[PATCH] auditd: fix missing space with enriched log format

Enzo Matsumiya ematsumiya at suse.de
Wed Sep 15 14:52:28 UTC 2021


On 09/14, Steve Grubb wrote:
>On Tuesday, September 14, 2021 9:55:48 PM EDT Enzo Matsumiya wrote:
>> When audit.log is opened with cat or less, for example, with log format
>> = ENRICHED, there's no space between data and the enriched part, only
>> AUDIT_INTERP_SEPARATOR (0x1d):
>
>This is by design.

I understand that, and the patch doesn't break it.

>> type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo" AUID="unset"
>>                                                               ^ (0x1d)
>>
>> sep_done should be checked if it's 1 as well, so a space is added before
>> the first enriched field.
>
>Why?

Some people still rely on opening audit.log with tools that are not aware
of the log format.

As far as I could test, the change is only cosmetic, as I expected. I did a
basic test with ausearch and it was ok.

Please clarify if you expect anything else to be affected by this
change.


Cheers,

Enzo
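
For tools that are not aware of the log format, the separator can also be handled when the log is read. The following is an added example, not code from the audit project or from this thread; the function names and sample records are constructed, and where the space sits in the `PATCHED` sample is an assumption.

```python
"""Split auditd ENRICHED records at the interpretation separator (0x1d)."""
import re

SEP = "\x1d"  # AUDIT_INTERP_SEPARATOR, as named in the thread

# key="quoted value" or key=bare_value, as seen in the enriched part
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _parts(line):
    """Return (raw, interpreted, found); whitespace next to the separator is
    dropped so patched and unpatched output are treated the same."""
    raw, sep, interp = line.rstrip("\n").partition(SEP)
    return raw.rstrip(), interp.strip(), bool(sep)


def split_record(line):
    """Return (raw_text, enriched_fields). A RAW-format line has no separator
    and yields an empty dict."""
    raw, interp, found = _parts(line)
    fields = {}
    if found:
        for key, value in _FIELD.findall(interp):
            quoted = len(value) >= 2 and value[0] == value[-1] == '"'
            fields[key] = value[1:-1] if quoted else value
    return raw, fields


def readable(line):
    """Render a record with exactly one space where the separator was."""
    raw, interp, found = _parts(line)
    return raw + " " + interp.replace(SEP, " ") if found else raw


# Constructed sample records, modelled on the line quoted in the thread.
ENRICHED = ("type=USER_CMD msg=audit(1631669179.082:2403): pid=4242 uid=1000 "
            "auid=4294967295 msg='cwd=\"/home/enzo\" res=success'"
            "\x1d" 'UID="enzo" AUID="unset"\n')
PATCHED = ENRICHED.replace(SEP, " " + SEP)  # assumption: space before 0x1d
RAW = ENRICHED.split(SEP)[0] + "\n"         # same record in RAW format

if __name__ == "__main__":
    for sample in (ENRICHED, PATCHED, RAW):
        print(readable(sample))
        print("  enriched:", split_record(sample)[1])
```
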



