[PATCH] auditd: fix missing space with enriched log format

Steve Grubb sgrubb at redhat.com
Wed Sep 15 17:44:52 UTC 2021


On Wednesday, September 15, 2021 10:52:28 AM EDT Enzo Matsumiya wrote:
> On 09/14, Steve Grubb wrote:
> >On Tuesday, September 14, 2021 9:55:48 PM EDT Enzo Matsumiya wrote:
> >> When audit.log is opened with cat or less, for example, with log format
> >> = ENRICHED, there's no space between data and the enriched part, only
> >> AUDIT_INTERP_SEPARATOR (0x1d):
> >This is by design.
> 
> I understand that, and the patch doesn't break it.
> 
> >> type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo"
> >> AUID="unset" ^ (0x1d)
> >> 
> >> sep_done should be checked if it's 1 as well, so a space is added before
> >> the first enriched field.
> >
> >Why?
> 
> Some people still rely on opening audit.log with tools that are not aware
> of the log format.

There is another log format, RAW, which should be suitable for the old tools. 
Also, I don't understand what problems that causes. You haven't exactly 
explained what the problem is and why this is needed. The ENRICHED format has 
been documented for over 5 years. Plenty of time for tools to become aware.

> As far as I could test, the change is only cosmetic, as I expected. I did a
> basic test with ausearch and it was ok.
> 
> Please clarify if you expect anything else to be affected by this
> change.

Without more context, I am reluctant to change a documented standard that has 
existed for over 5 years.

https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment

-Steve
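The ENRICHED record layout discussed above, as an added example that is not part of the thread or of the audit project's own code: a small Python parser that splits one record at AUDIT_INTERP_SEPARATOR (0x1d) into its raw and enriched key=value fields, next to the plain whitespace split a separator-unaware tool performs. The sample record is constructed, modelled on the one quoted in the thread.

```python
import re

# Byte that separates the raw record from the enriched fields in
# log_format = ENRICHED (AUDIT_INTERP_SEPARATOR, 0x1d, per the enrichment spec).
AUDIT_INTERP_SEPARATOR = "\x1d"

# Constructed sample record, modelled on the one quoted in the thread.
SAMPLE_LINE = (
    "type=USER_CMD msg=audit(1631669179.082:2403): pid=4321 uid=1000 auid=4294967295 "
    "ses=3 msg='cwd=\"/home/enzo\" cmd=6C73 exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'"
    + AUDIT_INTERP_SEPARATOR + 'UID="enzo" AUID="unset"'
)

_HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$", re.S)
# key=value tokens: the value is double-quoted, single-quoted, or a bare word.
_FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def _fields(text):
    """Parse key=value pairs; a quoted msg='...' body is flattened into the result."""
    out = {}
    for key, val in _FIELD_RE.findall(text):
        if key == "msg" and val.startswith("'"):
            out.update(_fields(val[1:-1]))  # nested USER_* style message body
        else:
            out[key] = val.strip('"')
    return out


def parse_enriched(line):
    """Return (header, raw_fields, enriched_fields) for one ENRICHED-format record.

    A record without the 0x1d separator (RAW format) yields an empty enriched map.
    """
    raw_part, sep, enriched_part = line.rstrip("\n").partition(AUDIT_INTERP_SEPARATOR)
    m = _HEADER_RE.match(raw_part)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    header = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    enriched = _fields(enriched_part) if sep else {}
    return header, _fields(m.group(4)), enriched


def naive_tokens(line):
    """What a separator-unaware tool sees: the last raw field and the first
    enriched field run together, because 0x1d is not a space."""
    return line.split(" ")
```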