On 7/16/19 11:14 AM, Steve Grubb wrote: > Quoting has a specific meaning in audit fields. So, we really shouldn't do > that. We can simply pick another field delimiter. I really don't care which > it > is as long as its illegal for use in a label. For example, we use > > #define AUDIT_KEY_SEPARATOR 0x01 > > to separate key fields. We can pick almost anything. (exclamation mark, semi- > colon, hash, plus symbol, tilde, 0x02, whatever) But it will need to be > documented and put into the API so that everyone is aware of the convention. > > -Steve
Also should it not be the "#define AUDIT_INTERP_SEPARATOR 0x1D" for enriched format records? LCB -- Lenny Bruzenak MagitekLTD -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
