On 09/14, Steve Grubb wrote:
> On Tuesday, September 14, 2021 9:55:48 PM EDT Enzo Matsumiya wrote:
> > When audit.log is opened with cat or less, for example, with log format
> > = ENRICHED, there's no space between data and the enriched part, only
> > AUDIT_INTERP_SEPARATOR (0x1d):
>
> This is by design.

I understand that, and the patch doesn't break it.

> > type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo" AUID="unset"
> >                                                               ^ (0x1d)
> >
> > sep_done should be checked if it's 1 as well, so a space is added before
> > the first enriched field.
>
> Why?

Some people still rely on opening audit.log with tools that are not aware
of the log format.
As far as I could test, the change is only cosmetic, as I expected. I did a
basic test with ausearch and it was ok.
Please clarify if you expect anything else to be affected by this
change.
Cheers,
Enzo
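
The separator handling discussed in this message, as an added example that is not part of the thread or of the audit project's code: a reader that splits an ENRICHED line at AUDIT_INTERP_SEPARATOR (0x1d) and gives the same result with or without a space next to the separator. The function names are hypothetical and the sample records are constructed.

```python
import re

AUDIT_INTERP_SEPARATOR = "\x1d"  # byte value quoted in the thread

# KEY=value pairs in the enriched part; a value is "double-quoted" or a bare token.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_record(line):
    """Return (raw, enriched) for one audit.log line.

    A line with no separator (log_format = RAW) yields enriched == "".
    Whitespace around the separator is dropped, so the result is the same
    whether or not a space sits next to the separator.
    """
    raw, _, enriched = line.rstrip("\n").partition(AUDIT_INTERP_SEPARATOR)
    return raw.rstrip(), enriched.strip()


def enriched_fields(line):
    """Parse the enriched part into a dict, e.g. {"UID": "enzo"}."""
    _, enriched = split_record(line)
    return {key: value.strip('"') for key, value in _FIELD.findall(enriched)}


def readable(line):
    """Render a line for tools that are not aware of the separator:
    exactly one space between the raw record and the first enriched field."""
    raw, enriched = split_record(line)
    return raw if not enriched else raw + " " + enriched


# Constructed sample records (not taken from a real log).
RAW = "type=USER_CMD msg=audit(1700000000.000:1): pid=1234 msg='cmd=\"id\" res=success'"
ENRICHED = 'UID="enzo" AUID="unset"'
NO_SPACE = RAW + AUDIT_INTERP_SEPARATOR + ENRICHED + "\n"
WITH_SPACE = RAW + " " + AUDIT_INTERP_SEPARATOR + ENRICHED + "\n"

if __name__ == "__main__":
    for sample in (NO_SPACE, WITH_SPACE, RAW + "\n"):
        print(readable(sample))
        print("  enriched:", enriched_fields(sample))
```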