Auparse feature or bug

Steve Grubb sgrubb at redhat.com
Thu Mar 14 12:55:21 UTC 2013


On Thursday, March 14, 2013 10:10:42 PM Burn Alting wrote:
> OK. So, in essence, the example I provided is just a poorly formatted
> event from PAM. Or rather, one that can't be parsed by the auparse
> library without loss of data.

I think that is a fair assessment. Sometimes changes get made to the events
without understanding how they affect people that really need correct audit
events. For example, shadow-utils upstream made changes without any
coordination. Now there are about 200 places that need patching to fix all the
audit problems.

-Steve

> On Thu, 2013-03-14 at 06:54 -0400, Steve Grubb wrote:
> > On Thursday, March 14, 2013 09:21:30 PM Burn Alting wrote:
> > > As you can see, we have lost the 'password' element of the
> > > 
> > > 	"op=change password"
> > > 
> > > key value pair in the original event.
> > > 
> > > Is this a feature or bug???
> > 
> > It's a feature. The only thing guaranteed by the audit system is that
> > name=value pairs are supported. Additional text may be there to add
> > context for people reading the event. But for machine parsing only
> > name=value is returned. So, if the additional text is needed, then
> > either '-' or '_' can be added between words (as many other events do).
> > 
> > -Steve
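
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not auparse's own code: a simplified Python model of name=value-only parsing that shows the second word of "op=change password" being dropped and flags records that would lose data this way. The sample records and the names `parse_payload` and `lossy_records` are constructed for illustration.

```python
import re

# Constructed sample records (not taken from the thread): the same event with
# the operation written as two words and as one hyphenated word.
LOSSY = ("type=USER_CHAUTHTOK msg=audit(1363254642.000:101): pid=4242 uid=0 "
         "auid=500 ses=1 msg='op=change password id=500 "
         "exe=\"/usr/bin/passwd\" terminal=pts/0 res=success'")
SAFE = LOSSY.replace("op=change password", "op=change-password")

# Assumption: the user-space part of the record is wrapped in msg='...'.
PAYLOAD = re.compile(r"msg='(.*)'")
# A token is name="quoted value" (may contain spaces) or a run of non-spaces.
TOKEN = re.compile(r'[^\s="]+="[^"]*"|\S+')


def parse_payload(record):
    """Split the msg='...' payload into name=value fields and leftover words."""
    match = PAYLOAD.search(record)
    payload = match.group(1) if match else record
    fields, orphans = {}, []
    for token in TOKEN.findall(payload):
        name, sep, value = token.partition("=")
        if sep and name:
            fields[name] = value.strip('"')
        else:
            orphans.append(token)  # free text: invisible to name=value parsing
    return fields, orphans


def lossy_records(records):
    """Return (record index, orphaned words) for records that would lose data."""
    report = []
    for index, record in enumerate(records):
        _, orphans = parse_payload(record)
        if orphans:
            report.append((index, orphans))
    return report


if __name__ == "__main__":
    for rec in (LOSSY, SAFE):
        fields, orphans = parse_payload(rec)
        print("op =", fields["op"], "| dropped words:", orphans)
```

Running a check like `lossy_records` over the events an application emits shows which messages need '-' or '_' between words before their full value survives machine parsing.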



