[PATCH] IPC_SET_PERM cleanup
Klaus Weidner
klaus at atsec.com
Tue May 9 16:33:38 UTC 2006
On Tue, May 09, 2006 at 11:55:34AM -0400, Steve Grubb wrote:
> I even updated the audit parsing specs to include all keywords:
> http://people.redhat.com/sgrubb/audit/audit-parse.txt
[...]
> Does ouid and ogid not fit? I'd like us to define what we need in the parser
> API and then use it in the audit messages. Ancillary words like new, old,
> last, first should not be tied with an underscore. If you find any, let me
> know.

The spec doesn't define what ancillary words are; the syntax it describes
is that the audit record consists of key=value pairs.

I think the options are the following:

- adapt the spec to define ancillary words such as "new".

- add the new_THING field names to the spec (and/or rename them to
  nTHING).

- use unmodified THING field names, and use the record type name to
  disambiguate them.

I dislike the ancillary words since it violates the key=value format (and
the principle of least surprise), and it makes parsing more complex.

Either of the other two options would be ok with me, but I agree with
Steve that any new field names should be documented in the spec and not
just added gratuitously.

(Back in November I had proposed hierarchically structured audit records,
which would have supported structs with named fields directly, but that
discussion died in favor of ad-hoc printfs...)

-Klaus
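
Added illustration, not part of the original message or of the audit code: a Python sketch of why ancillary words complicate parsing, contrasting a plain key=value tokenizer with one that has to know the ancillary vocabulary. The record lines and the field names uid, gid and mode are constructed samples, and quoting of values is ignored.

```python
# Constructed sample records; field names are illustrative, not kernel output.
ANCILLARY = "type=IPC_SET_PERM new uid=500 new gid=500 new mode=0644"
PREFIXED = "type=IPC_SET_PERM new_uid=500 new_gid=500 new_mode=0644"
MIXED = "type=IPC_SET_PERM uid=0 new uid=500"  # old and new value in one record


def parse_strict(record):
    """Split a record into key=value pairs, as the spec's syntax describes.

    Returns (fields, stray); stray collects tokens that are not key=value.
    """
    fields, stray = {}, []
    for token in record.split():
        key, sep, value = token.partition("=")
        if sep and key:
            fields[key] = value  # a repeated key silently overwrites
        else:
            stray.append(token)
    return fields, stray


def parse_with_ancillary(record, ancillary=("new", "old", "last", "first")):
    """Parser that knows the ancillary vocabulary and keeps state across tokens."""
    fields, pending = {}, None
    for token in record.split():
        key, sep, value = token.partition("=")
        if not sep:
            if token not in ancillary:
                raise ValueError(f"unexpected bare word: {token!r}")
            pending = token  # qualifies the next key=value pair
            continue
        fields[f"{pending}_{key}" if pending else key] = value
        pending = None
    return fields


if __name__ == "__main__":
    print(parse_strict(PREFIXED))       # every token is a pair, nothing stray
    print(parse_strict(ANCILLARY))      # "new" tokens fall out as stray words
    print(parse_strict(MIXED))          # uid=0 is overwritten by uid=500
    print(parse_with_ancillary(MIXED))  # needs the word list to keep both
```

With the prefixed names the strict tokenizer needs no word list and no state; with ancillary words it either drops the qualifier or, in the mixed record, loses the earlier value.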