From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peng Haitao Subject: [PATCH 2/2] fix a bug that use option '-k key-string' cannot search out all matched logs Date: Tue, 29 Jul 2008 13:41:59 +0800 Message-ID: <488EADA7.4010209@cn.fujitsu.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Return-path: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: sgrubb@redhat.com Cc: audit-list List-Id: linux-audit@redhat.com Hello Steve, Use option '-k key-string' cannot search out the log which contains the given key-string and message type is CONFIG_CHANGE. For example: echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 res=1' | ausearch -k haha The output is: Signed-off-by: Peng Haitao
---
 src/ausearch-parse.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 0c38be1..fd00013 100755
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1411,7 +1411,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 errno = 0;
 s->loginuid = strtoul(ptr, NULL, 10);
 if (errno)
- return 2;
+ return 1;
 if (term)
 *term = ' ';
 else
@@ -1437,7 +1437,56 @@ static int parse_simple_message(const lnode *n, search_items *s)
 else // Set it back to something sane
 term = str;
 } else
- return 3;
+ return 2;
+ }
+ }
+
+ if (event_key) {
+ str = strstr(term, "key=");
+ if (str != NULL) {
+ if (!s->key) {
+ //create
+ s->key = malloc(sizeof(slist));
+ if (s->key == NULL)
+ return 3;
+ slist_create(s->key);
+ }
+ ptr = str + 4;
+ if (*ptr == '"') {
+ ptr++;
+ term = strchr(ptr, '"');
+ if (term != NULL) {
+ *term = 0;
+ if (s->key) {
+ // append
+ snode sn;
+ sn.str = strdup(ptr);
+ sn.key = NULL;
+ sn.hits = 1;
+ slist_append(s->key, &sn);
+ }
+ *term = '"';
+ } else
+ return 4;
+ } else {
+ if (s->key) {
+ char *saved=NULL;
+ char *keyptr = unescape(ptr);
+ char *kptr = strtok_r(keyptr,
+ key_sep, &saved);
+ while (kptr) {
+ snode sn;
+ // append
+ sn.str = strdup(kptr);
+ sn.key = NULL;
+ sn.hits = 1;
+ slist_append(s->key, &sn);
+ kptr = strtok_r(NULL,
+ key_sep, &saved);
+ }
+ free(keyptr);
+ }
+ }
 }
 }
 
@@ -1457,7 +1506,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 errno = 0;
 s->success = strtoul(ptr, NULL, 10);
 if (errno)
- return 4;
+ return 5;
 if (term)
 *term = ' ';
 }
-- 1.5.4.2 -- Regards Peng Haitao
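Review bot: The `strdup()` and `unescape()` results in the new `key=` block are used unchecked, so on allocation failure a NULL `sn.str` is appended to `s->key` or, presumably, a NULL string reaches `strtok_r()`; how later key matching handles a NULL entry is not visible here. The rewrite below checks both, restores the closing quote before any early return so the record text is not left truncated, and drops the `if (s->key)` tests, which are always true once the creation block has run; it reuses return code 3, which the patch already assigns to the `malloc` failure. Also, `strstr(term, "key=")` is not anchored to a field boundary, so `key=` occurring as the tail of a longer field name would be taken as the event key; searching for `" key="` would be stricter if fields are always space-separated as in the example record. parse_simple_message begins and ends outside this hunk.

```c
// … unchanged: key= lookup, s->key creation, opening-quote test …
			term = strchr(ptr, '"');
			if (term != NULL) {
				snode sn;

				*term = 0;
				sn.str = strdup(ptr);
				*term = '"';	// restore the record before any early return
				if (sn.str == NULL)
					return 3;
				sn.key = NULL;
				sn.hits = 1;
				slist_append(s->key, &sn);
			} else
				return 4;
// … unchanged: start of the unquoted branch …
			char *keyptr = unescape(ptr);
			if (keyptr == NULL)
				return 3;
// … unchanged: strtok_r setup and loop header …
				sn.str = strdup(kptr);
				if (sn.str == NULL) {
					free(keyptr);
					return 3;
				}
// … unchanged: rest of the loop body and free(keyptr) …
```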