Preferred subj= with multiple LSMs

Lenny Bruzenak lenny at magitekltd.com
Tue Jul 16 16:33:30 UTC 2019


On 7/16/19 11:14 AM, Steve Grubb wrote:

> Quoting has a specific meaning in audit fields. So, we really shouldn't do 
> that. We can simply pick another field delimiter. I really don't care which it 
> is as long as it's illegal for use in a label. For example, we use 
>
> #define AUDIT_KEY_SEPARATOR 0x01
>
> to separate key fields. We can pick almost anything. (exclamation mark,
> semi-colon, hash, plus symbol, tilde, 0x02, whatever) But it will need to be 
> documented and put into the API so that everyone is aware of the convention.
>
> -Steve


Also should it not be the "#define AUDIT_INTERP_SEPARATOR 0x1D" for
enriched format records?

LCB

-- 
Lenny Bruzenak
MagitekLTD



