On 08/02/2012 05:12 PM, Miloslav Trmac wrote:
> I'm not 100% sure what you mean, but is perhaps auparse_interpret_field what you are looking for? It returns an "interpreted" (as opposed to "raw") version of the field, e.g. a name instead of a UID.
Yes, that's the correct function to call. However, it should be done by a plugin which iterates over all the items and adds an interpreted result to the raw result. For long-term detached audit purposes you need both the raw and interpreted value. The plugin then emits the augmented data containing both the raw and interpreted values.
-- John Dennis <[email protected]>
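The augmentation step described in the reply above, as an added example that is not code from this thread or from the audit project: every field of a record is kept raw and paired with an interpreted value. Here `interpret()` is a simplified stand-in for `auparse_interpret_field`, and the sample record, the uid table and all function names are constructed for illustration.

```python
import json

UID_FIELDS = {"uid", "auid", "euid", "suid", "fsuid"}
STRING_FIELDS = {"comm", "exe", "cwd", "name"}  # quoted, or hex-encoded if untrusted
UNSET_ID = "4294967295"  # (uid_t)-1: no login uid was ever set

# Constructed sample record (not taken from a real system).
SAMPLE = ('type=SYSCALL msg=audit(1343941920.123:456): arch=c000003e syscall=2 '
          'success=yes exit=3 uid=1000 auid=4294967295 '
          'comm=6D7920736372697074 exe="/usr/bin/bash"')

def interpret(name, raw, uid_names):
    """Simplified stand-in for auparse_interpret_field() (assumption)."""
    if name in UID_FIELDS:
        if raw == UNSET_ID:
            return "unset"
        # uid_names plays the role of the passwd lookup on the collecting host
        return uid_names.get(raw, "unknown(%s)" % raw)
    if name in STRING_FIELDS:
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            return raw[1:-1]
        try:
            return bytes.fromhex(raw).decode("utf-8", "replace")
        except ValueError:
            return raw  # e.g. "(null)": leave untouched
    return raw  # no interpretation known: interpreted == raw

def augment(record, uid_names):
    """Iterate over every field and keep the raw and interpreted value together."""
    fields = []
    for token in record.split():
        name, sep, raw = token.partition("=")
        if sep:
            fields.append({"name": name, "raw": raw,
                           "interp": interpret(name, raw, uid_names)})
    return fields

def emit(record, uid_names):
    """Serialise the augmented record as one JSON line for detached storage."""
    return json.dumps(augment(record, uid_names))

if __name__ == "__main__":
    print(emit(SAMPLE, {"1000": "alice"}))
```

Interpreting at collection time matters because the uid-to-name mapping belongs to the originating host at that moment; re-interpreting the raw `uid=1000` later, or on another machine, can yield a different name.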
