On Tuesday 12 August 2008 17:40:00 John Dennis wrote:
> Bad example, proc works because it's (mostly) well defined.

What does the 25th field in /proc/1/stat mean? You can't tell without looking at the kernel source code.

> > The point is that all of /proc is written without implicit parsing rules.
> > That's the way it is when dealing with kernel and its user space
> > utilities. There is no field in the kernel that is unhandled by the audit
> > system and without knowing specifically what's in it.
>
> I'm sorry Steve, but this simply doesn't work. How the heck am I
> supposed to correctly parse an audit log file from 5 years ago if either
> I don't know the kernel version that produced it

ausearch --start today -m DAEMON_START
----
time->Tue Aug 12 08:03:52 2008
node=127.0.0.1 type=DAEMON_START msg=audit(1218542632.238:4562): auditd start, ver=1.7.4 format=raw kernel=2.6.26-0.17.rc3.sg3.fc9.x86_64 auid=4294967295 pid=2139 res=success

> or have available the matching user space tools from that era? This is going
> to be an absolute nightmare for IPA and other compliance tools.

With backwards compatibility you don't have to worry about having tools of that era.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
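The point Steve makes with the ausearch output is that the audit log describes its own producer: the DAEMON_START record carries `ver=` (auditd version) and `kernel=` fields, so a parser reading an old log can recover which kernel and user space wrote it without out-of-band knowledge. The following added example, not code from the thread or from the audit project, parses ausearch's text output (`----` event separators, `time->` header lines, raw `key=value` records) and pulls the producer identity out of the DAEMON_START record. The sample input is the record quoted in the thread, embedded as a constructed string; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the single DAEMON_START event quoted above,
# in the layout ausearch prints it (separator, time-> header, raw record).
SAMPLE = """\
----
time->Tue Aug 12 08:03:52 2008
node=127.0.0.1 type=DAEMON_START msg=audit(1218542632.238:4562): auditd start, ver=1.7.4 format=raw kernel=2.6.26-0.17.rc3.sg3.fc9.x86_64 auid=4294967295 pid=2139 res=success
"""

# msg=audit(<epoch.millis>:<serial>) is the one field with internal structure.
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# Everything else is key=value; values may be double-quoted (e.g. exe="/bin/ls").
KV_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_-]*)=(?P<val>"[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw audit record into a dict of its key=value fields.

    The epoch timestamp and serial from msg=audit(...) are stored under
    the reserved keys _timestamp and _serial so they never collide with
    a real field name.
    """
    rec: Dict[str, str] = {}
    m = MSG_RE.search(line)
    if m:
        rec["_timestamp"] = m.group("ts")
        rec["_serial"] = m.group("serial")
    for kv in KV_RE.finditer(line):
        key, val = kv.group("key"), kv.group("val")
        if key == "msg":
            continue  # handled structurally above
        # Free-text fragments such as "auditd start," never match KV_RE, but a
        # value directly followed by a comma would, so trim that trailing comma.
        rec[key] = val.strip('"').rstrip(",")
    return rec


def parse_ausearch(text: str) -> List[Dict[str, str]]:
    """Walk ausearch's text output and return one dict per raw record.

    '----' separates events, 'time->' carries the human-readable timestamp
    that applies to the records that follow it, and every other non-empty
    line is a raw audit record.
    """
    records: List[Dict[str, str]] = []
    current_time: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "----":
            current_time = None
            continue
        if line.startswith("time->"):
            current_time = line[len("time->"):]
            continue
        rec = parse_record(line)
        if current_time:
            rec["_time"] = current_time
        records.append(rec)
    return records


def producer_of(records: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the kernel and auditd version that wrote this log, taken from
    its DAEMON_START record, or None if the log has no such record."""
    for rec in records:
        if rec.get("type") == "DAEMON_START":
            return {"kernel": rec.get("kernel", ""), "auditd": rec.get("ver", "")}
    return None


if __name__ == "__main__":
    recs = parse_ausearch(SAMPLE)
    print(producer_of(recs))
```

Because a DAEMON_START record is written every time auditd starts, a log archive normally contains one near the beginning of each file; checking `producer_of()` before applying any version-specific field interpretation is the cheap way to avoid the guessing problem raised in the thread.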
