[redhat-lspp] Initial CUPS auditing patch
Steve Grubb
sgrubb at redhat.com
Mon Aug 22 18:01:42 UTC 2005
On Monday 22 August 2005 13:39, Matt Anderson wrote:
> How about something like:
>
> CUPS Config: ClassifyOverride is enabled, users can override print banners
>
> CUPS Config: ClassifyOverride is disabled, users cannot override print
> banners
Admittedly, I haven't reviewed this patch to see all the audit messages. But,
I'd like to keep the text as short as possible. We basically need the
operation, who did it, to what, and the outcome. I also need it to be easy to
parse so that you can run ausearch against it and find the unsuccessful
attempts.
A good example of what I mean is the shadow-utils code. I created a generic
logging function that you filled in the necessary parts and it formated the
message so that it could be easily parsed. I will probably extend this
generic logger function to libaudit so there is a standard format. This will
make life easier if we move to a binary format, too.
We can revisit the audit parts of this patch as we get new audit code in
place. Please don't get too hung up on exact wording at this minute - it will
likely need to change for some reason.
-Steve
More information about the Linux-audit
mailing list