On Wednesday, September 15, 2021 10:52:28 AM EDT Enzo Matsumiya wrote:
> On 09/14, Steve Grubb wrote:
> >On Tuesday, September 14, 2021 9:55:48 PM EDT Enzo Matsumiya wrote:
> >> When audit.log is opened with cat or less, for example, with log format
> >> = ENRICHED, there's no space between data and the enriched part, only
> >
> >> AUDIT_INTERP_SEPARATOR (0x1d):
> >This is by design.
>
> I understand that, and the patch doesn't break it.
>
> >> type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo"
> >> AUID="unset" ^ (0x1d)
> >>
> >> sep_done should be checked if it's 1 as well, so a space is added before
> >> the first enriched field.
> >
> >Why?
>
> Some people still rely on opening audit.log with tools that are not aware
> of the log format.

There is another log format, RAW, which should be suitable for the old tools.
Also, I don't understand what problems that causes. You haven't exactly
explained what the problem is and why this is needed. The ENRICHED format
has been documented for over 5 years. Plenty of time for tools to become
aware.

> As far as I could test, the change is only cosmetic, as I expected. I did a
> basic test with ausearch and it was ok.
>
> Please clarify if you expect anything else to be affected by this
> change.

Without more context, I am reluctant to change a documented standard that
has existed for over 5 years.

https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment

-Steve

--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
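The thread turns on how the ENRICHED format marks the boundary between the raw record and the enriched fields: a single 0x1d byte (AUDIT_INTERP_SEPARATOR), with no space, so a tool that splits on literal spaces sees `res=success'UID="enzo"` as one token while a format-aware parser splits on the separator first. The following parser is an added example written for this page; it is not code from the audit project or from either participant. The sample record is constructed to mirror the one quoted above (the pid, uid and nested msg payload are made up), and the `parse_record`, `split_enriched`, `parse_kv` and `naive_tokens` names are the example's own.

```python
"""Parse Linux audit records written in the ENRICHED log format.

Added example for this page, not audit project code.  The record in
SAMPLE is constructed: it follows the quoted USER_CMD record but the
pid, uid, session and nested msg fields are invented.
"""
import re
from typing import Dict, List, Optional, Tuple

# The enriched part of a record is appended after this byte, with no
# space, as documented in SPEC-Audit-Event-Enrichment.
AUDIT_INTERP_SEPARATOR = "\x1d"

# Constructed sample record, one line, no trailing newline.
SAMPLE = (
    "type=USER_CMD msg=audit(1631669179.082:2403): pid=4242 uid=1000 "
    "auid=4294967295 ses=4294967295 msg='cwd=\"/home/enzo\" cmd=\"ls\" "
    "exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'"
    "\x1dUID=\"enzo\" AUID=\"unset\""
)

# type=... msg=audit(<seconds>.<millis>:<serial>): <body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"(?P<body>.*)$"
)
# key=value where value is "..." , '...' or a bare token.  Trying the
# quoted forms first keeps a quoted value with spaces in one piece.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def split_enriched(line: str) -> Tuple[str, Optional[str]]:
    """Split a record at 0x1d.  RAW records have no separator, so the
    enriched half is None rather than an empty string."""
    raw, sep, enriched = line.rstrip("\n").partition(AUDIT_INTERP_SEPARATOR)
    return raw, (enriched if sep else None)


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'k=v k2="v 2"' into a dict, stripping matching quotes."""
    out: Dict[str, str] = {}
    for key, val in KV_RE.findall(text):
        if len(val) >= 2 and val[0] in "\"'" and val[-1] == val[0]:
            val = val[1:-1]
        out[key] = val
    return out


def parse_record(line: str) -> Dict[str, object]:
    """Parse one audit.log line (RAW or ENRICHED) into a structure."""
    raw, enriched = split_enriched(line)
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an audit record: %r" % raw[:60])
    fields = parse_kv(m.group("body"))
    # USER_* records carry a nested msg='...' payload with its own
    # key=value pairs (cwd, cmd, res, ...); flatten it into the fields.
    if "msg" in fields:
        fields.update(parse_kv(fields.pop("msg")))
    return {
        "type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
        "enriched": parse_kv(enriched) if enriched else {},
    }


def naive_tokens(line: str) -> List[str]:
    """What a tool that splits on literal spaces sees: the last raw
    field and the first enriched field arrive glued together."""
    return line.split(" ")


if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print(rec["type"], rec["serial"], rec["fields"]["res"], rec["enriched"])
    print(repr(naive_tokens(SAMPLE)[-2]))
```

Note that `str.split()` with no argument treats 0x1d as whitespace in Python, so the glued token only shows up with an explicit single-space delimiter, which is what `cut -d' '` and similar line tools use; that is the situation the original poster describes, and splitting on the separator before anything else is the format-aware fix.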
