Steve,

In lib/lookup_table.c:audit_name_to_msg_type(), the event type value is
parsed and converted to an integer as per,

Given
        type=<type_value> 
then
        <type_value>
is parsed for
        - a known string 
        - a long integer number, n, found in the specific string
                "UNKNOWN[n]"
        - a long integer number, n, found in the specific string
                "n"

In src/ausearch-report.c:output_interpreted_node() it additionally
parses for a <type_value> of
        - a long integer number, n, found in the string "[^\[]*[n].*"
i.e.
        type=something[n]something_else

Is there any reason against adding this additional parsing into
lib/lookup_table.c:audit_name_to_msg_type()?

If we can, then output_interpreted_node() can be re-factored so we are
not parsing the same data twice for every event.

I am uncertain what effect accepting this additional format would
have when adding rules to the running audit system - i.e.
audit_name_to_msg_type() is called by autrace/auditctl when parsing
rules (i.e. the msgtype field name).


Regards

Burn




--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
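
A sketch of the accepted forms listed in the message above, as an added example that is not part of the original post and not the audit project's code. The names `type_strict`, `type_lenient` and `num_at` are hypothetical and the two-entry name table is a constructed stand-in; the two grammars are kept separate so a rule-parsing caller can stay on the strict one while report code opts into the extra format.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the library's name table (two entries only). */
static const struct { const char *name; long type; } known[] = {
    { "SYSCALL", 1300 }, { "PATH", 1302 },
};

/* Parse an unsigned decimal at s; -1 on failure, *end set past the digits. */
static long num_at(const char *s, const char **end) {
    char *e;
    if (!isdigit((unsigned char)*s)) return -1;  /* no sign, no whitespace */
    errno = 0;
    long n = strtol(s, &e, 10);
    *end = e;
    return errno ? -1 : n;
}

/* Strict grammar: known name, exactly "UNKNOWN[n]", or exactly "n". */
long type_strict(const char *v) {
    const char *end;
    long n;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(v, known[i].name) == 0) return known[i].type;
    if (strncmp(v, "UNKNOWN[", 8) == 0) {
        n = num_at(v + 8, &end);
        return (n >= 0 && strcmp(end, "]") == 0) ? n : -1;
    }
    n = num_at(v, &end);
    return (n >= 0 && *end == '\0') ? n : -1;
}

/* Lenient grammar: strict forms plus "something[n]something_else". */
long type_lenient(const char *v) {
    const char *end, *lb;
    long n = type_strict(v);
    if (n >= 0) return n;
    if ((lb = strchr(v, '[')) == NULL) return -1;
    n = num_at(lb + 1, &end);
    return (n >= 0 && *end == ']') ? n : -1;
}

int main(void) {
    const char *s = "something[1327]something_else"; /* constructed input */
    printf("strict=%ld lenient=%ld\n", type_strict(s), type_lenient(s));
    return 0;
}
```
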
