From: Steve Grubb
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: Auparse feature or bug
Date: Thu, 14 Mar 2013 08:55:21 -0400
Message-ID: <2599992.ocqfYEco8c@x2>
In-Reply-To: <1363259442.3199.44.camel@swtf.swtf.dyndns.org>
References: <1363256490.3199.23.camel@swtf.swtf.dyndns.org> <2011116.HnREtfWCp5@x2> <1363259442.3199.44.camel@swtf.swtf.dyndns.org>
List-Id: linux-audit@redhat.com

On Thursday, March 14, 2013 10:10:42 PM Burn Alting wrote:
> OK. So, in essence, the example I provided is just a poorly formatted
> event from PAM. Or rather, one that can't be parsed by the auparse
> library without loss of data.

I think that is a fair assessment. Sometimes changes get made to the events
without understanding how they affect people that really need correct audit
events. For example, shadow-utils upstream made changes without any
coordination. Now there are about 200 places that need patching to fix all
the audit problems.

-Steve

> On Thu, 2013-03-14 at 06:54 -0400, Steve Grubb wrote:
> > On Thursday, March 14, 2013 09:21:30 PM Burn Alting wrote:
> > > As you can see, we have lost the 'password' element of the
> > >
> > > "op=change password"
> > >
> > > key value pair in the original event.
> > >
> > > Is this a feature or bug???
> >
> > It's a feature. The only thing guaranteed by the audit system is that
> > name=value pairs are supported. Additional text may be there to add
> > context for people reading the event. But for machine parsing only
> > name=value is returned. So, if the additional text is needed, then
> > either '-' or '_' can be added between words (as many other events do).
> >
> > -Steve
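
The behaviour described in this thread, as an added example that is not part of the original messages and is not auparse's code: a simplified Python model of name=value-only parsing that also reports the words a machine consumer would lose. The record payloads, the regular expression and the function name `parse_fields` are constructed for illustration.

```python
import re

# One token is either name=value (value double-quoted, or a run of non-space
# characters) or a bare word that carries no name of its own.
TOKEN = re.compile(
    r'(?P<name>[A-Za-z_][\w-]*)=(?P<value>"[^"]*"|\S*)|(?P<bare>\S+)'
)

def parse_fields(payload):
    """Model of a name=value-only consumer (not the auparse implementation).

    Returns (fields, dropped):
      fields  - dict of name -> value as a machine parser would return them
      dropped - list of (preceding_field_name, [words]) for text with no name
    """
    fields, dropped, last = {}, [], None
    for m in TOKEN.finditer(payload):
        if m.group("name"):
            last = m.group("name")
            fields[last] = m.group("value").strip('"')
        elif dropped and dropped[-1][0] == last:
            dropped[-1][1].append(m.group("bare"))   # same run of bare words
        else:
            dropped.append((last, [m.group("bare")]))
    return fields, dropped

# Constructed payloads: the first has a space inside the op value, the second
# joins the words with '-' as suggested in the thread.
SAMPLE_BAD = ('op=change password id=1000 exe="/usr/bin/passwd" '
              'hostname=? addr=? terminal=pts/0 res=success')
SAMPLE_FIXED = SAMPLE_BAD.replace("op=change password", "op=change-password")

if __name__ == "__main__":
    for label, payload in (("bad", SAMPLE_BAD), ("fixed", SAMPLE_FIXED)):
        fields, dropped = parse_fields(payload)
        print(label, "op =", repr(fields["op"]), "dropped =", dropped)
```

A non-empty `dropped` list for a record type is a cue to fix the event's producer, since the lost words never reach searches or reports built on the parsed fields.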