Hello,
John Dennis wrote:
The current formatting of the record timestamp
(e.g. audit(ssss.mmm:iii)) is inconsistent with
all other name/value pairs. It should be "seconds="sss"
milliseconds="mmm" serial="iii", this allows parsing to be regular
and consistent.
Isn't this unnecessarily verbose? Just
time="sss.mmm" serial="iii"
would be smaller, easier to read - and it would allow using better time
precision in the future.
It's a judgment call over when and how to introduce change
and the anticipated impact.
If this change is implemented, we should use the opportunity to clean up
other inconsistencies in audit messages - e.g. different messages use
"success", "res" and "result" fields to record whether the audited
operation was successful.
Also note that similar changes are necessary in user-space, e.g.
type=USER_ERR ...: ... msg='PAM: bad_ident acct=? :
exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)'
contains name-value pairs within a value, using both pairs of quotes.
Mirek
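
As an added illustration (not part of the original message and not code from the audit project), this Python example shows the special cases a parser needs for the format discussed in this thread: the audit(ssss.mmm:iii) header, name=value pairs nested inside msg='...', and the three names used for the outcome field. The sample records and all function and variable names are constructed for the example.

```python
import re

# Constructed sample records; timestamps, serials, pid and uid values are made up.
USER_SAMPLE = ("type=USER_ERR msg=audit(1170021493.977:293): user pid=2250 uid=0 "
               "msg='PAM: bad_ident acct=? : exe=\"/usr/sbin/gdm-binary\" "
               "(hostname=?, addr=?, terminal=? res=failed)'")
KERNEL_SAMPLE = "type=SYSCALL msg=audit(1170021493.977:294): syscall=5 success=yes exit=3"

# Special case 1: the timestamp is not a name=value pair, so it needs its own pattern.
HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\):\s*")

# name=value where the value is 'single quoted', "double quoted" or a bare token.
PAIR = re.compile(
    r"""(?P<name>[A-Za-z_][\w-]*)=(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>[^\s,)'"]+))""")

# The three spellings of the outcome field named in the thread.
OUTCOME_FIELDS = ("success", "res", "result")


def parse_pairs(text):
    """Return every name=value pair found in text as a dict of strings."""
    pairs = {}
    for m in PAIR.finditer(text):
        pairs[m.group("name")] = next(
            g for g in m.group("sq", "dq", "bare") if g is not None)
    return pairs


def parse_record(line):
    head = HEADER.match(line)
    if head is None:
        raise ValueError("record has no audit(sec.msec:serial) header")
    fields = parse_pairs(line[head.end():])
    # Special case 2: a user-space msg='...' value carries its own name=value
    # pairs, so the value has to be parsed a second time.
    msg_fields = parse_pairs(fields.get("msg", ""))
    # Special case 3: look for the outcome under each of its three names.
    merged = {**fields, **msg_fields}
    outcome = next((merged[k] for k in OUTCOME_FIELDS if k in merged), None)
    return {"type": head["type"], "seconds": int(head["sec"]),
            "milliseconds": int(head["msec"]), "serial": int(head["serial"]),
            "fields": fields, "msg_fields": msg_fields, "outcome": outcome}


if __name__ == "__main__":
    for sample in (USER_SAMPLE, KERNEL_SAMPLE):
        print(parse_record(sample))
```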