Re: audit plugin for AVC and USER_AVC messages
On Thursday, August 15, 2024 4:27:34 PM EDT nupurdeora(a)gmail.com wrote:
I 'll use auparse_reset() but from the description it's not
clear if it
will reset the curson to the beginning to the current record ?
https://github.com/linux-audit/audit-userspace/blob/4e6deae41d4646d28bb3ba
9524a8a227a38ccd0b/docs/auparse_reset.3#L11
What you want to use is auparse_first_record. This puts the internal cursor on
the first field of the first record in the current event.
-Steve
150 static void handle_event(auparse_state_t *au,
151 auparse_cb_event_t cb_event_type, void *user_data)
152 {
153 int type, num = 0;
154 const char *perm;
155 while (auparse_goto_record_num(au, num) > 0) {
156 type = auparse_get_type(au);
157
158 switch (type) {
159 case AUDIT_AVC:
160 case AUDIT_USER_AVC:
161 perm = auparse_find_field(au, "permissive");
162 auparse_reset(au);
163 if (perm) {
164 if (*perm == '0') {
165 dump_avc_critical_record(au);
166 }
167 else if (*perm == '1') {
168 dump_avc_info_record(au);
169 }
170 }
171 else {
172 dump_avc_info_record(au);
173 }
174 break;
175 default:
176 dump_whole_record(au);
177 break;
178 }
179 num ++;
180 }
181 }
_______________________________________________
Linux-audit mailing list -- linux-audit(a)lists.linux-audit.osci.io
To unsubscribe send an email to linux-audit-leave(a)lists.linux-audit.osci.io