Hello,
John Dennis wrote:
The current formatting of the record timestamp
(e.g. audit(ssss.mmm:iii)) is inconsistent with
all other name/value pairs. It should be seconds="sss"
milliseconds="mmm" serial="iii"; this allows parsing to be regular and
consistent.
Isn't this unnecessarily verbose?  Just
   time="sss.mmm" serial="iii"
would be smaller, easier to read - and it would allow using better time precision in the future.

It's a judgment call over when and how to introduce change
and the anticipated impact.
If this change is implemented, we should use the opportunity to clean up other inconsistencies in audit messages - e.g. different messages use "success", "res" and "result" fields to record whether the audited operation was successful.

Also note that similar changes are necessary in user-space, e.g.
type=USER_ERR ...: ... msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)'
contains name-value pairs within a value, using both pairs of quotes.
        Mirek

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
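As an added example (not code from the original thread or from the audit project), the following Python parser shows what the inconsistencies discussed above cost a consumer: the audit(ssss.mmm:iii) header needs a special-case pattern before the regular name=value loop can run, the single-quoted msg='...' value of user-space records has to be parsed recursively because it carries its own double-quoted pairs, and success=, res= and result= have to be folded into one outcome. It also accepts a hypothetical regular form, type=... time="sss.mmm" serial="iii" ..., in which the timestamp is just two more pairs. That form, the sample log lines and the yes/no and success/failed value vocabulary are assumptions made for the example.

```python
import re
from typing import Any, Dict, List, Optional

# Kernel-side header as emitted today:
#   type=<TYPE> msg=audit(<seconds>.<milliseconds>:<serial>): <body>
# The timestamp is the one token that is not a plain name=value pair, so it
# gets its own pattern.
HEADER_RE = re.compile(r"^type=(\S+)\s+msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")

# One name=value token. A value is double-quoted, single-quoted or bare; a bare
# value stops at whitespace, a comma or a closing parenthesis so that the
# user-space "(hostname=?, addr=?, terminal=? res=failed)" layout splits cleanly.
PAIR_RE = re.compile(r"""([A-Za-z_][\w-]*)=(?:"([^"]*)"|'([^']*)'|([^\s,)]+))""")

# The three spellings of "did it succeed" named in the thread, with the value
# vocabulary assumed here: yes/no for SYSCALL success=, success/failed for res=.
OUTCOME_FIELDS = ("success", "res", "result")
OUTCOME_VALUES = {"yes": True, "success": True, "no": False, "failed": False}


def parse_pairs(text: str) -> Dict[str, Any]:
    """Split a record body into name/value pairs.

    A single-quoted value (the user-space msg='...' convention) is itself a
    list of pairs using double quotes, so it is parsed recursively into a
    nested dict. Free text that is not a pair ("PAM: bad_ident") is skipped.
    """
    pairs: Dict[str, Any] = {}
    for m in PAIR_RE.finditer(text):
        key, dq, sq, bare = m.groups()
        if sq is not None:
            pairs[key] = parse_pairs(sq)
        elif dq is not None:
            pairs[key] = dq
        else:
            pairs[key] = bare
    return pairs


def outcome(fields: Dict[str, Any]) -> Optional[bool]:
    """Normalise success=/res=/result= to one boolean, looking at the top level
    first and then inside a nested msg='...' block. None if none is present."""
    for scope in (fields, fields.get("msg")):
        if not isinstance(scope, dict):
            continue
        for name in OUTCOME_FIELDS:
            value = scope.get(name)
            if isinstance(value, str) and value.lower() in OUTCOME_VALUES:
                return OUTCOME_VALUES[value.lower()]
    return None


def parse_record(line: str) -> Optional[Dict[str, Any]]:
    """Parse one line into a record whose timestamp is three regular fields.

    Accepts the current audit(ssss.mmm:iii) header and, to show the point of
    the proposal, a hypothetical regular form where the timestamp is just two
    more pairs: type=... time="sss.mmm" serial="iii" ...
    """
    m = HEADER_RE.match(line)
    if m:
        rec_type, secs, msecs, serial, body = m.groups()
        fields = parse_pairs(body)
    else:
        fields = parse_pairs(line)
        if not all(k in fields for k in ("type", "time", "serial")):
            return None
        rec_type = fields.pop("type")
        secs, _, frac = fields.pop("time").partition(".")
        # Keep the first three fractional digits as milliseconds whatever
        # precision the sender used.
        msecs = frac.ljust(3, "0")[:3]
        serial = fields.pop("serial")
    return {
        "type": rec_type,
        "seconds": int(secs),
        "milliseconds": int(msecs),
        "serial": int(serial),
        "fields": fields,
        "outcome": outcome(fields),
    }


def parse_log(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse every line, dropping those that are not audit records."""
    return [r for r in (parse_record(line) for line in lines) if r is not None]


# Constructed sample lines (not captured from a real system). The USER_ERR line
# reproduces the shape quoted in the thread with an invented header; the last
# line is the hypothetical regular form.
SAMPLE_LINES = [
    "type=SYSCALL msg=audit(1170200000.231:42): arch=c000003e syscall=2 success=no "
    "exit=-13 a0=7fff5a2c a1=0 items=1 ppid=1 pid=1234 auid=4294967295 uid=1000 "
    'comm="cat" exe="/bin/cat" key="shadow-read"',
    "type=USER_ERR msg=audit(1170200000.231:43): user pid=1337 uid=0 auid=4294967295 "
    "ses=1 msg='PAM: bad_ident acct=? : exe=\"/usr/sbin/gdm-binary\" "
    "(hostname=?, addr=?, terminal=? res=failed)'",
    "type=USER_ACCT msg=audit(1170200001.005:44): user pid=1338 uid=0 auid=1000 "
    "msg='op=PAM:accounting acct=\"mirek\" exe=\"/usr/bin/sudo\" hostname=? addr=? "
    "terminal=pts/0 res=success'",
    'type=USER_LOGIN time="1170200002.250" serial="45" pid=1 uid=0 '
    "msg='op=login acct=\"root\" exe=\"/bin/login\" hostname=? addr=? terminal=tty1 "
    "res=success'",
    "this line is not an audit record",
]

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LINES):
        print(rec["type"], rec["seconds"], rec["milliseconds"], rec["serial"], rec["outcome"])
```

Note that the regular-form branch has no format-specific regex at all: once the timestamp is ordinary pairs, the only remaining special case is the nested msg='...' block, which is the user-space issue Mirek points to.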