically focused parser on the msgs when detecting older releases at
> least?
The format of some events does change on occasion. Usually it's after a problem
is identified.
-Steve
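
Added example (not part of the message above and not code from the audit project): because fields in the record text can be added, removed or reordered, a hand-written parser should look each field up by its full name and treat absence as a normal result, never rely on position. `audit_get_field`, `field_or` and the sample records are hypothetical names and constructed data; auparse remains the library the message says will be updated when formats change.

```c
#include <stdio.h>
#include <string.h>

/* Look up one field by name in audit record text (space-separated key=value).
 * Returns 1 if found, 0 if absent, -1 if out is too small. Bare and
 * double-quoted values only. */
int audit_get_field(const char *rec, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *p = rec;
    while (*p) {
        while (*p == ' ') p++;
        const char *key = p;
        p += strcspn(p, "= ");
        if (*p != '=') continue;          /* no '=': e.g. "audit(...):" */
        size_t klen = (size_t)(p - key), vlen;
        const char *val = ++p;
        if (*val == '"') {                /* quoted value may contain spaces */
            vlen = strcspn(++val, "\"");
            p = val + vlen + (val[vlen] == '"');
        } else {
            vlen = strcspn(val, " ");
            p = val + vlen;
        }
        /* Compare the whole key so "uid" never matches inside "auid". */
        if (klen == nlen && memcmp(key, name, nlen) == 0) {
            if (vlen + 1 > outsz) return -1;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Value, or dflt when absent/too long. Static buffer: copy before next call. */
const char *field_or(const char *rec, const char *name, const char *dflt) {
    static char buf[256];
    return audit_get_field(rec, name, buf, sizeof buf) == 1 ? buf : dflt;
}
/* Constructed sample records: B reorders A's fields, C lacks exit and comm. */
const char REC_A[] = "audit(1421354655.123:456): syscall=2 exit=3 auid=500 uid=1000 comm=\"my cat\"";
const char REC_B[] = "audit(1421354655.123:456): comm=\"my cat\" uid=1000 auid=500 exit=3 syscall=2";
const char REC_C[] = "audit(1421354655.123:456): syscall=2 auid=500 uid=1000";

int main(void) {
    const char *recs[] = { REC_A, REC_B, REC_C };
    for (int i = 0; i < 3; i++)
        printf("record %d: exit=%s\n", i, field_or(recs[i], "exit", "(absent)"));
    return 0;
}
```
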