New field to auditd.conf file

Steve Grubb sgrubb at redhat.com
Wed Apr 20 12:30:31 UTC 2016 

On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> In general way,Is there any compatibility issues if audit log structure
> gets modified?

Yes, there can be problems if the log structure gets modified. Ausearch/report 
are highly optimized for an exact format.

-Steve


> On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > > As per my understanding audit log structure can be extendible based on
> > > requirements and in my project I need to add the identifier field for
> > > the
> > > application and as of now I couldn't able to revel the What application
> > > trying to develop to update.So,Is there any possibility that without
> > > breaking any Compatibility issues I can do it ?
> > 
> > I have no idea what you are doing so there is no guarantee that it won't
> > break
> > something. If your project is going to be released as open source its
> > generally best to collaborate with people so that problems can be pointed
> > out.
> > Otherwise you risk spending a lot of time on something only to have it
> > rejected.
> > 
> > -Steve
> > 
> > > OR If any compatibility issues please specify .
> > > 
> > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul at paul-moore.com> wrote:
> > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > > > 
> > > > <sundar.deepika18 at gmail.com> wrote:
> > > > > In the same way, in the kernel side
> > > > > Can I able to add one new field to the audit log structure without
> > > > 
> > > > breaking
> > > > 
> > > > > Compatibility? If so,
> > > > > 
> > > > >   1.How can I add new field without breaking compatibility?
> > > > >   
> > > > >      or
> > > > >   
> > > > >   2.Is there any reserve field in audit log structure so that I can
> > 
> > make
> > 
> > > > use
> > > > 
> > > > >     of it?
> > > > 
> > > > You need to be more specific about what you are trying to do.
> > > > Speaking generally, unless you work to get your changed merged into
> > > > the upstream kernel and userspace tools we cannot guarantee present or
> > > > future compatibility.
> > > > 
> > > > --
> > > > paul moore
> > > > www.paul-moore.com

More information about the Linux-audit mailing list