[PATCH] security: lsm_audit: print pid and tid
Paul Moore
paul at paul-moore.com
Thu Aug 18 12:55:59 UTC 2016
On Thu, Aug 18, 2016 at 1:56 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2016-08-17 16:58, Paul Moore wrote:
>> However, as far as I can see, the biggest problem with this patch is
>> that it adds a field in the middle of a record which will likely cause
>> the audit userspace tools to explode (or so I've been warned in the
>> past). Steve, what say you about the userspace?
>
> Adding fields in the middle isn't necessarily a problem if it doesn't
> confuse the existing scanner, which can skip over fields about which it
> does not care. I've carefully added fields in the middle in the past,
> trying my best to group it logically with the rest of the information as
> has been requested, I think: subject, action, object, result.
I've ranted about this before so I won't do it again here, but
ultimately the problem is that the guidance for userspace
applications/libraries has been that you can expect certain fields in
specific locations.
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list