
Re: [graphics 06448] [PATCH 2/2] fix a bug where using option '-k key-string' cannot search out all matched logs



Hello Steve, 

> echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 res=1'

Why does the message whose type is "CONFIG_CHANGE" contain a "key" field? 
The "CONFIG_CHANGE" audit message should only describe the audit object status.

You can get the audit message by the following steps:
1. # touch test1
2. # auditctl -w `pwd`/test1 -k haha
3. # mv test1 test2

I think we'd better not output the "key" field in the "CONFIG_CHANGE" message.
What's your opinion? If you agree with me, I'll make a patch for kernel. 

Peng Haitao said the following on 2008-07-29 13:41:
> Hello Steve, 
> 
> Using option '-k key-string' cannot search out the log which contains the given key-string and whose message type is CONFIG_CHANGE.
> 
> For example:
> echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 res=1' | ausearch -k haha
> The output is: <no matches>
> 
> Signed-off-by: Peng Haitao <penght cn fujitsu com>
> ---
>  src/ausearch-parse.c |   55 +++++++++++++++++++++++++++++++++++++++++++++++--
>  1 files changed, 52 insertions(+), 3 deletions(-)
> 
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 0c38be1..fd00013 100755
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -1411,7 +1411,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
>  	errno = 0;
>  	s->loginuid = strtoul(ptr, NULL, 10);
>  	if (errno)
> -		return 2;
> +		return 1;
>  	if (term)
>  		*term = ' ';
>  	else
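Review bot: the renumbering of the existing error return (`-		return 2;` / `+		return 1;`) is unrelated to key matching and silently changes a value that callers of parse_simple_message may compare against; keep the established codes and give the new key-parsing failure paths fresh, unused values so the diff contains only the functional change.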
> @@ -1437,7 +1437,56 @@ static int parse_simple_message(const lnode *n, search_items *s)
>  				else	// Set it back to something sane
>  					term = str;
>  			} else
> -				return 3;
> +				return 2;
> +		}
> +	}
> +
> +	if (event_key) {
> +		str = strstr(term, "key=");
> +		if (str != NULL) {
> +			if (!s->key) {
> +				//create
> +				s->key = malloc(sizeof(slist));
> +				if (s->key == NULL)
> +					return 3;
> +				slist_create(s->key);
> +			}
> +			ptr = str + 4;
> +			if (*ptr == '"') {
> +				ptr++;
> +				term = strchr(ptr, '"');
> +				if (term != NULL) {
> +					*term = 0;
> +					if (s->key) {
> +						// append
> +						snode sn;
> +						sn.str = strdup(ptr);
> +						sn.key = NULL;
> +						sn.hits = 1;
> +						slist_append(s->key, &sn);
> +					}
> +					*term = '"';
> +				} else
> +					return 4;
> +			} else {
> +				if (s->key) {
> +					char *saved=NULL;
> +					char *keyptr = unescape(ptr);
> +					char *kptr = strtok_r(keyptr,
> +						key_sep, &saved);
> +					while (kptr) {
> +						snode sn;
> +						// append
> +						sn.str = strdup(kptr);
> +						sn.key = NULL;
> +						sn.hits = 1;
> +						slist_append(s->key, &sn);
> +						kptr = strtok_r(NULL,
> +							key_sep, &saved);
> +					}
> +					free(keyptr);
> +				}
> +			}
>  		}
>  	}
>  
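Review bot: in the unquoted branch (the `} else {` after `if (*ptr == '"')`), `ptr` is passed to `unescape(ptr)` without first being terminated at the next blank, so for a record where other fields follow the key, as in the CONFIG_CHANGE example in this mail (`key="haha" list=4 res=1`), a hex-encoded key would have ` list=4 res=1` appended to the text that is unescaped and split on key_sep. Find the next ' ' (or end of string), temporarily NUL-terminate there before calling unescape, and restore it afterwards, mirroring what the quoted branch does with the closing quote. Two smaller points: the inner `if (s->key)` tests in both branches are always true, because s->key was either already set or was allocated (with `return 3;` on failure) just above, and the results of `strdup(ptr)` and `strdup(kptr)` are stored without a NULL check.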
> @@ -1457,7 +1506,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
>  		errno = 0;
>  		s->success = strtoul(ptr, NULL, 10);
>  		if (errno)
> -			return 4;
> +			return 5;
>  		if (term)
>  			*term = ' ';
>  	}
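Review bot: the `-			return 4;` / `+			return 5;` change is another renumbering of an existing failure code to make room for the new key-parsing returns; it adds no functionality and changes a value callers may test. Prefer leaving existing codes untouched and using new values for the new paths.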

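The key-field handling the patch adds, written out as a stand-alone example (added here; not code from audit or from the patch): it parses both the quoted form seen in the CONFIG_CHANGE record above and the hex-encoded form the kernel emits when several keys are joined with 0x01, and it stops an unquoted key at the next blank so the trailing `list=` and `res=` fields are not taken into the key. The helper names `extract_keys` and `record_has_key` and the sample records are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define KEY_SEP "\x01"   /* audit joins several keys with 0x01, which forces the hex form */

/* Decode the hex form the kernel uses for untrusted strings; -1 on bad input. */
static int hex_decode(const char *in, size_t len, char *out, size_t outsz)
{
    if (len % 2 || len / 2 >= outsz) return -1;
    for (size_t i = 0; i < len; i += 2) {
        if (!isxdigit((unsigned char)in[i]) || !isxdigit((unsigned char)in[i + 1])) return -1;
        char pair[3] = { in[i], in[i + 1], 0 };
        out[i / 2] = (char)strtoul(pair, NULL, 16);
    }
    out[len / 2] = 0;
    return 0;
}

/* Copy the keys of one record into keys[] (hypothetical helper); count, or -1 if malformed. */
int extract_keys(const char *record, char keys[][64], int max)
{
    const char *ptr = strstr(record, "key="); char buf[256];
    if (!ptr) return 0;
    ptr += 4;
    if (*ptr == '"') {                  /* quoted: plain text up to the closing quote */
        const char *end = strchr(++ptr, '"');
        if (!end || (size_t)(end - ptr) >= sizeof buf) return -1;
        memcpy(buf, ptr, (size_t)(end - ptr));
        buf[end - ptr] = 0;
    } else {                            /* unquoted: hex encoded, ends at the next blank */
        const char *end = ptr;
        while (*end && !isspace((unsigned char)*end)) end++;   /* keeps "list=4 res=1" out of the key */
        if (end - ptr == 6 && !strncmp(ptr, "(null)", 6)) return 0;   /* SYSCALL record without a key */
        if (hex_decode(ptr, (size_t)(end - ptr), buf, sizeof buf) < 0) return -1;
    }
    int count = 0; char *saved = NULL;
    for (char *k = strtok_r(buf, KEY_SEP, &saved); k && count < max; k = strtok_r(NULL, KEY_SEP, &saved)) {
        strncpy(keys[count], k, 63);
        keys[count++][63] = 0;
    }
    return count;
}
/* The decision `ausearch -k key` has to make for every record (hypothetical helper). */
int record_has_key(const char *record, const char *key)
{
    char keys[8][64];
    for (int i = 0, n = extract_keys(record, keys, 8); i < n; i++)
        if (!strcmp(keys[i], key)) return 1;
    return 0;
}
```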
