Re: [PATCH] security: lsm_audit: print pid and tid
On Thu, Aug 18, 2016 at 1:56 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 2016-08-17 16:58, Paul Moore wrote:
> However, as far as I can see, the biggest problem with this patch is
> that it adds a field in the middle of a record which will likely cause
> the audit userspace tools to explode (or so I've been warned in the
> past). Steve, what say you about the userspace?
Adding fields in the middle isn't necessarily a problem if it doesn't
confuse the existing scanner, which can skip over fields about which it
does not care. I've carefully added fields in the middle in the past,
trying my best to group it logically with the rest of the information as
has been requested, I think: subject, action, object, result.
I've ranted about this before so I won't do it again here, but
ultimately the problem is that the guidance for userspace
applications/libraries has been that you can expect certain fields in
specific locations.
--
paul moore
www.paul-moore.com