From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: ABI guarantee for auditd
Date: Thu, 15 Jan 2015 15:44:15 -0500
Message-ID: <9201597.kpTtueEqur@x2>
References: <3fbf5caa9cacbccadda7623eabadbc05@thefroid.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <3fbf5caa9cacbccadda7623eabadbc05@thefroid.net>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, January 15, 2015 12:24:38 PM hsultan@thefroid.net wrote:
> Regarding auditd, what is the ABI guarantee ? Do you guarantee that the
> text contained in audit_reply->msg.data will always be the same format ?
> I imagine you reserve the right to add fields, but how about removing
> any or even reordering them ?

Its happens on occasion. Requirements change, bugs are found, new features 
asked for.

> Or are people simply required to use auparse to guarantee they get
> records properly ?

Nobody is _required_ to do anything. :-)  But, if there are changes, auparse 
will definitely be updated because its used for a lot of purposes. I haven't 
found a problem yet that it couldn't handle. There are also plans to give it 
more capabilities later in the spring.

The intention of the auparse library is that anyone wanting to write an 
analytical application can use it to get something working without having to 
become an audit expert. You don't have to worry about where to lookup 
information to translate the fields from numbers to human readable form.


> Also, regarding 'unofficial' ABI compatibility, when has the
> audit_reply->msg.data format changed last ? Say these past 3-4 years,
> were there any changes in the format or could I use a faster, but
> specifically focused parser on the msgs when detecting older releases at
> least ?

The format of some events does change on occasion. Usually its after a problem 
is identified.

-Steve