From: Steve Grubb
Subject: Re: Refactoring src/ausearch-report.c:output_interpreted_node()
Date: Wed, 01 Oct 2014 14:54:12 -0400
Message-ID: <74328756.3cWZp6NFET@x2>
In-Reply-To: <1411958483.2752.33.camel@swtf.swtf.dyndns.org>
References: <1411958483.2752.33.camel@swtf.swtf.dyndns.org>
To: linux-audit@redhat.com, burn@swtf.dyndns.org
List-Id: linux-audit@redhat.com

On Monday, September 29, 2014 12:41:23 PM Burn Alting wrote:
> In lib/lookup_table.c:audit_name_to_msg_type(), the event type value is
> parsed and converted to an integer as per,
>
> Given
> type=
> then
>
> is parsed for
> - a known string
> - a long integer number, n, found in the specific string
>   "UNKNOWN[n]"
> - a long integer number, n, found in the specific string
>   "n"
>
> In src/ausearch-report.c:output_interpreted_node() it additionally
> parses for a of
> - a long integer number, n, found in the string "[^\[]*[n].*"
>   i.e.
>   type=something[n]something_else

This is specifically a fixup for the UNKNOWN[####] case. There is no other
value it can be. This originates here:

https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L1054

> Is there any reason against adding this additional parsing into
> lib/lookup_table.c:audit_name_to_msg_type()?

Additional parsing should not be needed.

> If we can, then output_interpreted_node() can be re-factored so we are
> not parsing the same data twice for every event.

It should be safe to remove the "old code". I don't think
audit_name_to_msg_type() originally did the fixup. I think it was added when
libauparse needed the same thing.

> I am uncertain what effect accepting this additional format would
> have when adding rules to the running audit system - i.e.
> audit_name_to_msg_type() is called by autrace/auditctl when parsing
> rules (i.e. the msgtype field name).

I think ausearch-report.c might be the place that needs updating.

-Steve
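Worked example, added to this archive page and not taken from the audit project: a small C model of the two parsing passes the thread compares. demo_name_to_msg_type() accepts exactly the three forms attributed above to lib/lookup_table.c:audit_name_to_msg_type() (a known name, "UNKNOWN[n]", a bare "n"), and demo_bracketed_anywhere() models the looser "[^\[]*[n].*" scan attributed to output_interpreted_node(). The function names, the six-entry record-type table (a constructed subset; the real library uses a generated table) and the sample strings are all assumptions made for the example. Running both passes over the same inputs shows the point of the reply: for the one value the fixup was written for, UNKNOWN[####], the strict parser already returns the number, so the second pass only differs on inputs the strict parser rejects.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed subset of the audit record-type table (assumption: the real
 * lib/lookup_table.c uses a generated table covering every type). */
struct msg_type { const char *name; int value; };
static const struct msg_type known_types[] = {
    { "SYSCALL", 1300 }, { "PATH", 1302 },   { "CONFIG_CHANGE", 1305 },
    { "CWD", 1307 },     { "EXECVE", 1309 }, { "AVC", 1400 },
};

/* Parse "[n]" at p (p must point at '['). On success returns n and, when
 * endp is non-NULL, stores the position just past ']'. Returns -1 for a
 * missing or malformed bracket, a negative value, or overflow. */
static long bracketed_number(const char *p, const char **endp)
{
    char *end;
    long n;

    if (p == NULL || *p != '[' || !isdigit((unsigned char)p[1]))
        return -1;
    errno = 0;
    n = strtol(p + 1, &end, 10);
    if (errno != 0 || *end != ']' || n < 0 || n > INT_MAX)
        return -1;
    if (endp)
        *endp = end + 1;
    return n;
}

/* Strict pass: the three formats the mail attributes to
 * audit_name_to_msg_type(). Anything else yields -1. */
int demo_name_to_msg_type(const char *name)
{
    const char *rest = NULL;
    char *end;
    size_t i;
    long n;

    if (name == NULL || *name == '\0')
        return -1;

    /* 1. a known string */
    for (i = 0; i < sizeof(known_types) / sizeof(known_types[0]); i++)
        if (strcmp(name, known_types[i].name) == 0)
            return known_types[i].value;

    /* 2. "UNKNOWN[n]" with nothing after the closing bracket */
    if (strncmp(name, "UNKNOWN", 7) == 0) {
        n = bracketed_number(name + 7, &rest);
        return (n >= 0 && *rest == '\0') ? (int)n : -1;
    }

    /* 3. a bare decimal number "n" */
    if (isdigit((unsigned char)*name)) {
        errno = 0;
        n = strtol(name, &end, 10);
        if (errno == 0 && *end == '\0' && n <= INT_MAX)
            return (int)n;
    }
    return -1;
}

/* Loose pass: the "[^\[]*[n].*" scan the mail attributes to
 * output_interpreted_node(): first bracketed number anywhere in the
 * string, leading and trailing text ignored. */
int demo_bracketed_anywhere(const char *name)
{
    long n = bracketed_number(name ? strchr(name, '[') : NULL, NULL);
    return n >= 0 ? (int)n : -1;
}

int main(void)
{
    /* Constructed sample type= values. */
    const char *samples[] = { "SYSCALL", "UNKNOWN[1234]", "1234",
                              "something[42]something_else", "UNKNOWN[12]x" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s strict=%5d  loose=%5d\n", samples[i],
               demo_name_to_msg_type(samples[i]),
               demo_bracketed_anywhere(samples[i]));
    return 0;
}
```

The strict pass rejects "UNKNOWN[12]x" and "something[42]something_else", which the loose scan would accept; that is the behavioural difference a refactor that drops the second pass has to decide on, and the reply's position is that only the UNKNOWN[####] shape actually occurs.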