From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [PATCH] Fix acct quoting in audit_log_acct_message()) Date: Tue, 4 Mar 2008 15:52:20 -0500 Message-ID: <200803041552.20741.sgrubb@redhat.com> References: <47CCC6F0.1090005@redhat.com> <47CDB116.7010007@redhat.com> <1204663403.3216.126.camel@localhost.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <1204663403.3216.126.camel@localhost.localdomain> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Tuesday 04 March 2008 15:43:23 Eric Paris wrote: > > > =C2=A0If there's no agreement with them, should we change anything? > > > auparse is working pretty good as is. > > > > No it's not. The auparse approach is based on tables, tables which ha= ve > > been shown to be incorrect and tied to kernel versions and the patch = set > > used to build that kernel version. > > Can you show some example of which kernels had one thing and which > kernels another? Some of his examples was the directory auditing code that Al wrote. In th= e=20 user space side of it, I hadn't gotten the interpretation of the fields=20 working because it took a long time for it to come back downstream in Fed= ora=20 and by the time we had it I forgot to go check it. It wasn't like there w= as a=20 field that changed meaning, just a normal integration issue when 2 subsys= tems=20 have different delivery schedules. :) -Steve