On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote:
> Add a column to indicate the source of the message, including indicating
> whether or not it is related to syscalls.
>
> Column name: SOURCE
>
> Key:
> CTL Control messages, usually initiated by audit daemon.
>     Most of these come from auditctl. Auditd only sends enable and setpid.
> DEP Deprecated message types
> IND Independent kernel message
> USR User message
> SC  System-call related kernel message
I think that doing it like this is conflating 2 ideas: origin and class.
Origin is user space or kernel. The record class is ctl, dep, simple, and
compound events. There are some cases where things could be user space and
deprecated, or kernel and deprecated. And by its nature, all user space
originating records are simple.
To me, there are overlaps in the meaning. If they were split, this would make
subsetting easier. For example, I can do a join of this csv file and the audit
logs in csv to create an enhanced dataframe. Then I can subset on user
records.
-Steve