From 7cdcfd30c6122acc6b2e54e1ad8cd1a12dd537d2 Mon Sep 17 00:00:00 2001 From: Attila Lakatos Date: Mon, 21 Oct 2024 04:25:37 +0200 Subject: [PATCH] ausearch format: Fix display of renamed file (#411) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In some cases, ausearch was not correctly showing the new name of a renamed file when searching for audit events. If the target file didn’t exist prior to the rename, ausearch was unable to parse the new file name. This occurred because ausearch attempted to retrieve this information from the 7th record, which is absent when the target file does not exist. --- auparse/normalize.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/auparse/normalize.c b/auparse/normalize.c index 036c0b86..f1a07d18 100644 --- a/auparse/normalize.c +++ b/auparse/normalize.c @@ -693,7 +693,20 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall) case NORM_FILE_RENAME: act = "renamed"; D.thing.what = NORM_WHAT_FILE; // this gets overridden - set_prime_object2(au, "name", 4); + /* A sucessfull syscall from the rename family will provide + * the following items: + * 0 - new dir, in which the file will be located + * 1 - old dir, in which the file was located + * 2 - old name, the name of the original file + * if the file was already present in the new dir: + * 3 - removal of the new file + * 4 - creation of the new file + * otherwise: + * 3 - creation of the new file + */ + + // The 3rd record will always contain the name of the new file + set_prime_object2(au, "name", 3); set_file_object(au, 2); // Thing renamed is 2 after simple_file_attr(au); break; -- 2.33.0
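Review bot: the index wording in the new comment block of the normalize_syscall hunk is inconsistent with the list right above it: the list numbers the PATH items from 0, so the entry that holds the new name is item 3 (the fourth item), yet the trailing comment says "The 3rd record will always contain the name of the new file", and the commit message refers to a "7th record" while the code changes the index from 4 to 3. Suggest stating it as zero-based item numbering in all three places, e.g. "// item 3 (zero-based) always carries the new name: it is either the DELETE entry for a pre-existing target or the CREATE entry for a new one", which also spells out why the same index is valid in both branches of the list. Minor: "sucessfull" in the comment should be "successful".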