[PATCH 1/1] audit: add missing fields to AUDIT_CONFIG_CHANGE event

Paul Moore paul at paul-moore.com
Fri Oct 13 01:58:20 UTC 2017


On Thu, Oct 12, 2017 at 8:34 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, October 12, 2017 6:51:19 PM EDT Paul Moore wrote:
>> On Thu, Oct 12, 2017 at 6:13 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> > On Thursday, October 12, 2017 5:04:41 PM EDT Paul Moore wrote:
>> >> Another reminder that in general I'm not going to accept patches that
>> >> shuffle the fields or insert fields in the middle of a record; if you
>> >> want to add new fields to a record, add them at the end.  I see no
>> >> reason to break with the rule for this patch.
>> >
>> > This has never been a rule ...
>>
>> Yes it has, one I've mentioned to you several times both on and off
>> the list.  You may disagree with it, but that doesn't mean you are
>> exempt.
>
> I'm speaking on behalf of everyone that has to deal with the events ...

I honestly don't know what to tell you anymore Steve; you seem to
block out all of our past conversations on this matter ... I've heard
all these arguments before, you're not saying anything new, and as a
result my stance remains the same.

> Of these 7 & 9 are the same. So that means following your suggestion, everyone
> has to write 8 parsers for the same event. Does that sound like good
> engineering practice?

Perhaps if the original audit design had used some more of this "good
engineering" we wouldn't be in this situation.  Unfortunately that's
not the case, so we need to hobble along with what we have until we
get an opportunity to rework it.

If you want to add new information to existing records, you have my
suggested guidance; I suggest you use it.  I'm growing very tired of
repeating this discussion.

-- 
paul moore
www.paul-moore.com



