On Thursday, January 15, 2015 12:24:38 PM hsultan(a)thefroid.net wrote:
> Regarding auditd, what is the ABI guarantee? Do you guarantee that the
> text contained in audit_reply->msg.data will always be the same format?
> I imagine you reserve the right to add fields, but how about removing
> any or even reordering them?

It happens on occasion. Requirements change, bugs are found, new features
asked for.

> Or are people simply required to use auparse to guarantee they get
> records properly?

Nobody is _required_ to do anything. :-) But, if there are changes, auparse
will definitely be updated because it's used for a lot of purposes. I haven't
found a problem yet that it couldn't handle. There are also plans to give it
more capabilities later in the spring.

The intention of the auparse library is that anyone wanting to write an
analytical application can use it to get something working without having to
become an audit expert. You don't have to worry about where to look up
information to translate the fields from numbers to human-readable form.

> Also, regarding 'unofficial' ABI compatibility, when has the
> audit_reply->msg.data format changed last? Say these past 3-4 years,
> were there any changes in the format or could I use a faster, but
> specifically focused parser on the msgs when detecting older releases at
> least?

The format of some events does change on occasion. Usually it's after a problem
is identified.
-Steve
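
The thread's point about fields being added, removed or reordered, as an added example that is not part of the original message and is not auparse or any audit project code: a focused parser that looks fields up by name and reports absent ones, next to a positional lookup that silently returns the wrong field once the layout shifts. The function names and both sample records are constructed for illustration, and the sketch does none of the number-to-name interpretation that auparse provides.

```python
import re

# Header carried by every record: audit(<epoch>.<ms>:<serial>):
HEADER = re.compile(r"audit\((\d+)\.(\d+):(\d+)\):\s*")
# name=value, where value is either "quoted" (may contain spaces) or a bare token.
FIELD = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_record(data):
    """Return (serial, fields) for one record body; fields are looked up by name."""
    m = HEADER.search(data)
    if m is None:
        raise ValueError("no audit(...) header found")
    fields = {}
    for name, value in FIELD.findall(data[m.end():]):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        # Keep the first occurrence; a repeated name is not silently overwritten.
        fields.setdefault(name, value)
    return int(m.group(3)), fields


def extract(data, wanted):
    """Pull the wanted fields by name and report which ones were absent."""
    serial, fields = parse_record(data)
    found = {k: fields[k] for k in wanted if k in fields}
    missing = [k for k in wanted if k not in fields]
    return serial, found, missing


def positional(data, index):
    """Brittle approach for contrast: take the Nth whitespace-separated token."""
    return data.split()[index]


# Constructed sample records (not captured from a real system).
OLD = ('audit(1421342678.123:456): arch=c000003e syscall=2 success=yes exit=3 '
       'pid=812 uid=0 comm="cat" exe="/usr/bin/cat"')
# Same event with a field added (ppid), one removed (success) and the order changed.
NEW = ('audit(1421342678.123:456): arch=c000003e syscall=2 exit=3 ppid=1 '
       'uid=0 pid=812 exe="/usr/bin/cat" comm="cat"')

if __name__ == "__main__":
    for rec in (OLD, NEW):
        print(extract(rec, ["pid", "uid", "exe", "success"]))
        print("token 5:", positional(rec, 5))
```

A caller should treat a non-empty `missing` list as a signal that the record layout differs from what the parser was written against, rather than defaulting the value.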