Hello Steve, 

With option '-k key-string', ausearch cannot find a log entry that contains the given
key-string when the message type is CONFIG_CHANGE.

For example:
echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182): auid=0 
subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha" list=4 
res=1' | ausearch -k haha
The output is: <no matches>

Signed-off-by: Peng Haitao <[EMAIL PROTECTED]>
---
 src/ausearch-parse.c |   55 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 0c38be1..fd00013 100755
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1411,7 +1411,7 @@ static int parse_simple_message(const lnode *n, 
search_items *s)
        errno = 0;
        s->loginuid = strtoul(ptr, NULL, 10);
        if (errno)
-               return 2;
+               return 1;
        if (term)
                *term = ' ';
        else
@@ -1437,7 +1437,56 @@ static int parse_simple_message(const lnode *n, 
search_items *s)
                                else    // Set it back to something sane
                                        term = str;
                        } else
-                               return 3;
+                               return 2;
+               }
+       }
+
+       if (event_key) {
+               str = strstr(term, "key=");
+               if (str != NULL) {
+                       if (!s->key) {
+                               //create
+                               s->key = malloc(sizeof(slist));
+                               if (s->key == NULL)
+                                       return 3;
+                               slist_create(s->key);
+                       }
+                       ptr = str + 4;
+                       if (*ptr == '"') {
+                               ptr++;
+                               term = strchr(ptr, '"');
+                               if (term != NULL) {
+                                       *term = 0;
+                                       if (s->key) {
+                                               // append
+                                               snode sn;
+                                               sn.str = strdup(ptr);
+                                               sn.key = NULL;
+                                               sn.hits = 1;
+                                               slist_append(s->key, &sn);
+                                       }
+                                       *term = '"';
+                               } else
+                                       return 4;
+                       } else {
+                               if (s->key) {
+                                       char *saved=NULL;
+                                       char *keyptr = unescape(ptr);
+                                       char *kptr = strtok_r(keyptr,
+                                               key_sep, &saved);
+                                       while (kptr) {
+                                               snode sn;
+                                               // append
+                                               sn.str = strdup(kptr);
+                                               sn.key = NULL;
+                                               sn.hits = 1;
+                                               slist_append(s->key, &sn);
+                                               kptr = strtok_r(NULL,
+                                                       key_sep, &saved);
+                                       }
+                                       free(keyptr);
+                               }
+                       }
                }
        }
 
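Review bot: The results of the two `sn.str = strdup(...)` calls and of `unescape(ptr)` before the `strtok_r` call are never checked, although the `malloc` for `s->key` a few lines above returns 3 on failure; on an allocation failure the quoted branch appends a node with a NULL `str` and the unquoted branch passes NULL to `strtok_r`. Adding `if (sn.str == NULL) return 3;` after each strdup and `if (keyptr == NULL) return 3;` after unescape would make the new branch fail the same way the create block does (reusing 3 assumes callers treat the codes as a generic failure — confirm against the caller). The inner `if (s->key)` tests are always true once the create block has run, so they could be dropped or given a comment saying why they are kept. parse_simple_message begins and ends outside this hunk.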
@@ -1457,7 +1506,7 @@ static int parse_simple_message(const lnode *n, 
search_items *s)
                errno = 0;
                s->success = strtoul(ptr, NULL, 10);
                if (errno)
-                       return 4;
+                       return 5;
                if (term)
                        *term = ' ';
        }
-- 
1.5.4.2


-- 
Regards
Peng Haitao
