ausearch question
Burn Alting
burn at swtf.dyndns.org
Mon Apr 7 06:29:34 UTC 2014
All,
I note when interpreting raw audit with the ausearch --interpret option,
the code in src/ausearch-report.c:output_interpreted_node(), when
parsing key value pairs which are not enclosed in double or single
quotes, looks for embedded commas in the value part and, if found,
effectively terminates the value at the comma. This, in effect, makes the
data after the comma the start of the next key (if any). There are some
exceptions in the code (audit_type == AUDIT_VIRT_MACHINE_ID,
AUDIT_OBJ_PID, AUDIT_PATH and AUDIT_IPC).
What sort of input is this addressing?
Are there examples?
Thanks in advance
Burn
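
The splitting behaviour described in the message above, as an added example that is not part of the original post and is not code from the audit project. It is a simplified model: `split_fields`, the `"OTHER"` record type and the sample record bodies are constructed for illustration, and the exempt types are matched by name rather than by their numeric constants.

```c
#include <stdio.h>
#include <string.h>

#define MAXTOK 16
#define TOKLEN 64

/* Record types the message names as exceptions, kept as plain strings. */
static const char *exempt_types[] = { "VIRT_MACHINE_ID", "OBJ_PID", "PATH", "IPC", NULL };

static int is_exempt(const char *type) {
    for (int i = 0; exempt_types[i]; i++)
        if (strcmp(type, exempt_types[i]) == 0) return 1;
    return 0;
}

/* Hypothetical helper: split "k=v k=v ..." into tokens, return the count. */
int split_fields(const char *type, const char *body, char out[][TOKLEN]) {
    int n = 0, exempt = is_exempt(type);
    const char *p = body;
    while (n < MAXTOK) {
        while (*p == ' ' || *p == ',') p++;           /* skip separators */
        if (!*p) break;
        const char *start = p, *eq = strchr(p, '='), *sp = strchr(p, ' ');
        if (eq && (!sp || eq < sp)) {                 /* key=value word */
            p = eq + 1;
            if (*p == '"' || *p == '\'') {            /* quoted: run to closing quote */
                const char *close = strchr(p + 1, *p);
                p = close ? close + 1 : p + strlen(p);
            } else {                                  /* unquoted: space or comma ends it */
                while (*p && *p != ' ' && (exempt || *p != ',')) p++;
            }
        } else {                                      /* no '=': bare word */
            while (*p && *p != ' ') p++;
        }
        size_t len = (size_t)(p - start);
        if (len >= TOKLEN) len = TOKLEN - 1;
        memcpy(out[n], start, len);
        out[n++][len] = '\0';
    }
    return n;
}

int main(void) {
    char out[MAXTOK][TOKLEN];
    /* Constructed sample: an unquoted value containing a comma. */
    int n = split_fields("OTHER", "name=/tmp/a,b mode=0100644", out);
    for (int i = 0; i < n; i++) printf("[%s]\n", out[i]);
    return 0;
}
```

For a non-exempt type the value `/tmp/a,b` is cut at the comma and `b` becomes the start of the next token; the same body under `PATH` keeps the value whole, and a quoted value is never split.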