From mboxrd@z Thu Jan 1 00:00:00 1970
From: zhangxiliang
Subject: Re: [graphics 06448] [PATCH 2/2] fix a bug that use option '-k key-string' cannot search out all matched logs
Date: Wed, 30 Jul 2008 09:33:13 +0800
Message-ID: <488FC4D9.5030804@cn.fujitsu.com>
References: <488EADA7.4010209@cn.fujitsu.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
In-Reply-To: <488EADA7.4010209@cn.fujitsu.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
Cc: audit-list
List-Id: linux-audit@redhat.com

Hello Steve,

> echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 res=1'

Why does a message whose type is "CONFIG_CHANGE" contain a "key" field? The "CONFIG_CHANGE" audit message should only describe the audit object status.

You can get the audit message by the following steps:

1. # touch test1
2. # auditctl -w `pwd`/test1 -k haha
3. # mv test1 test2

I think we'd better not output the "key" field in "CONFIG_CHANGE" messages. What's your opinion? If you agree with me, I'll make a patch for the kernel.

Peng Haitao said the following on 2008-07-29 13:41:
> Hello Steve,
>
> Using option '-k key-string' cannot search out the log which contains the given key-string and whose message type is CONFIG_CHANGE.
>
> For example:
> echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 res=1' | ausearch -k haha
> The output is:
>
> Signed-off-by: Peng Haitao
> ---
>  src/ausearch-parse.c |   55 +++++++++++++++++++++++++++++++++++++++++++++++--
>  1 files changed, 52 insertions(+), 3 deletions(-)
>
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 0c38be1..fd00013 100755
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -1411,7 +1411,7 @@ static int parse_simple_message(const lnode *n, search_items *s) > errno = 0; > s->loginuid = strtoul(ptr, NULL, 10); > if (errno) > - return 2; > + return 1; > if (term) > *term = ' '; > else > @@ -1437,7 +1437,56 @@ static int parse_simple_message(const lnode *n, search_items *s) > else // Set it back to something sane > term = str; > } else > - return 3; > + return 2; > + } > + } > + > + if (event_key) { > + str = strstr(term, "key="); > + if (str != NULL) { > + if (!s->key) { > + //create > + s->key = malloc(sizeof(slist)); > + if (s->key == NULL) > + return 3; > + slist_create(s->key); > + } > + ptr = str + 4; > + if (*ptr == '"') { > + ptr++; > + term = strchr(ptr, '"'); > + if (term != NULL) { > + *term = 0; > + if (s->key) { > + // append > + snode sn; > + sn.str = strdup(ptr); > + sn.key = NULL; > + sn.hits = 1; > + slist_append(s->key, &sn); > + } > + *term = '"'; > + } else > + return 4; > + } else { > + if (s->key) { > + char *saved=NULL; > + char *keyptr = unescape(ptr); > + char *kptr = strtok_r(keyptr, > + key_sep, &saved); > + while (kptr) { > + snode sn; > + // append > + sn.str = strdup(kptr); > + sn.key = NULL; > + sn.hits = 1; > + slist_append(s->key, &sn); > + kptr = strtok_r(NULL, > + key_sep, &saved); > + } > + free(keyptr); > + } > + } > } > } > > @@ -1457,7 +1506,7 @@ static int parse_simple_message(const lnode *n, search_items *s) > errno = 0; > s->success = strtoul(ptr, NULL, 10); > if (errno) > - return 4; > + return 5; > if (term) > *term = ' '; > }
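Review bot: the `return 2` to `return 1` change at the loginuid `strtoul` failure in the first hunk (`@@ -1411,7 +1411,7 @@`) is unrelated to the key-search fix and only renumbers an existing error code; please either leave the existing codes untouched and give the two new failure points in the second hunk (the `malloc` failure and the missing closing quote) unused codes, or state in the commit message that the codes were shifted to stay sequential, so a reader of the diff is not left guessing why this line changed.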
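Review bot: in the `if (event_key)` block of the second hunk (`@@ -1437,7 +1437,56 @@`), `str = strstr(term, "key=")` has no leading space, so any field whose name merely ends in `key=` would also match; since the record reads `rule key="haha"`, searching for `" key="` (or accepting a match only when `str == term` or `str[-1] == ' '`) is safer. Two smaller points in the same hunk: the unquoted branch hands `ptr` to `unescape()` without terminating the field, so correctness depends on `unescape()` stopping at the first non-hex character rather than decoding into the following ` list=4 res=1`, which is worth confirming in this patch's description; and the `if (s->key)` tests inside both branches are redundant once the creation block above has already returned 3 on a NULL `s->key`, while the `strdup()` results are appended without a NULL check.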
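Review bot: `return 4` becoming `return 5` at the success-field `strtoul` failure in the third hunk (`@@ -1457,7 +1506,7 @@`) completes the renumbering started in the first hunk; nothing in the hunk otherwise explains why this failure's code changes, so if the renumbering is kept it belongs in the commit message, and if not, this hunk can be dropped entirely.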
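As an added example (not ausearch code and not the patch above), here is a small standalone parser for the audit `key=` field that covers both encodings the kernel emits, a quoted string and a hex string carrying several keys joined by a separator, and the edge cases the hunk above leaves to `unescape()`: where the field ends, `key=(null)`, and an odd digit count. The separator value (0x01, `KEY_SEP`) and the helper names are this example's own assumptions; the sample records are constructed, with the CONFIG_CHANGE line taken from the thread.

```c
#include <ctype.h>
#include <string.h>
#define MAX_KEYS 8
#define KEY_LEN  64
#define KEY_SEP  '\001'   /* assumed value of AUDIT_KEY_SEPARATOR joining several keys */
static char g_keys[MAX_KEYS][KEY_LEN];   /* filled by the last extract_keys() call */

/* Constructed sample records; the CONFIG_CHANGE line is the one quoted in the thread. */
static const char *rec_quoted = "node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): "
    "auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key=\"haha\" list=4 res=1";
static const char *rec_hex = "type=SYSCALL msg=audit(1217404709.683:23183): syscall=2 success=yes "
    "exit=3 key=6861686101666F6F";   /* hex of "haha" KEY_SEP "foo" */
static int hexval(int c)   /* -1 for anything that is not a hex digit, including the NUL */
{
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
                                : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}
static int store_key(int n, const char *p, size_t len)   /* copy one key into slot n; -1 if no room */
{
    if (n >= MAX_KEYS || len >= KEY_LEN) return -1;
    memcpy(g_keys[n], p, len); g_keys[n][len] = '\0'; return 0;
}

/* Number of keys in rec's key= field: 0 if absent or "(null)", -1 if malformed. */
int extract_keys(const char *rec)
{
    /* Leading space: a bare "key=" would also match any field name that merely ends in "key=". */
    const char *p = strstr(rec, " key=");
    if (!p) return 0;
    p += 5;
    if (*p == '(') return 0;                       /* key=(null): no key attached */
    if (*p == '"') {                               /* plain key: quoted, never holds KEY_SEP */
        const char *q = strchr(++p, '"');
        return (!q || store_key(0, p, (size_t)(q - p)) < 0) ? -1 : 1;
    }
    /* Hex-encoded key(s): decode pairwise up to the first non-hex char, splitting on KEY_SEP. */
    char buf[KEY_LEN]; size_t len = 0; int n = 0;
    for (; isxdigit((unsigned char)p[0]); p += 2) {
        int lo = hexval((unsigned char)p[1]);
        if (lo < 0) return -1;                     /* odd number of hex digits */
        char c = (char)((hexval((unsigned char)p[0]) << 4) | lo);
        if (c == KEY_SEP) { if (store_key(n++, buf, len) < 0) return -1; len = 0; }
        else if (len < sizeof buf - 1) buf[len++] = c;
        else return -1;                            /* one key longer than KEY_LEN */
    }
    if (len > 0 && store_key(n++, buf, len) < 0) return -1;
    return n > 0 ? n : -1;                         /* "key=" with nothing decodable is malformed */
}
const char *key_nth(int i) { return g_keys[i]; }
```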