[PATCH] ausearch improvements
Miloslav Trmac
mitr at redhat.com
Sun Nov 18 10:44:32 UTC 2007
Hello,
the attached patch adds some functionality to ausearch. It consists of
two main parts:
ausearch_add_interpreted_item() behaves like ausearch_add_item(), but
the conditions are evaluated by comparing the interpreted field value,
not the raw value (e.g. ("uid", "=", "mitr") instead of ("uid", "=",
"500")). In principle, the application using ausearch could contain its
own code to "un-interpret" field values, but I think it is cleaner when
the only place that maps raw and interpreted value is libauparse. The
current implementation simply interprets the value of each field before
performing the comparison; in the future, the implementation could be
changed to "un-interpret" the supplied value when creating the rule if
the current implementation turns out to be too slow.
ausearch_add_timestamp_item() allows placing conditions on event
timestamp.
In addition, the patch fixes checking whether the operator is unknown in
ausearch_add_item().
Mirek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-ausearch.patch
Type: text/x-patch
Size: 21481 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20071118/82f1cf4a/attachment.bin>
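The three behaviours the mail describes (comparing a rule against the interpreted rather than the raw field value, constraining the event timestamp, and rejecting an unknown operator when the rule is created) as an added toy model; this is not libauparse code and not the attached patch, and the uid-to-name table, the field records and the sample event are constructed stand-ins for what libauparse derives from the audit log and passwd.

```c
/* Added toy model of the ausearch rule semantics described above; not libauparse code.
 * The uid table, the record layout and the sample event are constructed. */
#include <string.h>
#include <time.h>

struct field { const char *name; const char *raw; };
struct event { time_t sec; struct field fields[3]; int nfields; };

/* Constructed stand-in for the passwd lookup libauparse performs when interpreting. */
static const char *interpret(const char *name, const char *raw) {
    if (strcmp(name, "uid") == 0 || strcmp(name, "auid") == 0) {
        if (strcmp(raw, "0") == 0) return "root";
        if (strcmp(raw, "500") == 0) return "mitr";
    }
    return raw; /* fields without an interpretation compare as-is */
}

/* Only "=" and "!=" are known here; anything else is rejected at rule-creation time. */
static int known_op(const char *op) {
    return strcmp(op, "=") == 0 || strcmp(op, "!=") == 0;
}

static int cmp_ok(const char *op, const char *have, const char *want) {
    int eq = strcmp(have, want) == 0;
    return strcmp(op, "=") == 0 ? eq : !eq;
}

/* Field rule. interpreted != 0 compares interpret(raw) instead of raw, the way
 * ausearch_add_interpreted_item() differs from ausearch_add_item().
 * Returns 1 on match, 0 on no match, -1 for an unknown operator. */
int match_item(const struct event *ev, const char *field, const char *op,
               const char *value, int interpreted) {
    if (!known_op(op)) return -1;
    for (int i = 0; i < ev->nfields; i++) {
        if (strcmp(ev->fields[i].name, field) != 0) continue;
        const char *have = interpreted ? interpret(field, ev->fields[i].raw) : ev->fields[i].raw;
        return cmp_ok(op, have, value);
    }
    return 0; /* field absent from the event */
}

/* Timestamp rule: op is "<", ">" or "=" against the event's seconds value. */
int match_timestamp(const struct event *ev, const char *op, time_t sec) {
    if (strcmp(op, "<") == 0) return ev->sec < sec;
    if (strcmp(op, ">") == 0) return ev->sec > sec;
    if (strcmp(op, "=") == 0) return ev->sec == sec;
    return -1;
}

/* Constructed sample event: raw uid 500 (interpreted "mitr"), raw auid 0 ("root"). */
const struct event sample = { 1195382672, { {"uid", "500"}, {"auid", "0"}, {"comm", "sshd"} }, 3 };
```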