On Thursday, March 14, 2013 10:10:42 PM Burn Alting wrote: > OK. So, in essence, the example I provided is a just poorly formatted > event from PAM. Or rather, one that can't be parsed by the auparse > library without loss of data.
I think that is a fair assessment. Sometimes changes get made to the events without understanding how they affect people that really need correct audit events. For example, shadow-utils upstream made changes and without any coordination. Now there are about 200 places that need patching to fix all the audit problems. -Steve > On Thu, 2013-03-14 at 06:54 -0400, Steve Grubb wrote: > > On Thursday, March 14, 2013 09:21:30 PM Burn Alting wrote: > > > As you can see, we have lost the 'password' element of the > > > > > > "op=change password" > > > > > > key value pair in the original event. > > > > > > Is this a feature or bug??? > > > > Its a feature. The only thing guaranteed by the audit system is that > > name=value pairs are supported. Additional text may be there to add > > context > > for people reading the event. But for machine parsing only name=value is > > returned. So, if the additional text is needed, then either '-' or '_' can > > be added between words (as many other events do). > > > > -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
