On Wednesday, February 08, 2012 12:04:58 PM Marcelo Cerri wrote:
> Auvirt adds quotes to the given VM name when creating the search criteria.
> With the previous patch, this workaround is no longer needed and this
> patch removes it.

What you are seeing here is actually a different problem. The description you have:

  using the example above the following rule will not match:

  ausearch_add_item(au, "vm", "=", "guest-name", how);

  But this rule will match:

  ausearch_add_item(au, "vm", "=", "\"guest-name\"", how);

describes the following issue. If you look at the vm field type, it has this relationship in typetab.h:

  _S(AUPARSE_TYPE_ESCAPED, "vm"

Which means that if you are not getting a hit, the search algorithm might need fixing. If the searched field type is escaped, the algorithm should escape the field and then do the match. For example, what if you have a vm name of "test run"? It will wind up being escaped and looking like hex encoded ascii. This is much worse than just adding quotes.

So, I think the best solution is to make this invisible to the outside world. The function call ausearch_add_item() should do a type lookup of the field and then escape the value if the returned type is AUPARSE_TYPE_ESCAPED.

On output, your program probably wants to call auparse_get_field_type() and if it's AUPARSE_TYPE_ESCAPED, then call auparse_interpret_field() and output that.

-Steve
