From: zhangxiliang <zhangxiliang@cn.fujitsu.com>
Cc: audit-list <linux-audit@redhat.com>
Subject: Re: [graphics 06448] [PATCH 2/2] fix a bug that use option '-k key-string' cannot search out all matched logs
Date: Wed, 30 Jul 2008 09:33:13 +0800
Message-ID: <488FC4D9.5030804@cn.fujitsu.com>
In-Reply-To: <488EADA7.4010209@cn.fujitsu.com>
Hello Steve,
> echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 res=1'
Why does a message whose type is "CONFIG_CHANGE" contain a "key" field?
The "CONFIG_CHANGE" audit message should only describe the audit object's status.
You can get the audit message by the following steps:
1. # touch test1
2. # auditctl -w `pwd`/test1 -k haha
3. # mv test1 test2
I think we'd better not output the "key" field in the "CONFIG_CHANGE" message.
What's your opinion? If you agree with me, I'll make a patch for the kernel.
Peng Haitao said the following on 2008-07-29 13:41:
> Hello Steve,
>
> Using option '-k key-string' cannot search out the log which contains the given key-string and whose message type is CONFIG_CHANGE.
>
> For example:
> echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 res=1' | ausearch -k haha
> The output is: <no matches>
>
> Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
> ---
> src/ausearch-parse.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++--
> 1 files changed, 52 insertions(+), 3 deletions(-)
>
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 0c38be1..fd00013 100755
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -1411,7 +1411,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
> errno = 0;
> s->loginuid = strtoul(ptr, NULL, 10);
> if (errno)
> - return 2;
> + return 1;
> if (term)
> *term = ' ';
> else
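Review bot: the `- return 2;` / `+ return 1;` change in this hunk renumbers an existing failure code with no functional reason visible here, and the same renumbering is repeated further down in the patch (3 becomes 2, 4 becomes 5). If these codes only serve to tell failure paths apart when debugging parse output, keep the existing numbers and give the new key-parsing paths fresh values; that limits the diff to the lines that actually change behaviour and avoids shifting the meaning of a code anyone has already matched against parser output.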
> @@ -1437,7 +1437,56 @@ static int parse_simple_message(const lnode *n, search_items *s)
> else // Set it back to something sane
> term = str;
> } else
> - return 3;
> + return 2;
> + }
> + }
> +
> + if (event_key) {
> + str = strstr(term, "key=");
> + if (str != NULL) {
> + if (!s->key) {
> + //create
> + s->key = malloc(sizeof(slist));
> + if (s->key == NULL)
> + return 3;
> + slist_create(s->key);
> + }
> + ptr = str + 4;
> + if (*ptr == '"') {
> + ptr++;
> + term = strchr(ptr, '"');
> + if (term != NULL) {
> + *term = 0;
> + if (s->key) {
> + // append
> + snode sn;
> + sn.str = strdup(ptr);
> + sn.key = NULL;
> + sn.hits = 1;
> + slist_append(s->key, &sn);
> + }
> + *term = '"';
> + } else
> + return 4;
> + } else {
> + if (s->key) {
> + char *saved=NULL;
> + char *keyptr = unescape(ptr);
> + char *kptr = strtok_r(keyptr,
> + key_sep, &saved);
> + while (kptr) {
> + snode sn;
> + // append
> + sn.str = strdup(kptr);
> + sn.key = NULL;
> + sn.hits = 1;
> + slist_append(s->key, &sn);
> + kptr = strtok_r(NULL,
> + key_sep, &saved);
> + }
> + free(keyptr);
> + }
> + }
> }
> }
>
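Review bot: `str = strstr(term, "key=");` matches the substring anywhere in the remainder of the record, so a field whose name merely ends in `key`, or a value that happens to contain `key=`, would be treated as the key field; requiring the match to sit at the start of `term` or to be preceded by a space limits it to the real `key=` field. Two smaller points in the same block: the `if (s->key)` tests inside both branches are redundant, since the code just above either allocates `s->key` or returns 3; and the `strdup(ptr)` / `strdup(kptr)` results are appended without a NULL check while the `malloc` for the list is checked, so out-of-memory handling is inconsistent. A comment naming which record types are expected to carry `key=` on this path (CONFIG_CHANGE is the one the description gives) would also help the next reader.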
> @@ -1457,7 +1506,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
> errno = 0;
> s->success = strtoul(ptr, NULL, 10);
> if (errno)
> - return 4;
> + return 5;
> if (term)
> *term = ' ';
> }
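Review bot: as with the first hunk, `- return 4;` / `+ return 5;` only renumbers an existing failure code; the new key-parsing block already uses 3 and 4 for its own failures, so picking unused values there instead would leave this line, and the success-parsing path, untouched.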
Thread overview: 5+ messages
2008-07-29 5:41 [PATCH 2/2] fix a bug that use option '-k key-string' cannot search out all matched logs Peng Haitao
2008-07-29 21:22 ` Steve Grubb
2008-07-30 1:33 ` zhangxiliang [this message]
2008-07-30 11:06 ` [graphics 06448] " Steve Grubb
2008-07-31 9:16 ` zhangxiliang