Changes to Audit record format
Debora Velarde
dvelarde at us.ibm.com
Thu Mar 16 19:59:17 UTC 2006
>
> Another example to make this more concrete, suppose someone did ausearch -p
> 200. We have this record with the proposed changes:
>
> type=DAEMON_START msg=audit(1139253971.701:7092) auditd start, ver=1.0.14,
> format=raw, auid=4294967295 res=success, auditd_pid=200
>
> The field auditd_pid=200 is clearly a pid. Should this record be a match?
>
> Using the library specs proposed, a programmer would possibly call
>
> ausearch_set_param(au, "pid", "=", "520", AUSEARCH_STOP_EVENT);
>
> Should they have to specify audit_pid or pid? Should they have to know all the
> variations on pid?
Why do we need more than just "pid=200"? You already know that it was
auditd by the "auditd start" in the log.
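The field-name question raised in the thread, worked through as an added Python example that is not part of this thread nor of the audit library's own ausearch code: it parses the quoted DAEMON_START record plus a constructed SYSCALL record and shows how a search parameter on "pid" behaves with exact-name matching versus a "pid or any *_pid" alias rule. The `pid_like` rule, the `match_field` helper and the SYSCALL record are assumptions made for this illustration.

```python
# Record quoted in the thread (proposed DAEMON_START format).
DAEMON_RECORD = ("type=DAEMON_START msg=audit(1139253971.701:7092) auditd start, "
                 "ver=1.0.14, format=raw, auid=4294967295 res=success, auditd_pid=200")
# Constructed sample (not from the thread) with both a pid and a ppid field.
SYSCALL_RECORD = ("type=SYSCALL msg=audit(1139253980.000:7093): arch=c000003e "
                  "syscall=59 success=yes exit=0 ppid=1 pid=200 auid=500 uid=0")


def parse_record(line):
    """Collect key=value tokens from one audit record into a dict.
    Free text such as 'auditd start,' has no '=' and is skipped; a trailing
    comma (the DAEMON_START separator) is stripped from values."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            continue
        key, value = token.rstrip(",").split("=", 1)
        fields[key] = value
    return fields


def pid_like(name):
    """Assumed alias rule: 'pid' itself or any field ending in '_pid'.
    Note that 'ppid' deliberately does not qualify."""
    return name == "pid" or name.endswith("_pid")


def match_field(fields, name, op, value, aliases=False):
    """Emulate a search parameter such as ("pid", "=", "200").
    aliases=False consults only the literal field name, so the DAEMON_START
    record (which only has auditd_pid) never matches a search on "pid".
    aliases=True widens a search on "pid" to every pid_like field."""
    if aliases and name == "pid":
        candidates = [k for k in fields if pid_like(k)]
    else:
        candidates = [name] if name in fields else []
    compare = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}[op]
    return any(compare(fields[k], value) for k in candidates)


if __name__ == "__main__":
    for rec in (DAEMON_RECORD, SYSCALL_RECORD):
        f = parse_record(rec)
        print(f["type"], "exact pid=200:", match_field(f, "pid", "=", "200"),
              "alias pid=200:", match_field(f, "pid", "=", "200", aliases=True))
```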