On Wed, May 10, 2006 at 10:02:31AM -0400, Steve Grubb wrote:
> On Tuesday 09 May 2006 16:46, Linda Knippers wrote:
> > > The original patches by Dustin and Linda had used "new_iuid=501" to
> > > differentiate the values, which I personally think was fine since it's
> > > unlikely that people want to be searching for those.
> >
> > And if they do, they're easy to find with an ausearch | grep.
>
> This is at the wrong level. There may be people that are writing programs that
> want any ouid. I want to stop the proliferation of field names and follow a
> convention. Forget whether or not you think people will ever want the
> information. We need a convention and then to follow it.

Yes - but "new ouid" is also a different field name from "ouid", and
unnecessarily hard to parse, especially since there's currently no well
defined concept of name modifiers like "new".

> > > If you absolutely want to avoid adding new tag names, an alternative
> > > would be to get rid of the "new " modifiers, and use the "type=" name to
> > > differentiate them.
>
> I don't want a proliferation of type names either. I think we have a lot of
> them and should try to use existing ones where possible.

A list of existing record types would be useful. In this case, it's a
legitimate difference between "current object attributes" and "requested
new object attributes" sub-records that need to be distinct for the
syscall event, so using different types sounds appropriate.

-Klaus
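The three naming options discussed in this thread, seen from a simple name=value consumer, as an added example that is not part of the original message or of the audit code. The sample records are constructed, the type names OBJ_CUR and OBJ_NEW are hypothetical, and "new_ouid" is modelled on the "new_iuid" form quoted above.

```python
# Constructed sample records, not real kernel output. The record type
# names OBJ_CUR and OBJ_NEW are hypothetical placeholders.
MODIFIER = "type=OBJ ouid=500 ogid=500 new ouid=501 new ogid=501"
DISTINCT = "type=OBJ ouid=500 ogid=500 new_ouid=501 new_ogid=501"
BY_TYPE = ["type=OBJ_CUR ouid=500 ogid=500",
           "type=OBJ_NEW ouid=501 ogid=501"]


def parse_fields(record):
    """Whitespace-split a record and keep its name=value tokens in order."""
    fields = []
    for token in record.split():
        name, sep, value = token.partition("=")
        if sep:  # a bare word such as "new" carries no '=' and is dropped
            fields.append((name, value))
    return fields


def values(record, name):
    """Every value a simple name=value consumer sees for one field name."""
    return [v for n, v in parse_fields(record) if n == name]


def values_by_type(records, rtype, name):
    """Values of a field, restricted to records of one type."""
    out = []
    for record in records:
        if dict(parse_fields(record)).get("type") == rtype:
            out.extend(values(record, name))
    return out


def report():
    return {
        # "new" is lost, so current and requested owner look the same
        "modifier": values(MODIFIER, "ouid"),
        # unambiguous, but consumers must know a second field name
        "distinct": (values(DISTINCT, "ouid"), values(DISTINCT, "new_ouid")),
        # one field name, with the record type carrying the distinction
        "by_type": (values_by_type(BY_TYPE, "OBJ_CUR", "ouid"),
                    values_by_type(BY_TYPE, "OBJ_NEW", "ouid")),
    }


if __name__ == "__main__":
    for style, seen in report().items():
        print(style, seen)
```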
