Hello Steve, 

Running the command "aureport -au" produces imperfect output.

For example:
[EMAIL PROTECTED] ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/22/2008 09:24:39 acct="aulltest rhel5.2ga ssh /usr/sbin/sshd yes 5208350

The reports have a column label at the top to help with interpretation of the 
various fields,
So 'acct="aulltest' should be modified to 'aulltest' in the line 1.

Signed-off-by: Peng Haitao <[EMAIL PROTECTED]>
---
 src/ausearch-parse.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 5fdf8c7..141fdee 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -786,7 +786,8 @@ static int parse_user(const lnode *n, search_items *s)
                                        term++;
                                saved = *term;
                                *term = 0;
-                               s->acct = strdup(str);
+                               ptr++;
+                               s->acct = strdup(ptr);
                                *term = saved;
                        } else { 
                                /* Handle legacy accts */
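Review bot: The new `s->acct = strdup(ptr);` stores the result unchecked, so an allocation failure leaves `s->acct` NULL with nothing reported to the caller; the same applies to the legacy-branch `strdup(ptr)` and to `unescape(ptr)` in the second hunk. The acct field of an authentication record is presumably the name supplied at login, so a silently dropped value weakens the report; an `if (s->acct == NULL)` check followed by whatever error return parse_user uses elsewhere (not visible here) would make the failure explicit. `ptr++` also changes `ptr` for any later use, whereas `s->acct = strdup(ptr + 1); /* skip the opening quote */` does the same without the side effect. The function starts and ends outside this hunk, so the assumption that `ptr` points at the opening quote is inferred from the commit message rather than from visible code.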
@@ -802,11 +803,11 @@ static int parse_user(const lnode *n, search_items *s)
                                }
                                term = end;
                                if (!legacy)
-                                       s->acct = unescape(str);
+                                       s->acct = unescape(ptr);
                                else {
                                        saved = *term;
                                        *term = 0;
-                                       s->acct = strdup(str);
+                                       s->acct = strdup(ptr);
                                        *term = saved;
                                }
                        }
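Review bot: In the `!legacy` branch, `unescape(ptr)` receives the buffer without the temporary `*term = 0` that the `else` branch applies before `strdup(ptr)`, so the decoded length depends on unescape() stopping on its own at the end of the value. unescape() is not visible in this hunk. If it does stop at the first non-hex character, a short comment such as `/* unescape() stops at the first non-hex character, so no terminator is needed */` would record that; otherwise this branch should terminate at `term` the same way the legacy branch does. The enclosing block begins before the hunk.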


-- 
Regards
Peng Haitao
