get_field_str() and interpret_field() bug with multi-word fields
Steve Grubb
sgrubb at redhat.com
Tue Aug 12 21:53:09 UTC 2008
On Tuesday 12 August 2008 17:40:00 John Dennis wrote:
> Bad example, proc works because it's (mostly) well defined.
What does the 25th field in /proc/1/stat mean? You can't tell without looking
at the kernel source code.
> > The point is that all of /proc is written without implicit parsing rules.
> > That's the way it is when dealing with kernel and its user space
> > utilities. There is no field in the kernel that is unhandled by the audit
> > system and without knowing specifically what's in it.
>
> I'm sorry Steve, but this simply doesn't work. How the heck am I
> supposed to correctly parse an audit log file from 5 years ago if either
> I don't know the kernel version that produced it
ausearch --start today -m DAEMON_START
----
time->Tue Aug 12 08:03:52 2008
node=127.0.0.1 type=DAEMON_START msg=audit(1218542632.238:4562): auditd start,
ver=1.7.4 format=raw kernel=2.6.26-0.17.rc3.sg3.fc9.x86_64 auid=4294967295
pid=2139 res=success
> or have available the matching user space tools from that era? This is going
> to be an absolute nightmare for IPA and other compliance tools.
With backwards compatibility you don't have to worry about having tools of
that era.
-Steve
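As an added illustration (not code from the audit userspace, whose get_field_str() and interpret_field() are not shown here), a small Python parser for the raw record format in the ausearch output above. It shows why multi-word content is awkward: after the `msg=audit(time:serial):` header a DAEMON_START record carries free text (`auditd start,`) before the first key=value pair, and quoted values may contain spaces, so a naive split on whitespace and `=` misreads both. The `_text`, `_time` and `_serial` keys are this example's own naming; the treatment of auid=4294967295 as "unset" follows the kernel's (uid_t)-1 convention.

```python
import re
from typing import Dict, Optional

# Record from the ausearch output above, re-joined onto one raw line
# (constructed from the page's text).
DAEMON_START_RECORD = (
    'node=127.0.0.1 type=DAEMON_START msg=audit(1218542632.238:4562): '
    'auditd start, ver=1.7.4 format=raw '
    'kernel=2.6.26-0.17.rc3.sg3.fc9.x86_64 auid=4294967295 pid=2139 res=success'
)

AUDIT_HEADER = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\):\s*')
# key=value where value is a double-quoted string (may contain spaces)
# or a run of non-space characters.
FIELD = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|\S+)')

UNSET_UID = 4294967295  # (uid_t)-1: printed when no login uid was ever set


def _unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value.startswith('"') else value


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw audit record into a dict of fields.

    Fields before the header are plain key=value. After the header, any free
    text preceding the first key=value pair is kept under '_text' instead of
    being dropped or mistaken for a field.
    """
    m = AUDIT_HEADER.search(line)
    if m is None:
        raise ValueError("not an audit record: missing msg=audit(...)")
    fields: Dict[str, str] = {k: _unquote(v) for k, v in FIELD.findall(line[:m.start()])}
    fields['_time'] = f"{m.group(1)}.{m.group(2)}"
    fields['_serial'] = m.group(3)
    body = line[m.end():]
    first = FIELD.search(body)
    text = body[:first.start()] if first else body
    fields['_text'] = text.strip().rstrip(',')
    for k, v in FIELD.findall(body):
        fields[k] = _unquote(v)
    return fields


def interpret_auid(fields: Dict[str, str]) -> Optional[int]:
    """Interpret the auid field: None when the kernel reports it as unset."""
    auid = int(fields.get('auid', str(UNSET_UID)))
    return None if auid == UNSET_UID else auid
```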