[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Changes to Audit record format



> 
> Another example to make this more concrete, suppose someone did ausearch 
-p 
> 200. We have this record with the proposed changes:
> 
> type=DAEMON_START msg=audit(1139253971.701:7092) auditd start, 
ver=1.0.14, 
> format=raw, auid=4294967295 res=success, auditd_pid=200
> 
> The field auditd_pid=200 is clearly a pid. Should this record be a 
match? 
> 
> Using the library specs proposed, a programmer would possibly call 
> 
> ausearch_set_param(au, "pid", "=", "520", AUSEARCH_STOP_EVENT);
> 
> Should they have to specify audit_pid or pid? Should they have to 
> know all the 
> variations on pid?

Why do we need more than just "pid=200"?  You already know that it was 
auditd by the "auditd start" in the log.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]