From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Miloslav Trmač
Subject: [PATCH] Handle timestamp 0.0 in auparse, was Re: audit-viewer help needed
Date: Mon, 22 Sep 2008 23:30:21 +0000
Message-ID: <1222126221.2685.81.camel@amilo>
References: <1221782548.6783.30.camel@homeserver> <1221812917.2947.10.camel@amilo> <1221830658.6513.4.camel@homeserver>
In-Reply-To: <1221830658.6513.4.camel@homeserver>
To: LC Bruzenak, linux-audit
List-Id: linux-audit@redhat.com

Hello,
the attached patch modifies auparse not to handle timestamp 0.x specially, by using out-of-band information (parse_state == EVENT_EMPTY) instead of assuming (au->le.e.sec == 0) has a special meaning. As far as I can see, the two conditions are equivalent if no event has a timestamp 0.x.

The patch also decreases the assumed minimal length of a timestamp.

I have tested this only minimally - I have checked that (make check) succeeds, and that audit-viewer doesn't crash on startup.

This patch fixes handling of the following audit record from Lenny:
> node=hugo type=AVC msg=audit(0.000:6760): avc: denied { recvfrom }
> for pid=2589 comm="lockd" saddr=127.0.0.1 src=687 daddr=127.0.0.1
> dest=111 netif=lo scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=association

I'm curious how this audit record could have been created (notably, the previous record has a sequence ID 6758 and a reasonable timestamp). Lenny, Steve, any ideas?
Thank you, Mirek --=-lZB0WT4qk7G8ytv6fe9K Content-Disposition: attachment; filename=audit-sec0.patch Content-Type: text/x-patch; name=audit-sec0.patch; charset=UTF-8 Content-Transfer-Encoding: 7bit Index: auparse/auparse.c =================================================================== --- auparse/auparse.c (revision 123) +++ auparse/auparse.c (working copy) @@ -666,7 +666,7 @@ char *ptr; errno = 0; - ptr = strchr(s+10, ':'); + ptr = strchr(s+3, ':'); if (ptr) { e->serial = strtoul(ptr+1, NULL, 10); *ptr = 0; @@ -1033,7 +1033,7 @@ /* Accessors to event data */ const au_event_t *auparse_get_timestamp(auparse_state_t *au) { - if (au && au->le.e.sec != 0) + if (au && au->parse_state != EVENT_EMPTY) return &au->le.e; else return NULL; @@ -1251,7 +1251,7 @@ free(au->find_field); au->find_field = strdup(name); - if (au->le.e.sec) { + if (au->parse_state != EVENT_EMPTY) { const char *cur_name; rnode *r; @@ -1275,7 +1275,7 @@ errno = EINVAL; return NULL; } - if (au->le.e.sec) { + if (au->parse_state != EVENT_EMPTY) { int moved = 0; rnode *r = aup_list_get_cur(&au->le); @@ -1299,7 +1299,7 @@ /* Accessors to field data */ const char *auparse_get_field_name(auparse_state_t *au) { - if (au->le.e.sec) { + if (au->parse_state != EVENT_EMPTY) { rnode *r = aup_list_get_cur(&au->le); if (r) return nvlist_get_cur_name(&r->nv); @@ -1310,7 +1310,7 @@ const char *auparse_get_field_str(auparse_state_t *au) { - if (au->le.e.sec) { + if (au->parse_state != EVENT_EMPTY) { rnode *r = aup_list_get_cur(&au->le); if (r) return nvlist_get_cur_val(&r->nv); @@ -1321,7 +1321,7 @@ int auparse_get_field_type(auparse_state_t *au) { - if (au->le.e.sec) { + if (au->parse_state != EVENT_EMPTY) { rnode *r = aup_list_get_cur(&au->le); if (r) return nvlist_get_cur_type(r); 
@@ -1347,7 +1347,7 @@ const char *auparse_interpret_field(auparse_state_t *au) { - if (au->le.e.sec) { + if (au->parse_state != EVENT_EMPTY) { rnode *r = aup_list_get_cur(&au->le); if (r) return nvlist_interp_cur_val(r); --=-lZB0WT4qk7G8ytv6fe9K Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --=-lZB0WT4qk7G8ytv6fe9K--
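Review bot: in the `@@ -666` hunk, `ptr = strchr(s+3, ':');` still assumes `s` holds at least three bytes before its terminator; a truncated stamp shorter than that would start the scan past the end of the string, which is the same class of problem the `s+10` offset had, only with a smaller window. Neither the seconds nor the milliseconds field can contain a ':', so the offset buys nothing; `ptr = strchr(s, ':');` is both safe and simpler, or keep the skip behind an explicit length check if it is there for a reason.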
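Review bot: the `auparse_get_timestamp` hunk (`@@ -1033`) makes `au->parse_state != EVENT_EMPTY` the single indicator that an event is loaded, which is the right direction, but the equivalence argued in the cover note only holds if every path that clears `au->le` also sets `parse_state` back to `EVENT_EMPTY` (reset, end of input, and the error paths). Worth confirming those paths in the same change, since the remaining hunks now dereference `au->le` whenever the state is non-empty, and a stale non-empty state would hand callers a pointer into a cleared list. A short comment on `parse_state` saying it is the authoritative "event present" flag would also stop the `e.sec` check from being reintroduced later.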
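Review bot: in the `@@ -1251` hunk the rewritten condition is fine, but the visible context `au->find_field = strdup(name);` two lines above it is never checked for NULL before the function carries on. That is pre-existing rather than introduced here, but since the surrounding lines are being touched it would be cheap to return NULL (with `errno = ENOMEM`) when `strdup` fails.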
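Review bot: the four field accessor hunks (`auparse_get_field_name` at `@@ -1299`, `auparse_get_field_str` at `@@ -1310`, `auparse_get_field_type` at `@@ -1321`, `auparse_interpret_field` at `@@ -1347`) replace the condition with `if (au->parse_state != EVENT_EMPTY)` but keep dereferencing `au` without the `au &&` guard that `auparse_get_timestamp` has in `@@ -1033`. Pre-existing, but since every one of these checks is being rewritten anyway, `if (au && au->parse_state != EVENT_EMPTY)` would make the accessor family consistent and cost nothing.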
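As an added illustration of the two ideas in the mail (parse the stamp without a fixed offset, and signal "no event" out of band rather than through `e.sec == 0`), here is a small stand-alone C parser for the `audit(SEC.MILLI:SERIAL)` header. It is example code written for this page, not auparse's own; `stamp_t`, `state_t`, `parse_stamp`, `feed_record`, `get_timestamp` and the two helper functions are hypothetical names, the first sample record is the one quoted in the mail and the second is constructed. It goes slightly beyond the patch by accepting any number of seconds digits and rejecting malformed stamps instead of skipping over them.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical types for this example, not auparse's au_event_t or
 * auparse_state_t. have_event is the out-of-band "an event is loaded"
 * flag (the role parse_state plays in the patch). */
typedef struct { time_t sec; unsigned milli; unsigned long serial; } stamp_t;
typedef struct { int have_event; stamp_t e; } state_t;

/* Read one unsigned decimal field that must begin with a digit and be
 * followed by 'term'; on success *sp is advanced past the terminator. */
static int read_num(const char **sp, char term, unsigned long *out)
{
    const char *s = *sp;
    char *end;

    if (!isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    if (errno != 0 || *end != term)
        return -1;
    *sp = end + 1;
    return 0;
}

/* Parse "SEC.MILLI:SERIAL)" as it appears after "audit(" in a record.
 * Scanning from the start of the string instead of a fixed offset (the
 * s+10 the patch removes) accepts any number of seconds digits, "0.000"
 * included, and never reads past the end of a short or truncated stamp. */
int parse_stamp(const char *s, stamp_t *out)
{
    unsigned long sec, milli, serial;

    if (!s || !out)
        return -1;
    if (read_num(&s, '.', &sec) || read_num(&s, ':', &milli) ||
        read_num(&s, ')', &serial) || milli > 999)
        return -1;
    out->sec = (time_t)sec;
    out->milli = (unsigned)milli;
    out->serial = serial;
    return 0;
}

/* Load the stamp of one record line. Whether an event is present is
 * recorded in have_event, never inferred from e.sec being non-zero. */
int feed_record(state_t *st, const char *line)
{
    static const char prefix[] = "msg=audit(";
    const char *p;

    st->have_event = 0;
    memset(&st->e, 0, sizeof st->e);
    p = strstr(line, prefix);
    if (!p || parse_stamp(p + sizeof prefix - 1, &st->e) != 0)
        return -1;
    st->have_event = 1;
    return 0;
}

/* Accessor in the style of auparse_get_timestamp: NULL only when no event
 * is loaded, whatever the stamp's value. */
const stamp_t *get_timestamp(const state_t *st)
{
    return (st && st->have_event) ? &st->e : NULL;
}

/* Sample records: the first is the record quoted in the mail, the second
 * is constructed for this example. */
const char *SAMPLE_ZERO =
    "node=hugo type=AVC msg=audit(0.000:6760): avc: denied { recvfrom } "
    "for pid=2589 comm=\"lockd\" saddr=127.0.0.1 src=687";
const char *SAMPLE_NORMAL =
    "type=SYSCALL msg=audit(1222126221.123:6761): success=yes";

/* Parse a line and compare against the expected fields; 1 on match. */
int record_matches(const char *line, unsigned long sec, unsigned milli,
                   unsigned long serial)
{
    state_t st;
    if (feed_record(&st, line) != 0 || get_timestamp(&st) == NULL)
        return 0;
    return (unsigned long)st.e.sec == sec && st.e.milli == milli &&
           st.e.serial == serial;
}

/* 1 when the line is rejected and the state reports no event. */
int record_rejected(const char *line)
{
    state_t st;
    return feed_record(&st, line) == -1 && get_timestamp(&st) == NULL;
}
```

With this shape, `record_matches(SAMPLE_ZERO, 0, 0, 6760)` succeeds and `get_timestamp` returns a non-NULL pointer for the epoch-0 record, while a line with no `msg=audit(` or a stamp missing its seconds, colon or closing parenthesis is rejected and leaves the state reporting no event.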