On Tue, May 09, 2006 at 11:55:34AM -0400, Steve Grubb wrote:
> I even updated the audit parsing specs to include all keywords:
> http://people.redhat.com/sgrubb/audit/audit-parse.txt
[...]
> Does ouid and ogid not fit? I'd like us to define what we need in the parser
> API and then use it in the audit messages. Ancillary words like new, old,
> last, first should not be tied with an underscore. If you find any, let me
> know.
The spec doesn't define what ancillary words are; the syntax it describes is that the audit record consists of key=value pairs. I think the options are the following:

- adapt the spec to define ancillary words such as "new".
- add the new_THING field names to the spec (and/or rename them to nTHING).
- use unmodified THING field names, and use the record type name to disambiguate them.

I dislike the ancillary words since it violates the key=value format (and the principle of least surprise), and it makes parsing more complex. Either of the other two options would be ok with me, but I agree with Steve that any new field names should be documented in the spec and not just added gratuitously.

(Back in November I had proposed hierarchically structured audit records, which would have supported structs with named fields directly, but that discussion died in favor of ad-hoc printfs...)

-Klaus

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
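To make the parsing point in the reply concrete, here is an added example (not code from the thread or from the audit project) that parses records in the flat key=value shape described above and shows why a bare ancillary word such as "new" breaks that grammar while a new_THING field name does not. The record type, field names and values in the sample records are constructed.

```python
import re
from typing import Dict

# Constructed sample records; names and values are illustrative only.
# First form: prefixed field names, still strictly key=value.
RECORD_PREFIXED = ('type=CHOWN_EXAMPLE msg=audit(1147190134.000:42): '
                   'ouid=500 ogid=500 new_ouid=0 new_ogid=0')
# Second form: the ancillary word "new" stands alone between pairs.
RECORD_ANCILLARY = ('type=CHOWN_EXAMPLE msg=audit(1147190134.000:42): '
                    'ouid=500 ogid=500 new ouid=0 ogid=0')

# One token: a key, '=', then either a quoted value or a run of non-blanks.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one record as a flat sequence of key=value pairs.

    Raises ValueError on a token that is not key=value (a bare ancillary
    word) and on a repeated key, since a flat dict cannot hold both the old
    and the new value of the same field name.
    """
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(line):
        if line[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(line, pos)
        if not m:
            bad = line[pos:].split(None, 1)[0]
            raise ValueError(f"token {bad!r} at offset {pos} is not key=value")
        key, value = m.group(1), m.group(2).strip('"')
        if key in fields:
            raise ValueError(f"duplicate key {key!r}: old and new values collide")
        fields[key] = value
        pos = m.end()
    return fields


def parse_problem(line: str) -> str:
    """Return the parser's complaint for a record, or '' if it parses cleanly."""
    try:
        parse_record(line)
    except ValueError as err:
        return str(err)
    return ''
```

Dropping the bare word before parsing does not rescue the second form either: the two ouid= pairs then collide, which is the extra complexity the reply objects to.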
