On Tuesday, July 16, 2019 12:33:30 PM EDT Lenny Bruzenak wrote: > On 7/16/19 11:14 AM, Steve Grubb wrote: > > Quoting has a specific meaning in audit fields. So, we really shouldn't > > do > > that. We can simply pick another field delimiter. I really don't care > > which it is as long as its illegal for use in a label. For example, we > > use > > > > #define AUDIT_KEY_SEPARATOR 0x01 > > > > to separate key fields. We can pick almost anything. (exclamation mark, > > semi- colon, hash, plus symbol, tilde, 0x02, whatever) But it will need > > to be documented and put into the API so that everyone is aware of the > > convention. > > > > -Steve > > Also should it not be the "#define AUDIT_INTERP_SEPARATOR 0x1D" for > enriched format records?
True. That one is disqualified, too. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
