On Tuesday, September 14, 2021 9:55:48 PM EDT Enzo Matsumiya wrote:
> When audit.log is opened with cat or less, for example, with log format
> = ENRICHED, there's no space between data and the enriched part, only
> AUDIT_INTERP_SEPARATOR (0x1d):
This is by design.
> type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo"
> AUID="unset" ^ (0x1d)
>
> sep_done should be checked if it's 1 as well, so a space is added before
> the first enriched field.
Why?
Thanks,
-Steve
> Signed-off-by: Enzo Matsumiya <ematsum...@suse.de>
> ---
> src/auditd-event.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/auditd-event.c b/src/auditd-event.c
> index 788c44a08197..636553187279 100644
> --- a/src/auditd-event.c
> +++ b/src/auditd-event.c
> @@ -365,7 +365,7 @@ static int add_simple_field(auparse_state_t *au, size_t
> len_left, int encode)
>
> // Setup pointer
> ptr = &format_buf[FORMAT_BUF_LEN - len_left];
> - if (sep_done > 1) {
> + if (sep_done >= 1) {
> *ptr = ' ';
> ptr++;
> num = 1;
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
