audit/backport-ausearch-format-Fix-display-of-renamed-file-411.patch

2024-12-11 14:32:21 +08:00
From 7cdcfd30c6122acc6b2e54e1ad8cd1a12dd537d2 Mon Sep 17 00:00:00 2001
From: Attila Lakatos <Cropi@users.noreply.github.com>
Date: Mon, 21 Oct 2024 04:25:37 +0200
Subject: [PATCH] ausearch format: Fix display of renamed file (#411)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In some cases, ausearch was not correctly showing
the new name of a renamed file when searching for
audit events. If the target file didn't exist prior
to the rename, ausearch was unable to parse the new
file name. This occurred because ausearch attempted
to retrieve this information from the 7th record,
which is absent when the target file does not exist.
---
auparse/normalize.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/auparse/normalize.c b/auparse/normalize.c
index 036c0b86..f1a07d18 100644
--- a/auparse/normalize.c
+++ b/auparse/normalize.c
@@ -693,7 +693,20 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
case NORM_FILE_RENAME:
act = "renamed";
D.thing.what = NORM_WHAT_FILE; // this gets overridden
- set_prime_object2(au, "name", 4);
+ /* A sucessfull syscall from the rename family will provide
+ * the following items:
+ * 0 - new dir, in which the file will be located
+ * 1 - old dir, in which the file was located
+ * 2 - old name, the name of the original file
+ * if the file was already present in the new dir:
+ * 3 - removal of the new file
+ * 4 - creation of the new file
+ * otherwise:
+ * 3 - creation of the new file
+ */
+
+ // The 3rd record will always contain the name of the new file
+ set_prime_object2(au, "name", 3);
set_file_object(au, 2); // Thing renamed is 2 after
simple_file_attr(au);
break;
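Review bot: The new comment "The 3rd record will always contain the name of the new file" is ambiguous next to the zero-based list it follows, where item 3 is the fourth entry; say "item 3 (zero-based)" so the index passed to `set_prime_object2(au, "name", 3)` matches the enumeration. The comment should also spell out why index 3 is correct in both branches: when the target already exists, item 3 is "removal of the new file", which carries the same name as the "creation of the new file" at item 4, so the old index 4 only worked in that branch and failed when the target did not exist (the case the commit message describes). Minor: "sucessfull" should be "successful".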
--
2.33.0