diff -urp audit-2.3.5.orig/docs/ausearch.8 audit-2.3.5/docs/ausearch.8
--- audit-2.3.5.orig/docs/ausearch.8	2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/docs/ausearch.8	2014-03-11 10:51:13.385867279 -0400
@@ -21,6 +21,9 @@ Search for an event based on the given \
 .BR \-c ,\  \-\-comm \ \fIcomm-name\fP
 Search for an event based on the given \fIcomm name\fP. The comm name is the executable's name from the task structure.
 .TP
+.BR \-\-debug
+Write malformed events that are skipped to stderr.
+.TP
 .BR \-e,\  \-\-exit \ \fIexit-code-or-errno\fP
 Search for an event based on the given syscall \fIexit code or errno\fP.
 .TP
diff -urp audit-2.3.5.orig/src/aureport-options.c audit-2.3.5/src/aureport-options.c
--- audit-2.3.5.orig/src/aureport-options.c	2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/src/aureport-options.c	2014-03-11 10:41:08.604806542 -0400
@@ -56,6 +56,7 @@ const char *event_uuid = NULL;
 const char *event_vmname = NULL;
 int event_exit = 0, event_exit_is_set = 0;
 int event_ppid = -1, event_session_id = -2;
+int event_debug = 0;
 
 /* These are used by aureport */
 const char *dummy = "dummy";
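Review bot: The new `event_debug` definition in aureport-options.c has no comment explaining why aureport carries a flag that nothing in this patch lets it set. Presumably it exists only so the shared ausearch-parse.c links, in which case aureport will always skip malformed events silently. A short comment would make that explicit, e.g. `int event_debug = 0; /* read by ausearch-parse.c; aureport has no option to set it */`. If aureport is meant to surface skipped events too, it needs its own option, which is not visible in this diff.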
diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c
--- audit-2.3.5.orig/src/ausearch-options.c	2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/src/ausearch-options.c	2014-03-11 10:26:49.577720272 -0400
@@ -55,6 +55,7 @@ int just_one = 0;
 int event_session_id = -2;
 int event_exit = 0, event_exit_is_set = 0;
 int line_buffered = 0;
+int event_debug = 0;
 const char *event_key = NULL;
 const char *event_filename = NULL;
 const char *event_exe = NULL;
@@ -81,13 +82,14 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
-S_LINEBUFFERED, S_UUID, S_VMNAME};
+S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG };
 
 static struct nv_pair optiontab[] = {
 	{ S_EVENT, "-a" },
 	{ S_EVENT, "--event" },
 	{ S_COMM, "-c" },
 	{ S_COMM, "--comm" },
+	{ S_DEBUG, "--debug" },
 	{ S_EXIT, "-e" },
 	{ S_EXIT, "--exit" },
 	{ S_FILENAME, "-f" },
@@ -176,6 +178,7 @@ static void usage(void)
 	printf("usage: ausearch [options]\n"
 	"\t-a,--event <Audit event id>\tsearch based on audit event id\n"
 	"\t-c,--comm  <Comm name>\t\tsearch based on command line name\n"
+	"\t --debug\t\t\tWrite malformed events that are skipped to stderr\n"
 	"\t-e,--exit  <Exit code or errno>\tsearch based on syscall exit code\n"
 	"\t-f,--file  <File name>\t\tsearch based on file name\n"
 	"\t-ga,--gid-all <all Group id>\tsearch based on All group ids\n"
@@ -1099,6 +1102,9 @@ int check_params(int count, char *vars[]
 		case S_LINEBUFFERED:
 			line_buffered = 1;
 			break;
+		case S_DEBUG:
+			event_debug = 1;
+			break;
 		default:
 			fprintf(stderr, "%s is an unsupported option\n", 
 				vars[c]);
diff -urp audit-2.3.5.orig/src/ausearch-options.h audit-2.3.5/src/ausearch-options.h
--- audit-2.3.5.orig/src/ausearch-options.h	2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/src/ausearch-options.h	2014-03-11 10:07:12.631602075 -0400
@@ -36,6 +36,7 @@ extern const char *event_object;
 extern int event_se;
 extern int just_one;
 extern int line_buffered;
+extern int event_debug;
 extern pid_t event_ppid;
 extern int event_session_id;
 extern ilist *event_type;
diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c
--- audit-2.3.5.orig/src/ausearch-parse.c	2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/src/ausearch-parse.c	2014-03-11 10:31:00.205745442 -0400
@@ -168,11 +168,17 @@ int extract_search_items(llist *l)
 				ret = parse_tty(n, s);
 				break;
 			default:
-				// printf("unparsed type:%d\n", n->type);
+				if (event_debug)
+					fprintf(stderr,
+						"Unparsed type:%d\n - skipped",
+						n->type);
 				break;
 			}
-			// if (ret) printf("type:%d ret:%d\n", n->type, ret);
-		} while ((n=list_next(l)) && ret==0);
+			if (event_debug && ret)
+				fprintf(stderr,
+					"Malformed event skipped, rc=%d. %s\n",
+					 ret, n->message);
+		} while ((n=list_next(l)) && ret == 0);
 	}
 	return ret;
 }
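Review bot: The new `Malformed event skipped` message writes `n->message` to stderr unmodified, and a record that failed parsing is exactly the one whose contents cannot be assumed well-formed, so control characters or terminal escape sequences in it would reach the analyst's terminal. Consider escaping non-printable bytes before printing (no helper for that is visible in this hunk) and guarding the pointer, e.g. `ret, n->message ? n->message : "(null)"`. Separately, in the `default:` branch the format string `"Unparsed type:%d\n - skipped"` has the newline in the middle, so ` - skipped` starts the next line and is left unterminated; it should read `"Unparsed type:%d - skipped\n"`. extract_search_items begins above this hunk, so whether `n->message` can actually be NULL here is not visible.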