Hello Steve,
> echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182):
> auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha"
> list=4 res=1'
Why does a message of type "CONFIG_CHANGE" contain a "key" field?
The "CONFIG_CHANGE" audit message should only describe the audit object status.
You can reproduce the audit message with the following steps:
1. # touch test1
2. # auditctl -w `pwd`/test1 -k haha
3. # mv test1 test2
I think we had better not output the "key" field in "CONFIG_CHANGE" messages.
What is your opinion? If you agree with me, I'll prepare a patch for the kernel.
Peng Haitao said the following on 2008-07-29 13:41:
> Hello Steve,
>
> Using the option '-k key-string' cannot find a log record that contains the given
> key-string when the message type is CONFIG_CHANGE.
>
> For example:
> echo 'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217404709.683:23182):
> auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="haha"
> list=4 res=1' | ausearch -k haha
> The output is: <no matches>
>
> Signed-off-by: Peng Haitao <[EMAIL PROTECTED]>
> ---
> src/ausearch-parse.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++--
> 1 files changed, 52 insertions(+), 3 deletions(-)
>
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 0c38be1..fd00013 100755
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -1411,7 +1411,7 @@ static int parse_simple_message(const lnode *n,
> search_items *s)
> errno = 0;
> s->loginuid = strtoul(ptr, NULL, 10);
> if (errno)
> - return 2;
> + return 1;
> if (term)
> *term = ' ';
> else
> @@ -1437,7 +1437,56 @@ static int parse_simple_message(const lnode *n,
> search_items *s)
> else // Set it back to something sane
> term = str;
> } else
> - return 3;
> + return 2;
> + }
> + }
> +
> + if (event_key) {
> + str = strstr(term, "key=");
> + if (str != NULL) {
> + if (!s->key) {
> + //create
> + s->key = malloc(sizeof(slist));
> + if (s->key == NULL)
> + return 3;
> + slist_create(s->key);
> + }
> + ptr = str + 4;
> + if (*ptr == '"') {
> + ptr++;
> + term = strchr(ptr, '"');
> + if (term != NULL) {
> + *term = 0;
> + if (s->key) {
> + // append
> + snode sn;
> + sn.str = strdup(ptr);
> + sn.key = NULL;
> + sn.hits = 1;
> + slist_append(s->key, &sn);
> + }
> + *term = '"';
> + } else
> + return 4;
> + } else {
> + if (s->key) {
> + char *saved=NULL;
> + char *keyptr = unescape(ptr);
> + char *kptr = strtok_r(keyptr,
> + key_sep, &saved);
> + while (kptr) {
> + snode sn;
> + // append
> + sn.str = strdup(kptr);
> + sn.key = NULL;
> + sn.hits = 1;
> + slist_append(s->key, &sn);
> + kptr = strtok_r(NULL,
> + key_sep, &saved);
> + }
> + free(keyptr);
> + }
> + }
> }
> }
>
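Review bot: In the unquoted branch, `char *keyptr = unescape(ptr);` is handed everything after `key=` to the end of the record, because unlike the quoted branch it never looks for a terminator; for a CONFIG_CHANGE record, where `list=4 res=1` follow the key field in the example in the description, a hex-encoded key would be decoded together with ` list=4 res=1` (unescape()'s contract is not visible here, but nothing in this hunk bounds its input). Terminate at the next space before decoding and restore it afterwards, and check the unescape() result for NULL before handing it to strtok_r(), whose behaviour on a NULL string with a NULL save pointer is undefined. The `sn.str = strdup(...)` results in both branches are appended unchecked, so an allocation failure puts a NULL string into the list. The inner `if (s->key)` tests are always true after the creation block at the top of the `if (event_key)` body and could be dropped. parse_simple_message() begins and ends outside this hunk.
```c
/* … unchanged: key list creation and the quoted-key branch … */
} else {
	/* Hex-encoded key: CONFIG_CHANGE records carry more fields
	 * after key=, so decode only up to the field separator. */
	char *saved = NULL;
	char *keyptr, *kptr, *end = ptr;
	char sep;

	while (*end && *end != ' ')
		end++;
	sep = *end;
	*end = 0;
	keyptr = unescape(ptr);
	*end = sep;
	if (keyptr == NULL)
		return 4;	/* undecodable key, same class as a bad quoted key */
	kptr = strtok_r(keyptr, key_sep, &saved);
	while (kptr) {
		snode sn;
		sn.str = strdup(kptr);
		if (sn.str == NULL) {
			free(keyptr);
			return 3;	/* allocation failure, as for the list itself */
		}
		sn.key = NULL;
		sn.hits = 1;
		slist_append(s->key, &sn);
		kptr = strtok_r(NULL, key_sep, &saved);
	}
	free(keyptr);
}
```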
> @@ -1457,7 +1506,7 @@ static int parse_simple_message(const lnode *n,
> search_items *s)
> errno = 0;
> s->success = strtoul(ptr, NULL, 10);
> if (errno)
> - return 4;
> + return 5;
> if (term)
> *term = ' ';
> }