On Thu, Aug 18, 2016 at 1:56 AM, Richard Guy Briggs <[email protected]> wrote: > On 2016-08-17 16:58, Paul Moore wrote: >> However, as far as I can see, the biggest problem with this patch is >> that it adds a field in the middle of a record which will likely cause >> the audit userspace tools to explode (or so I've been warned in the >> past). Steve, what say you about the userspace? > > Adding fields in the middle isn't necessarily a problem if it doesn't > confuse the existing scanner, which can skip over fields about which it > does not care. I've carefully added fields in the middle in the past, > trying my best to group it logically with the rest of the information as > has been requested, I think: subject, action, object, result.
I've ranted about this before so I won't do it again here, but ultimately the problem is that the guidance for userspace applications/libraries has been that you can expect certain fields in specific locations. -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
