Another example to make this more concrete: suppose someone did ausearch -p 200. We have this record with the proposed changes:

type=DAEMON_START msg=audit(1139253971.701:7092) auditd start, ver=1.0.14, format=raw, auid=4294967295 res=success, auditd_pid=200

The field auditd_pid=200 is clearly a pid. Should this record be a match?
Using the library specs proposed, a programmer would possibly call

ausearch_set_param(au, "pid", "=", "520", AUSEARCH_STOP_EVENT);

Should they have to specify audit_pid or pid? Should they have to know all the variations on pid?
Why do we need more than just "pid=200"? You already know that it was
auditd by the "auditd start" in the log.
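The question above (exact field name versus "any field that is a pid") is easy to see in code. The following is an added example written for this page, not code from the thread or from the audit project's libauparse; it parses audit records into key=value fields and evaluates one search term two ways. The looser rule (try every field whose name ends in the requested name, so "pid" also covers ppid and auditd_pid) is an assumption chosen to illustrate the message, not the behaviour of any real ausearch API, and the second SYSCALL record is constructed.

```python
import operator
import re
from typing import Callable, Dict, List

# Constructed sample records: the first is the DAEMON_START record quoted in
# the message, the second is an invented SYSCALL record (not from a real log).
SAMPLE_RECORDS = [
    "type=DAEMON_START msg=audit(1139253971.701:7092) auditd start, "
    "ver=1.0.14, format=raw, auid=4294967295 res=success, auditd_pid=200",
    "type=SYSCALL msg=audit(1139254000.123:7093): arch=c000003e syscall=59 "
    'success=yes exit=0 ppid=200 pid=520 auid=4294967295 uid=0 comm="ls" exe="/bin/ls"',
]

# name=value, where value is either a double-quoted string or a run of non-space
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

_OPS: Dict[str, Callable[[object, object], bool]] = {
    "=": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    "<=": operator.le,
    ">": operator.gt,
    ">=": operator.ge,
}


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field-name -> value map.

    Values lose surrounding quotes and any trailing ',' or ':' so that the
    comma-separated DAEMON_START layout and the space-separated SYSCALL
    layout both parse. Free text such as 'auditd start' has no '=' and is
    ignored.
    """
    return {name: raw.strip('",:') for name, raw in _FIELD_RE.findall(line)}


def _coerce(value: str):
    """Compare numerically when the text is an integer, as a string otherwise."""
    return int(value) if value.lstrip("-").isdigit() else value


def field_matches(fields: Dict[str, str], field: str, op: str, value: str,
                  pid_variants: bool = False) -> bool:
    """Evaluate one search term (field op value) against a parsed record.

    pid_variants=False: the field name must match exactly, so the caller has
    to know to ask for 'auditd_pid'.
    pid_variants=True (assumed rule for illustration): any field whose name
    ends with the requested name is tried, so 'pid' also covers 'ppid' and
    'auditd_pid'.
    """
    cmp = _OPS[op]
    want = _coerce(value)
    for name, have in fields.items():
        if name == field or (pid_variants and name.endswith(field)):
            got = _coerce(have)
            # Only compare like with like; an int never matches a string value.
            if type(got) is type(want) and cmp(got, want):
                return True
    return False


def search(records: List[str], field: str, op: str, value: str,
           pid_variants: bool = False) -> List[int]:
    """Return the indices of the records that satisfy the search term."""
    return [i for i, line in enumerate(records)
            if field_matches(parse_record(line), field, op, value, pid_variants)]


if __name__ == "__main__":
    print("exact  pid=200        :", search(SAMPLE_RECORDS, "pid", "=", "200"))
    print("any   *pid=200        :", search(SAMPLE_RECORDS, "pid", "=", "200", pid_variants=True))
    print("exact  auditd_pid=200 :", search(SAMPLE_RECORDS, "auditd_pid", "=", "200"))
```

With the exact rule the DAEMON_START record is not a hit for pid=200 at all, because its only pid-like field is auditd_pid; with the loose rule it is a hit, but so is the SYSCALL record whose ppid happens to be 200. Whichever rule a search library picks, the caller needs to know which one it is, which is the point of the question in the message.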