From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: ausearch results differ with "-i" flag
Date: Tue, 16 Mar 2010 17:18:26 -0500
Message-ID: <1268777906.30348.202.camel@lcb>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx04.extmail.prod.ext.phx2.redhat.com
	[10.5.110.8])
	by int-mx05.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id o2GMIjAC003359
	for <linux-audit@redhat.com>; Tue, 16 Mar 2010 18:18:45 -0400
Received: from mail.magitekltd.com (rrcs-24-242-137-197.sw.biz.rr.com
	[24.242.137.197])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o2GMIRDQ015029
	for <linux-audit@redhat.com>; Tue, 16 Mar 2010 18:18:28 -0400
Received: from [24.242.137.194] (helo=[192.168.30.40])
	by mail.magitekltd.com with esmtpsa
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63)
	(envelope-from <lenny@magitekltd.com>) id 1Nrf5Z-0007y9-Ge
	for linux-audit@redhat.com; Tue, 16 Mar 2010 17:18:13 -0500
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

I am doing an ausearch and noticed that with the "-i" flag the "comm="
field appears to lose the data.
The bad thing is that this appears inside the "msg=" string, and I feel
that it shouldn't be interpreting those values anyway.

I saw that the audit-viewer does parse out the "comm=" field correctly
when I look at the same event.

First the event without the "-i" flag:
----
time->Tue Mar 16 21:53:50 2010
node=jcdx type=USER_AVC msg=audit(1268776430.236:6808): user pid=2835
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
{ write } for request=X11:PolyRectangle comm=MLTracks resid=5d
restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511
tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023
tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'
----


Same event appears to lose the "comm" field with the "-i" flag:
----
node=jcdx type=USER_AVC msg=audit(03/16/2010 21:53:50.236:6808) : user
pid=2835 uid=root auid=unset ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
{ write } for request=X11:PolyRectangle comm=(null) resid=5d
restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511
tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023
tclass=x_drawable : exe=/usr/bin/Xorg (sauid=root  hostname=?, addr=?,
terminal=?)' 
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com