On Thu, 2009-03-26 at 08:06 -0400, Miloslav Trmac wrote: > Hello, > ausearch -i and libauparse currently crash (access NULL) if a mode= field > contains an unknown file type. Such records are generated by the kernel for > IPC, e.g. > > node=jcdx156 type=IPC msg=audit(1237915952.720:2294): ouid=500 ogid=1106 > mode=0600 obj=siterep_u:siterep_r:siterep_t:s0-s15:c0.c1023 > > The attached patch: > * Modifies ausearch and libauparse to output the file format in octal if it > is unknown. > * Modifies libauparse to use the same interpreted field format as ausearch > (without a space in the middle). > * Modifies comma handling in libauparse to avoid a strcat() call. > > Mirek
Mirek, Thank you for this patch...wherever it may be. :) I really appreciate you fixing this! Do you have a standard auparse test you use to track these down? If so, does it use auparse_feed? Thanks again, LCB. -- LC (Lenny) Bruzenak [email protected] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
