[PATCH] IPC_SET_PERM cleanup
Steve Grubb
sgrubb at redhat.com
Wed May 10 18:20:09 UTC 2006
On Wednesday 10 May 2006 14:05, Linda Knippers wrote:
> We have existing code we're supporting that doesn't use your parser and
> we're not planning to re-write our code.
You'll have to make some mods to it, things have changed in various places.
> I don't know how many other people are in the same position. I also think
> its helpful if the output of ausearch is easily grepable.
It will be. Nothing has changed here.
> I think what these examples show is that there is no consistency.
It shows that modifiers are not being added to every keyword.
> > "audit_rate_limit=%d old=%d by auid=%u"
> > "audit_backlog_limit=%d old=%d by auid=%u"
>
> What does "by" signify as a modifier?
Its not a modifier, its there for human readability.
> >>especially since there's currently no well defined concept of name
> >> modifiers like "new"
> >
> > Its used in many places, but you are more likely to run across old. The
> > function in the specs that was intended to do this was:
> >
> > const char *auparse_get_field_name_aux(auparse_state_t *au) - return
> > supplemental information about the field's name.
>
> If I used the APIs then I have to look at the aux information for a
> bunch of records I don't want because I can't directly search for the
> ones I do?
Or use reg expr matching.
-Steve
More information about the Linux-audit
mailing list