On Monday, September 29, 2014 12:41:23 PM Burn Alting wrote:
> In lib/lookup_table.c:audit_name_to_msg_type(), the event type value is
> parsed and converted to an integer as per,
>
> Given
>   type=<type_value>
> then
>   <type_value>
> is parsed for
>   - a known string
>   - a long integer number, n, found in the specific string
>     "UNKNOWN[n]"
>   - a long integer number, n, found in the specific string
>     "n"
>
> In src/ausearch-report.c:output_interpreted_node() it additionally
> parses for a <type_value> of
>   - a long integer number, n, found in the string "[^\[]*[n].*"
> i.e.
>   type=something[n]something_else
This is specifically a fixup for the UNKNOWN[####] case. There is no other
value it can be. This originates here:

https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L1054

> Is there any reason against adding this additional parsing into
> lib/lookup_table.c:audit_name_to_msg_type()?

Additional parsing should not be needed.

> If we can, then output_interpreted_node() can be refactored so we are
> not parsing the same data twice for every event.

It should be safe to remove the "old code". I don't think
audit_name_to_msg_type() originally did the fixup. I think it was added
when libauparse needed the same thing.

> I am uncertain what effect accepting this additional format would
> have when adding rules to the running audit system - i.e.
> audit_name_to_msg_type() is called by autrace/auditctl when parsing
> rules (i.e. the msgtype field name).

I think ausearch-report.c might be the place that needs updating.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
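The four <type_value> forms discussed in the thread, as an added example (not code from the audit project and not the real audit_name_to_msg_type()). The function name parse_msg_type, the 'lenient' flag and the four-entry lookup table are assumptions made for illustration; the real library uses a generated table covering every record type. The example shows the strict behaviour that the lookup_table.c path accepts (known name, UNKNOWN[n], bare n) beside the looser something[n]something_else form that only the ausearch-report.c path accepts, so the two can be compared on the same inputs:

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed lookup table for the example. The numeric values are the
 * ones defined for these record types in linux/audit.h; the real library
 * table is generated and covers every known type. */
struct msg_type_entry { const char *name; int value; };
static const struct msg_type_entry known_types[] = {
    { "LOGIN",     1006 },
    { "USER_AUTH", 1100 },
    { "SYSCALL",   1300 },
    { "PATH",      1302 },
};

/* Parse an unsigned decimal in [0, INT_MAX] at s. The number must be
 * followed immediately by 'terminator' (']' or '\0'); leading spaces and
 * signs, which strtol would otherwise accept, are rejected. On success
 * *endp (if given) points at the terminator. Returns -1 on failure. */
static int parse_int(const char *s, char terminator, const char **endp)
{
    char *end;
    long n;

    if (!isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno != 0 || n < 0 || n > INT_MAX || *end != terminator)
        return -1;
    if (endp)
        *endp = end;
    return (int)n;
}

/* Hypothetical parser for the forms named in the thread:
 *   1. a known name                  "SYSCALL"       -> 1300
 *   2. the auditd fixup form         "UNKNOWN[1340]" -> 1340
 *   3. a bare number                 "1340"          -> 1340
 *   4. ausearch-report.c's form      "FOO[1340]bar"  -> 1340 (lenient only)
 * Returns -1 when nothing matches. With lenient == 0 only forms 1-3 are
 * accepted, which mirrors what a rule parser (auditctl/autrace) should
 * tolerate; lenient != 0 additionally accepts form 4. */
int parse_msg_type(const char *type_value, int lenient)
{
    size_t i;
    const char *lb;
    int n;

    /* Form 1: exact match against the known names. */
    for (i = 0; i < sizeof(known_types) / sizeof(known_types[0]); i++)
        if (strcmp(type_value, known_types[i].name) == 0)
            return known_types[i].value;

    /* Form 2: "UNKNOWN[n]" with nothing after the closing bracket. */
    if (strncmp(type_value, "UNKNOWN[", 8) == 0) {
        n = parse_int(type_value + 8, ']', &lb);
        if (n >= 0 && lb[1] == '\0')
            return n;
        /* otherwise fall through; only the lenient path may rescue it */
    }

    /* Form 3: the whole string is a number. */
    n = parse_int(type_value, '\0', NULL);
    if (n >= 0)
        return n;

    if (!lenient)
        return -1;

    /* Form 4: the first '[' followed by digits and ']', anywhere in the
     * string; whatever precedes or follows is ignored. */
    lb = strchr(type_value, '[');
    if (lb == NULL)
        return -1;
    return parse_int(lb + 1, ']', NULL);
}
```

Running the same inputs through both modes makes the thread's concern concrete: a value such as "FOO[1340]bar" is rejected by the strict parser but resolved by the lenient one, so accepting form 4 in the shared library would change what auditctl treats as a valid msgtype in a rule.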
