Hello,
audit_log_acct_message() is currently quoting acct differently from all
other users: it adds quotes to acct if it is represented in hexadecimal,
not when it is represented as-is.
The attached patch fixes it - but it also changes the format of some of
the most-often used messages. It might be better to leave the message
format alone, and add a special case to libauparse and other
applications that parse the logs - I have no idea.
Mirek
diff -up audit-1.6.7/lib/audit_logging.c.quotes audit-1.6.7/lib/audit_logging.c
--- audit-1.6.7/lib/audit_logging.c.quotes 2008-03-04 04:34:38.000000000 +0100
+++ audit-1.6.7/lib/audit_logging.c 2008-03-04 04:35:33.000000000 +0100
@@ -378,10 +378,10 @@ int audit_log_acct_message(int audit_fd,
}
if (enc)
format =
- "op=%s acct=\"%s\" exe=%s (hostname=%s, addr=%s, terminal=%s res=%s)";
+ "op=%s acct=%s exe=%s (hostname=%s, addr=%s, terminal=%s res=%s)";
else
format =
- "op=%s acct=%s exe=%s (hostname=%s, addr=%s, terminal=%s res=%s)";
+ "op=%s acct=\"%s\" exe=%s (hostname=%s, addr=%s, terminal=%s res=%s)";
snprintf(buf, sizeof(buf), format,
op, user, pgname,
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
