Re: Questions about the standard (Google Summer of Code Project)

[Steve Grubb <sgrubb@redhat.com>]

On Thursday, July 14, 2016 6:10:00 PM EDT Mateusz Piotrowski wrote:
> Hello,
> 
> Thank you for your reply! It is absolutely amazing. It clarified a lot.
> 
> >> b) Why do some records are separated by a comma and a
> >> 
> >> whitespace? Example:
> >>            type=DAEMON_START msg=audit(1363713609.192:5426): auditd
> >>            start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64
> >>            auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0
> >>            res=success
> > 
> > A long time ago the records were meant to be both human readable (don't
> > laugh) and machine consumable. Over time these have been converted
> > name=value pairs. Even the one you mention above has been fixed.
> 
> I am not sure if I understood; does it mean that: `auditd start, ver=2.2` is
> outdated and deprecated? I’m confused because Debian did produced a log
> file with this element.

Every time that I find something that doe not conform to name=value, I change 
it or submit a patch. The current output is:

type=DAEMON_START msg=audit(1468495169.149:9305): op=start ver=2.6.5 
format=enriched kernel=4.6.3-300.fc24.x86_64 auid=4294967295 pid=987 
subj=system_u:system_r:auditd_t:s0 res=success\x1dAUID="unset"

Audit 2.2 is from March 2012. That is pretty old now. 

Also notice that this event is in the enriched format. Auparse also hides that 
fact so that you don't need to worry about it. If you write your own parser, 
you'll need to handle both formats.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit