On Tuesday 12 August 2008 17:40:00 John Dennis wrote:
Bad example, proc works because it's (mostly) well defined.
What does the 25th field in /proc/1/stat mean? You can't tell without looking
at the kernel source code.
> The point is that all of /proc is written without implicit parsing rules.
> That's the way it is when dealing with kernel and its user space
> utilities. There is no field in the kernel that is unhandled by the audit
> system and without knowing specifically what's in it.
I'm sorry Steve, but this simply doesn't work. How the heck am I
supposed to correctly parse an audit log file from 5 years ago if either
I don't know the kernel version that produced it
ausearch --start today -m DAEMON_START
----
time->Tue Aug 12 08:03:52 2008
node=127.0.0.1 type=DAEMON_START msg=audit(1218542632.238:4562): auditd start, ver=1.7.4 format=raw kernel=2.6.26-0.17.rc3.sg3.fc9.x86_64 auid=4294967295 pid=2139 res=success
or have available the matching user space tools from that era? This is going
to be an absolute nightmare for IPA and other compliance tools.
With backwards compatibility you don't have to worry about having tools of
that era.
-Steve
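An added example, not code from this thread or from the audit project, showing the point the DAEMON_START record above illustrates: a raw audit.log can be tied back to the auditd version, log format and kernel that produced it by picking those fields out of the daemon-start records. The two log lines are constructed for the example (the first copies the record quoted above, minus the "node=" and "time->" decoration that ausearch adds), and the function names are hypothetical. Values are kept as strings because, as the thread argues, what a field means depends on the record type and the kernel that wrote it; the one interpretation applied is the unset-auid marker.

```python
import re
from typing import Dict, Iterable, List, Optional

# (uid_t)-1 printed as an unsigned 32-bit integer: the kernel's "no login uid" value
UNSET_AUID = 4294967295

# Constructed sample lines in the shape auditd writes to /var/log/audit/audit.log.
# The "----", "time->" and "node=" decoration seen in the thread comes from ausearch.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1218542632.238:4562): auditd start, ver=1.7.4 format=raw kernel=2.6.26-0.17.rc3.sg3.fc9.x86_64 auid=4294967295 pid=2139 res=success
type=SYSCALL msg=audit(1218542700.101:4570): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2200 auid=500 uid=0 gid=0 comm="cat" exe="/bin/cat" key="passwd"
"""

# Record header: optional node=, the record type, and the audit(timestamp:serial) stamp.
_HEADER = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\w+)\s+'
    r'msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; double- or single-quoted values are kept whole (they may contain spaces).
_FIELD = re.compile(r'(\w+)=("[^"]*"|' + r"'[^']*'|\S*)")


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one raw audit line into its header plus a key=value dict.

    Free text in the body that is not key=value (e.g. "auditd start," in a
    DAEMON_START record) is skipped rather than treated as a field. Values are
    returned as strings; interpreting them is left to the caller, since the
    meaning of a field depends on the record type and the producing kernel.
    """
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, value in _FIELD.findall(m.group("body")):
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip the quotes, keep the inner text verbatim
        fields[key] = value
    return {
        "node": m.group("node"),
        "type": m.group("type"),
        "time": m.group("time"),      # seconds.millis since the epoch, as printed
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def interpret_auid(value: str) -> Optional[int]:
    """auid is printed unsigned; 4294967295 is (uid_t)-1, meaning no login uid was set."""
    uid = int(value)
    return None if uid == UNSET_AUID else uid


def log_provenance(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Collect the auditd version, log format and kernel recorded at each daemon
    start, so a log file can be matched to the software that produced it."""
    result: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "DAEMON_START":
            f = rec["fields"]
            result.append({
                "time": rec["time"],
                "ver": f.get("ver", ""),
                "format": f.get("format", ""),
                "kernel": f.get("kernel", ""),
            })
    return result


if __name__ == "__main__":
    for entry in log_provenance(SAMPLE_LOG.splitlines()):
        print(entry)
```

Run against a real audit.log, log_provenance() yields one entry per auditd start; a log whose first record is not DAEMON_START has been rotated or truncated, and its producing kernel can only be inferred from an earlier file.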