On Wed, May 10, 2006 at 12:02:12PM -0500, Dustin Kirkland wrote: > What about a new field in the audit records that is a bitmask, wherein > bits are flipped on for each field being a "new" or "updated" field? > > Example: > > type=IPC_SET_PERM msg=audit(1146863632.117:98): new_qbytes=0 new_iuid=501 > new_igid=0 new_mode=0 > > becomes: > > type=IPC_SET_PERM msg=audit(1146863632.117:98) new=1111: qbytes=0 iuid=501 > igid=0 mode=0
I'm not sure that's really necessary, the type=IPC_SET_PERM already tells you that these are new values. How about simply the following: type=IPC_SET_PERM msg=audit(1146863632.117:98): qbytes=0 iuid=501 igid=0 mode=0 -Klaus -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
