audit-documentation
BUG: skeleton.c handler example should mention it requires binary format + add doc for code format = string mode
Please update text in the wiki surrounding the skeleton.c example audispd listener here, to mention it only works correctly with the plugin conf format set to "binary". The default value is "string".
A note on how data is passed to listeners when format is "string" would also be helpful here. Specifically:
- assert no header is sent
- records are newline terminated, i.e. it's essentially equivalent to tailing the audit.log.
- clarify guarantees or lack thereof about how multi-record (line) events are delivered - are they guaranteed to be contiguous? Are they always available all at once without blocking?
Let's bring this to @stevegrubb's attention.
With the audit-3.0 design, there is no separate audispd. Everything now is a plugin to auditd. With that change, skeleton.c has been dropped from the codebase. This happened over a year ago.
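A listener for the "string" format as the issue above describes it (no header, one newline-terminated record per line), grouping records by their event stamp instead of assuming that a multi-record event arrives contiguously. This is an added example, not code from the audit project or from skeleton.c; the struct and function names, the `--sample` switch and the sample records are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Records sharing one (sec.ms:serial) stamp belong to the same event. */
struct event { unsigned long sec, serial; unsigned int ms; int records; };
/* Constructed sample, interleaved on purpose: contiguity is not assumed. */
static const char *SAMPLE[] = {
    "type=SYSCALL msg=audit(1500000000.101:41): arch=c000003e syscall=2\n",
    "type=SYSCALL msg=audit(1500000000.105:42): arch=c000003e syscall=59\n",
    "type=PATH msg=audit(1500000000.101:41): item=0 name=\"/etc/passwd\"\n",
};

/* Find "msg=audit(SEC.MS:SERIAL" anywhere in the line; returns 1 on success. */
int parse_event_id(const char *line, struct event *id)
{
    const char *p = strstr(line, "msg=audit(");
    return p && sscanf(p, "msg=audit(%lu.%u:%lu", &id->sec, &id->ms, &id->serial) == 3;
}

/* File one record under its event: table index, -1 unparsable, -2 table full. */
int add_record(struct event *tab, int *n, int max, const char *line)
{
    struct event id = {0};
    int i;
    if (!parse_event_id(line, &id)) return -1;
    for (i = 0; i < *n; i++)
        if (tab[i].sec == id.sec && tab[i].ms == id.ms && tab[i].serial == id.serial)
            break;
    if (i == *n) {                      /* first record seen for this event */
        if (*n == max) return -2;
        tab[(*n)++] = id;
    }
    tab[i].records++;
    return i;
}

int main(int argc, char **argv)
{
    static struct event tab[256];
    char line[16384];                   /* assumed large enough for one record */
    int n = 0, i;
    if (argc > 1 && strcmp(argv[1], "--sample") == 0)
        for (i = 0; i < 3; i++) add_record(tab, &n, 256, SAMPLE[i]);
    else                                /* plugin mode: records arrive on stdin */
        while (fgets(line, sizeof line, stdin)) add_record(tab, &n, 256, line);
    for (i = 0; i < n; i++)
        printf("%lu.%03u:%lu records=%d\n", tab[i].sec, tab[i].ms, tab[i].serial, tab[i].records);
    return 0;
}
```

Run with `--sample` to replay the constructed records; the same parsing does not work on "binary" format input, where each record is preceded by a header.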