From: Steve Grubb
Subject: Re: ausearch results differ with "-i" flag
Date: Wed, 17 Mar 2010 13:03:16 -0400
Message-ID: <201003171303.16873.sgrubb@redhat.com>
References: <1268777906.30348.202.camel@lcb>
In-Reply-To: <1268777906.30348.202.camel@lcb>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 16 March 2010 06:18:26 pm LC Bruzenak wrote:
> I am doing an ausearch and noticed that with the "-i" flag the "comm="
> field appears to lose the data.
> The bad thing is that this appears inside the "msg=" string, and I feel
> that it shouldn't be interpreting those values anyway.
>
> I saw that the audit-viewer does parse out the "comm=" field correctly
> when I look at the same event.
>
> First the event without the "-i" flag:
> ----
> time->Tue Mar 16 21:53:50 2010
> node=jcdx type=USER_AVC msg=audit(1268776430.236:6808): user pid=2835
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { write } for request=X11:PolyRectangle comm=MLTracks resid=5d
> restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511
> tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> ----

comm's value should be in double quotes unless it has special characters, and then it should be hex encoded. The reason being that comm could have white space in its name.

-Steve
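The quoting rule Steve describes, worked through as an added example that is not code from this thread, from the kernel or from audit-userspace. It assumes the kernel's rule for "untrusted" string fields such as comm= and exe=: the value goes in double quotes unless it contains a double quote, a byte below 0x21 (space and control characters) or above 0x7e, in which case the raw bytes are emitted as uppercase hex with no quotes. That assumption, the field regex, and the helper names (`encode_untrusted`, `decode_untrusted`, `comm_from_record`) are mine; the sample record is the USER_AVC event quoted in the message, joined onto one line.

```python
"""Encode/decode audit "untrusted" string fields (comm=, exe=) and pull comm=
out of the nested msg='...' of a USER_AVC record. Added example, not the
kernel's or audit-userspace's code; the quote-or-hex rule is an assumption
about the kernel's behaviour, not something stated on the page."""
import re

# key=value tokens; values may be double-quoted, single-quoted (the nested
# msg='...' of USER_AVC) or bare.
FIELD = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|[^\s']+)''')

# The event from the thread, joined onto one line (constructed sample input).
SAMPLE_RECORD = (
    "node=jcdx type=USER_AVC msg=audit(1268776430.236:6808): user pid=2835 "
    "uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied "
    "{ write } for request=X11:PolyRectangle comm=MLTracks resid=5d "
    "restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511 "
    "tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 "
    "tclass=x_drawable : exe=\"/usr/bin/Xorg\" (sauid=0, hostname=?, addr=?, "
    "terminal=?)'"
)


def needs_hex(value: bytes) -> bool:
    """True if any byte would break a double-quoted field (assumed kernel rule)."""
    return any(b < 0x21 or b > 0x7E or b == 0x22 for b in value)


def encode_untrusted(value: bytes) -> str:
    """Render a comm/exe-style value the way the reply describes: quoted or hex."""
    if needs_hex(value):
        return value.hex().upper()
    return '"' + value.decode("ascii") + '"'


def is_ambiguous(field: str) -> bool:
    """A bare (unquoted) field made only of hex digits cannot be told apart
    from a hex-encoded one; e.g. a bare comm=cc could be the C compiler or the
    single byte 0xCC. This is why the quotes matter to an interpreter."""
    return (not field.startswith('"')
            and len(field) % 2 == 0
            and re.fullmatch(r"[0-9A-Fa-f]+", field) is not None)


def decode_untrusted(field: str) -> bytes:
    """Inverse of encode_untrusted, as an interpreter such as ausearch -i must do it."""
    if len(field) >= 2 and field[0] == '"' and field[-1] == '"':
        return field[1:-1].encode("ascii")
    if is_ambiguous(field):          # bare and hex-looking: assume hex encoding
        return bytes.fromhex(field)
    return field.encode("ascii")     # bare non-hex text such as comm=MLTracks


def parse_fields(text: str) -> list:
    """(key, value) pairs of an audit record fragment. Keys repeat (USER_AVC
    carries msg=audit(...) and msg='...'), so a list is returned, not a dict.
    Trailing ',' or ')' from the '(sauid=0, ...)' tail are stripped off bare
    values; quoted values keep their quotes for decode_untrusted."""
    pairs = []
    for key, raw in FIELD.findall(text):
        pairs.append((key, raw if raw[0] in "\"'" else raw.rstrip(",)")))
    return pairs


def comm_from_record(record: str):
    """Locate comm= inside the single-quoted msg and decode it; None if absent."""
    for key, value in parse_fields(record):
        if key == "msg" and value.startswith("'"):
            inner = dict(parse_fields(value[1:-1]))
            if "comm" in inner:
                return decode_untrusted(inner["comm"])
    return None


if __name__ == "__main__":
    print(comm_from_record(SAMPLE_RECORD))   # b'MLTracks'
    print(encode_untrusted(b"MLTracks"))     # "MLTracks"
    print(encode_untrusted(b"ML Tracks"))    # 4D4C20547261636B73
```

The bare `comm=MLTracks` in the quoted event decodes only because its letters are not all hex digits; `is_ambiguous` shows the case the quoting rule exists to prevent, where a decoder cannot know whether a bare value is text or hex without the surrounding double quotes.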