Audit Event Enrichment
======================

There are times when the audit events are stored on another machine and need to be searched at a later date. Some parts of the audit event are transient in nature or unique to a system. This makes interpreting fields that are numbers into human readable fields hard or impossible without running a report at the time of the event or on the machine the event occurred on.

To address this issue, the audit daemon will get a new log_format, ENRICHED, where the audit trail will be amended as follows at the time a record is received from the kernel:

1) Translations will be:
   a) appended to the end of the event with the field's name in capital letters
   b) encoded if user controlled data is used for enrichment
2) The auparse library will:
   a) preferentially use these fields whenever an interpretation is requested
   b) if none exist, look up the fields on the local machine if necessary
3) Ausearch will hide them except when the --raw command line option is given
4) The fields that will be resolved at event time are:
   a) *uid (translation is user defined)
   b) *gid (translation is admin defined)
   c) saddr (split into constituent pieces)
   d) arch
   e) syscall
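The lookup preference in point 2 and the encoding in point 1b, as an added Python example (not audit-userspace code): it parses a constructed ENRICHED record, prefers the capitalised translation over a local lookup, and decodes a hex-encoded value. The 0x1d separator between the kernel text and the appended translations, and the LOCAL_USERS table standing in for the searching machine's passwd database, are assumptions of the example.

```python
import re

# Constructed sample ENRICHED record (not a real capture). The kernel text and
# the appended translations are separated here by an ASCII group separator
# (0x1d); that separator is an assumption of this example, the note above only
# says the translations are "appended".
SAMPLE = ('type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=257 '
          'success=yes exit=3 uid=1000 gid=1000 auid=4294967295 comm="cat"'
          '\x1dARCH=x86_64 SYSCALL=openat UID="alice" GID="alice" AUID=756E736574')

# Stand-in for the searching machine's own user database (getpwuid). It
# deliberately disagrees with the originating host to show which source wins.
LOCAL_USERS = {0: "root", 1000: "bob"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_value(value):
    """Undo the encoding audit uses for user-controlled strings: a quoted value
    is literal, an unquoted run of hex digits is the hex-encoded bytes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_record(line):
    """Split one line into the kernel fields and the appended (capitalised)
    translations. A line without the separator gets an empty enriched part."""
    raw_text, _, enriched_text = line.partition("\x1d")
    raw = dict(_KV.findall(raw_text))
    enriched = {k: decode_value(v) for k, v in _KV.findall(enriched_text)
                if k.isupper()}
    return {"raw": raw, "enriched": enriched}

def interpret(record, field):
    """Resolve a numeric field the way the note says auparse will: prefer the
    enriched FIELD, otherwise fall back to a lookup on the local machine."""
    hit = record["enriched"].get(field.upper())
    if hit is not None:
        return hit
    value = record["raw"].get(field)
    if field.endswith("uid") and value is not None:
        return LOCAL_USERS.get(int(value), value)  # local lookup (example only)
    return value  # fields the example cannot resolve locally stay numeric
```

Run against SAMPLE, "uid" resolves to "alice" from the record rather than "bob" from the local table, and the hex-encoded AUID decodes to "unset".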