Hi again,
For what it's worth, I dug through the code a bit, and am pretty sure that this
particular issue exists in lines 71-78 of ellist.c:

    ptr = strtok_r(buf, " ", &saved);
    if (ptr == NULL)
        return -1;
    do {    // If there's an '=' sign, its a keeper
        nvnode n;
        char *val = strchr(ptr, '=');
        if (val) {

Basically, it's splitting the string at " " and discarding anything that
doesn't contain '=', which is what is resulting in anything after the initial
space in a field being discarded. Splitting at '\s\w+=' (pardon my regexp)
instead would allow for the desired results, unless I'm mistaken, but would
require some significant recoding of that function (beyond my capacity as a C
programmer without much fail and gnashing of teeth). I hope this is helpful!
Best regards,
Jonathan Kelly
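
Added example (not part of the original message and not the audit project's code): a sketch of the split-at-"space followed by name=" rule suggested above, so that spaces inside a value are kept. The names `struct field`, `starts_field` and `split_fields` are hypothetical, and the rule that a name consists of letters, digits, '_' or '-' is an assumption.

```c
#include <ctype.h>
#include <string.h>

struct field { char *name; char *val; };   /* hypothetical type */

/* True if p begins with one or more word characters followed by '='. */
static int starts_field(const char *p)
{
    const char *q = p;
    while (isalnum((unsigned char)*q) || *q == '_' || *q == '-')
        q++;
    return q > p && *q == '=';
}

/* Split buf in place into name/value pairs; returns the count or -1. */
int split_fields(char *buf, struct field *out, int max)
{
    int n = 0;
    char *p = buf;

    /* Skip leading tokens that carry no name=. */
    while (*p && !starts_field(p)) {
        p = strchr(p, ' ');
        if (p == NULL)
            return -1;
        while (*p == ' ')
            p++;
    }
    while (*p && n < max) {
        char *eq = strchr(p, '=');      /* present: p is a field start */
        char *end = eq + 1, *t;
        int last;
        /* The value ends only at a space that begins another name=. */
        while (*end && !(*end == ' ' && starts_field(end + 1)))
            end++;
        last = (*end == '\0');
        for (t = end; t > eq + 1 && t[-1] == ' '; t--)
            ;                           /* trim trailing spaces */
        *t = '\0';
        *eq = '\0';
        out[n].name = p;
        out[n].val = eq + 1;
        n++;
        if (last)
            break;
        p = end + 1;
    }
    return n ? n : -1;
}
```

A value that itself contains a space followed by `word=` is still split under this rule, so a log consumer cannot use it alone to tell a real field from text embedded in a value.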