Hello Steve,

The value of "acct=" which is not in double quotation marks cannot be gotten correctly.

The log is:
type=USER_CHAUTHTOK msg=audit(1167580800.033:178653): user pid=23192 uid=0 
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user 
acct=aulog exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/6 
res=success)'

Signed-off-by: Peng Haitao <[EMAIL PROTECTED]>

---
 src/ausearch-parse.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index d9c305a..b80b984 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -791,13 +791,12 @@ static int parse_user(const lnode *n, search_items *s)
                                *term = saved;
                        } else { 
                                /* Handle legacy accts */
-                               char *end = term;
+                               char *end = ptr;
                                int legacy = 0;
 
                                while (*end != ' ') {
                                        if (!isxdigit(*end)) {
                                                legacy = 1;
-                                               break;
                                        }
                                        end++;
                                }
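Review bot: In the while (*end != ' ') loop, removing the break also removes the only thing that stopped the scan at the end of the string. A NUL byte is not a hex digit, so the old code set legacy = 1 and left the loop there; with the break gone, end++ keeps advancing until a space is found, which reads past the terminator whenever no space follows the acct value in the buffer. Suggest bounding the loop explicitly, e.g. while (*end && *end != ' '), and casting the isxdigit() argument to unsigned char while this loop is being touched.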
-- 
1.5.3


-- 
Regards
Peng Haitao

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
