Miloslav Trmac wrote:
Hello,
John Dennis wrote:
> The current formatting of the record timestamp
> (e.g. audit(ssss.mmm:iii)) is inconsistent with
> all other name/value pairs. It should be "seconds="sss"
> milliseconds="mmm" serial="iii", this allows parsing to be
> regular and consistent.
Isn't this unnecessarily verbose? Just
time="sss.mmm" serial="iii"
would be smaller, easier to read - and it would allow using better time
precision in the future.
It's a reasonable argument. I can see value in either approach.
> It's a judgment call over when and how to introduce change
> and the anticipated impact.
If this change is implemented, we should use the opportunity to clean up
other inconsistencies in audit messages - e.g. different messages use
"success", "res" and "result" fields to record whether the audited
operation was successful.
Also note that similar changes are necessary in user-space, e.g.
type=USER_ERR ...: ... msg='PAM: bad_ident acct=? :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)'
contains name-value pairs within a value, using both pairs of quotes.
Excellent points. Thank you for drawing attention to these.
--
John Dennis <jdennis(a)redhat.com>
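
An added example, not part of the original thread or of the audit project's code: a small Python parser showing the three special cases a log consumer needs for the inconsistencies raised above (the `audit(ssss.mmm:iii)` header, name=value pairs nested inside `msg='...'`, and the `success`/`res`/`result` spellings). The function names are hypothetical, the header numbers and `pid` in the sample are constructed, and the `msg=` prefix before `audit(` reflects how such records appear in audit logs.

```python
import re

# Special case 1: the header "audit(ssss.mmm:iii):" is not a name=value pair.
HEADER = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):\s*")
# name=value, where value is '...', "..." or a bare token.
PAIR = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|[^\s,)]+)""")
# The three spellings of the outcome field mentioned in the thread.
OUTCOME_KEYS = ("success", "res", "result")


def parse_pairs(text):
    """Return {name: value} for every name=value pair in text, quotes stripped."""
    fields = {}
    for name, value in PAIR.findall(text):
        if value[0] in "'\"":
            value = value[1:-1]
        fields[name] = value
    return fields


def parse_record(line):
    """Parse one audit record into a flat dict with a normalised 'outcome'."""
    m = HEADER.search(line)
    if m is None:
        raise ValueError("no audit(ssss.mmm:iii) header")
    record = parse_pairs(line[:m.start()])  # e.g. type=...
    record.update(seconds=int(m.group(1)), milliseconds=int(m.group(2)),
                  serial=int(m.group(3)))
    body = parse_pairs(line[m.end():])
    # Special case 2: user-space msg='...' holds further pairs inside a value.
    inner = parse_pairs(body.get("msg", ""))
    record.update({**body, **inner})
    # Special case 3: collapse success/res/result into one field.
    for key in OUTCOME_KEYS:
        if key in record:
            record["outcome"] = record[key]
            break
    return record


# Constructed sample: header numbers and pid are made up; the msg value
# follows the USER_ERR example quoted in the thread.
SAMPLE = ("type=USER_ERR msg=audit(1146000000.123:456): pid=2001 "
          "msg='PAM: bad_ident acct=? : exe=\"/usr/sbin/gdm-binary\" "
          "(hostname=?, addr=?, terminal=? res=failed)'")

if __name__ == "__main__":
    for k, v in parse_record(SAMPLE).items():
        print(f"{k} = {v!r}")
```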