Preferred subj= with multiple LSMs
Steve Grubb
sgrubb at redhat.com
Tue Jul 16 16:37:38 UTC 2019
On Tuesday, July 16, 2019 12:33:30 PM EDT Lenny Bruzenak wrote:
> On 7/16/19 11:14 AM, Steve Grubb wrote:
> > Quoting has a specific meaning in audit fields. So, we really shouldn't do
> > that. We can simply pick another field delimiter. I really don't care
> > which it is as long as it's illegal for use in a label. For example, we use
> >
> > #define AUDIT_KEY_SEPARATOR 0x01
> >
> > to separate key fields. We can pick almost anything. (exclamation mark,
> > semicolon, hash, plus symbol, tilde, 0x02, whatever) But it will need
> > to be documented and put into the API so that everyone is aware of the
> > convention.
> >
> > -Steve
>
> Also should it not be the "#define AUDIT_INTERP_SEPARATOR 0x1D" for
> enriched format records?
True. That one is disqualified, too.
-Steve