From mboxrd@z Thu Jan 1 00:00:00 1970
From: Burn Alting
Subject: Re: Refactoring src/ausearch-report.c:output_interpreted_node()
Date: Thu, 02 Oct 2014 07:52:47 +1000
Message-ID: <1412200367.30162.43.camel@swtf.swtf.dyndns.org>
References: <1411958483.2752.33.camel@swtf.swtf.dyndns.org> <74328756.3cWZp6NFET@x2> <1412197693.30162.9.camel@swtf.swtf.dyndns.org> <1528037.iuGHCJfh4q@x2>
Reply-To: burn@swtf.dyndns.org
In-Reply-To: <1528037.iuGHCJfh4q@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 2014-10-01 at 17:19 -0400, Steve Grubb wrote:
> On Thursday, October 02, 2014 07:08:13 AM Burn Alting wrote:
> > On Wed, 2014-10-01 at 14:54 -0400, Steve Grubb wrote:
> > > > I am uncertain what effect of accepting this additional format would
> > > > have when adding rules to the running audit system - i.e.
> > > > audit_name_to_msg_type() is called by autrace/auditctl when parsing
> > > > rules (ie the msgtype field name).
> > >
> > > I think ausearch-report.c might be the place that needs updating.
> >
> > So, could we modify output_interpreted_node() to no longer re-parse the
> >     [node=] type= msg=audit(.:)
> > header and pass both the lnode and llist->e which has this data already
> > as the code
> >     if (num == -1) {
> >         // see if we are older and wiser now.
> >         bptr = strchr(str, '[');
> >         if (bptr && bptr < ptr) {
> >             char *eptr;
> >             bptr++;
> >             eptr = strchr(bptr, ']');
> >             if (eptr) {
> >                 *eptr = 0;
> >                 errno = 0;
> >                 num = strtoul(bptr, NULL, 10);
> >                 *eptr = ']';
> >                 if (errno)
> >                     num = -1;
> >             }
> >         }
> >     }
> > which parses for
> >     type=.*[n].*
> > is no longer needed as we don't have that format any more?
>
> That is a very loose check for UNKNOWN[####]. If you see a performance
> improvement by refactoring this function, please send a patch. The output
> needs to be identical to the old way.
>
> Thanks,
> -Steve

I can provide a patch to refactor this part of the code, but I want to
confirm there is no longer a need to parse for
    type=some_text '[' integer_type ']' some_other_text
given my refactoring will rely upon the parsing already done by
lib/lookup_table.c:audit_name_to_msg_type().

Remember this routine only parses for Given type= then is parsed for
- a known string
- a long integer number, n, found in the specific string "UNKNOWN[n]"
- a long integer number, n, found in the specific string "n"

Rgds
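
The gap between the three strict forms listed in this message and the loose bracket scan quoted above, as an added example that is not part of the original e-mail or the audit project's code. The names `strict_type`, `loose_type` and `whole_number` are hypothetical, and the three-entry name table and the sample type field are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed subset of record type names, not the audit project's table. */
static const struct { const char *name; int type; } known[] =
    { { "SYSCALL", 1300 }, { "PATH", 1302 }, { "CWD", 1307 } };

/* Decimal value of s[0..len), or -1 unless every byte is consumed as a digit. */
static int whole_number(const char *s, size_t len)
{
    char buf[16], *end;
    unsigned long n;
    if (len == 0 || len >= sizeof(buf) || s[0] < '0' || s[0] > '9')
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    errno = 0;
    n = strtoul(buf, &end, 10);
    return (errno || *end != '\0' || n > 0x7fffffffUL) ? -1 : (int)n;
}

/* Strict: a known name, exactly "UNKNOWN[n]", or exactly "n". */
int strict_type(const char *s)
{
    size_t i, len = strlen(s);
    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcmp(s, known[i].name) == 0)
            return known[i].type;
    if (len > 9 && strncmp(s, "UNKNOWN[", 8) == 0 && s[len - 1] == ']')
        return whole_number(s + 8, len - 9);
    return whole_number(s, len);
}

/* Loose: the quoted fallback, any text, '[', a number, ']', any text. */
int loose_type(const char *s)
{
    const char *b = strchr(s, '[');
    if (b == NULL || strchr(b + 1, ']') == NULL)
        return -1;
    errno = 0;
    unsigned long n = strtoul(b + 1, NULL, 10);
    return errno ? -1 : (int)n;
}

int main(void)
{
    return printf("strict=%d loose=%d\n", strict_type("FOO[1300]bar"), loose_type("FOO[1300]bar")) < 0;
}
```

A refactoring that keeps output identical has to account for inputs such as `FOO[1300]bar` and `UNKNOWN[13x]`, which only the loose scan maps to a number.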