auparse, stdin, and AUPARSE_CB_EVENT_READY
Steve Grubb
sgrubb at redhat.com
Wed Mar 7 17:19:02 UTC 2012
On Wednesday, March 07, 2012 11:50:26 AM Guillaume Destuynder wrote:
> Below patch "fixes" it. The problem is that if you have a node name
> included in the message, and that it's a long hostname, it's just not
> copying a long enough string, and it will fail to parse the message
> serial. When the serial is incorrect, auparse will fail to group them
> and notify with AUPARSE_CB_EVENT_READY as a consequence.
>
> Now, I write this "fixes" it because if you have a really, really long
> hostname, it will fail in the same manner.
Yes. It looks like we support names up to 255 bytes. So, the "fix" needs more to
it. This also affects ausearch/report as well. Since this points directly to the
problem, the real fix should be straightforward.
> Or just do away with strtok and avoid duping strings.
Sure, that's the long term plan.
-Steve
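
Added example, not part of the original message and not auparse code: a sketch of the failure discussed above and of the "no strtok, no duped strings" direction, parsing the msg=audit(SEC.MS:SERIAL) header in place. The function names, the 64-byte buffer size and the sample record are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMALL_BUF 64 /* constructed size, not auparse's real buffer */

/* Hypothetical helper: parse "msg=audit(SEC.MS:SERIAL)" in place, with no
 * strtok() and no copy. Returns the serial, or -1 if the header is malformed. */
static long long parse_serial(const char *rec)
{
    const char *p = strstr(rec, "msg=audit(");
    char *end;
    long long serial;

    if (p == NULL || (p != rec && p[-1] != ' '))
        return -1;
    p += strlen("msg=audit(");
    if (!isdigit((unsigned char)*p))
        return -1;
    (void)strtoull(p, &end, 10);                /* seconds */
    if (*end != '.' || !isdigit((unsigned char)end[1]))
        return -1;
    (void)strtoull(end + 1, &end, 10);          /* milliseconds */
    if (*end != ':' || !isdigit((unsigned char)end[1]))
        return -1;
    serial = (long long)strtoull(end + 1, &end, 10);
    return *end == ')' ? serial : -1;
}

/* Failure mode from the thread: parse a copy too short for the node name. */
static long long parse_serial_truncated(const char *rec)
{
    char head[SMALL_BUF];
    snprintf(head, sizeof(head), "%s", rec);    /* silently truncates */
    return parse_serial(head);
}

/* Constructed record whose node= field is a 255-byte hostname. */
static const char *long_node_record(void)
{
    static char rec[512];
    char host[256];
    memset(host, 'a', 255);
    host[255] = '\0';
    snprintf(rec, sizeof(rec), "node=%s type=SYSCALL "
             "msg=audit(1331140742.123:4567): arch=c000003e", host);
    return rec;
}

int main(void)
{
    printf("truncated copy: %lld\n", parse_serial_truncated(long_node_record()));
    printf("in place:       %lld\n", parse_serial(long_node_record()));
    return 0;
}
```

Because the in-place parser never copies the record, the node name length has no effect on whether the serial is found.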