* [PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs
From: Peng Haitao @ 2008-07-29 5:40 UTC (permalink / raw)
To: sgrubb; +Cc: audit-list
Hello Steve,
When executing the command "echo 'type=CONFIG_CHANGE msg=audit(1214114026.152:1641): op=updated rules specifying path="/home/pht/source/sys_temp" with dev=4294967295 ino=4294967295 list=-672208416 res=1' | ausearch -r", the output is NULL.
The log is from /var/log/audit/audit.log and not modified.
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
---
src/ausearch-parse.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 141fdee..0c38be1 100755
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1403,7 +1403,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
// get loginuid
str = strstr(n->message, "auid=");
if (str == NULL)
- return 1;
+ return 0;
ptr = str + 5;
term = strchr(ptr, ' ');
if (term)
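Review bot: changing `return 1;` to `return 0;` at the `auid=` lookup makes parse_simple_message() report success for every record that lacks the field, not only the CONFIG_CHANGE records the cover text describes, so a truncated record of any other type would now pass silently with whatever the loginuid field of `s` already held. Suggest limiting the tolerance to the record type known to omit auid and adding a comment at the `if (str == NULL)` branch stating why that type is exempt, so the early success return is not read later as a general rule.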
--
1.5.4.2
--
Regards
Peng Haitao
* Re: [PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs
From: Peng Haitao @ 2008-07-29 10:07 UTC (permalink / raw)
To: sgrubb; +Cc: audit-list
Hello Steve,
The log whose message type is CONFIG_CHANGE does not contain "auid=" and exists
in /var/log/audit/audit.log. Is this OK, or is the log missing "auid="?
If you think this is OK, I will make a new patch.
Peng Haitao said the following on 2008-7-29 13:40:
> Hello Steve,
>
> Executing command "echo 'type=CONFIG_CHANGE msg=audit(1214114026.152:1641): op=updated rules specifying path="/home/pht/source/sys_temp" with dev=4294967295 ino=4294967295 list=-672208416 res=1' | ausearch -r", the output is NULL.
> The log is from /var/log/audit/audit.log and not modified.
>
> Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
> ---
> src/ausearch-parse.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 141fdee..0c38be1 100755
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -1403,7 +1403,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
> // get loginuid
> str = strstr(n->message, "auid=");
> if (str == NULL)
> - return 1;
> + return 0;
> ptr = str + 5;
> term = strchr(ptr, ' ');
> if (term)
--
Regards
Peng Haitao
* Re: [PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs
From: Steve Grubb @ 2008-07-29 12:38 UTC (permalink / raw)
To: Peng Haitao; +Cc: audit-list
On Tuesday 29 July 2008 06:07:15 Peng Haitao wrote:
> The log which message type is CONFIG_CHANGE does not contain "auid=" and
> exists in /var/log/audit/audit.log, This will be OK or the log loses
> "auid="?
All records must have auid. That is part of the requirements, besides date,
time, what happened, and what the results were. If that record is missing
auid, we need to patch the kernel.
-Steve
* Re: [PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs
From: Peng Haitao @ 2008-07-30 1:06 UTC (permalink / raw)
To: Steve Grubb; +Cc: audit-list
> All records must have auid. That is part of the requirements besides date,
> time, what happened, and what was the results.
When the watched file is deleted or renamed, this log record is generated.
You can get the result with the following steps:
1. # service auditd start
2. # touch temp_file
3. # auditctl -w `pwd`/temp_file -k temp_file
4. # rm -f temp_file
/var/log/audit/audit.log will contain:
node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295 ino=4294967295 list=0 res=1
> If that record is missing
> auid, we need to patch the kernel.
>
> -Steve
>
>
--
Regards
Peng Haitao
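The rule this thread settles on (auid is mandatory, except that CONFIG_CHANGE records may omit it), as an added example that is not audit-userspace code: a small C checker that classifies raw audit.log records instead of returning success for every record that lacks the field. The CONFIG_CHANGE line is the one quoted in this message; the SYSCALL line and its field values are constructed.

```c
/* Added example (not audit-userspace code): classify raw audit.log records under
 * the rule reached here: "auid=" is required, except in CONFIG_CHANGE records. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum parse_status { PARSE_OK = 0, PARSE_NO_TYPE = 1, PARSE_NO_AUID = 2 };
/* Copy the value after "key=" (up to the next space) into out; same strstr()
 * lookup as the hunk above. Returns 1 if the key was found, 0 otherwise. */
static int get_field(const char *msg, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(msg, key);
    if (p == NULL)
        return 0;
    p += strlen(key);
    const char *end = strchr(p, ' ');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}
/* Check one record; *auid_out gets the loginuid or -1 when absent. A missing
 * auid is tolerated only for type=CONFIG_CHANGE, not silently for every type. */
int check_record(const char *line, long *auid_out)
{
    char type[32], auid[32];
    *auid_out = -1;
    if (!get_field(line, "type=", type, sizeof type))
        return PARSE_NO_TYPE;
    if (!get_field(line, "auid=", auid, sizeof auid))
        return strcmp(type, "CONFIG_CHANGE") == 0 ? PARSE_OK : PARSE_NO_AUID;
    *auid_out = strtol(auid, NULL, 10);
    return PARSE_OK;
}
/* Demo: line 1 is the record quoted in this message; line 2 is constructed. */
int main(void)
{
    const char *lines[] = {
        "node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): op=updated rules specifying path=\"/home/pht/temp_file\" with dev=4294967295 ino=4294967295 list=0 res=1",
        "type=SYSCALL msg=audit(1217551948.386:97102): success=yes exit=0 uid=0 key=\"temp_file\"",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long auid;
        int st = check_record(lines[i], &auid);
        printf("record %zu: status=%d auid=%ld\n", i, st, auid);
    }
    return 0;
}
```

Like the hunk, the lookup matches "auid=" anywhere in the line, so a longer key ending in those characters would also satisfy it; a stricter checker would require a preceding space or line start.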
* Re: [PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs
From: Steve Grubb @ 2008-08-15 18:04 UTC (permalink / raw)
To: Peng Haitao; +Cc: audit-list
On Tuesday 29 July 2008 21:06:45 Peng Haitao wrote:
> When the watched file is deleted or renamed, the log will be made.
> You can get the result by following steps:
>
> 1. # service auditd start
> 2. # touch temp_file
> 3. # auditctl -w `pwd`/temp_file -k temp_file
> 4. # rm -f temp_file
>
> /var/log/audit/audit.log will contain:
> node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101):
> op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295
> ino=4294967295 list=0 res=1
I am applying a patch that will allow parsing for missing auid fields in
CONFIG_CHANGE records. I think that is the only loose end to tie up on this
bug report.
-Steve