diff -urp audit-2.3.5.orig/docs/ausearch.8 audit-2.3.5/docs/ausearch.8
--- audit-2.3.5.orig/docs/ausearch.8 2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/docs/ausearch.8 2014-03-11 10:51:13.385867279 -0400
@@ -21,6 +21,9 @@ Search for an event based on the given \
 .BR \-c ,\ \-\-comm \ \fIcomm-name\fP
 Search for an event based on the given \fIcomm name\fP. The comm name is the executable's name from the task structure.
 .TP
+.BR \-\-debug
+Write malformed events that are skipped to stderr.
+.TP
 .BR \-e,\ \-\-exit \ \fIexit-code-or-errno\fP
 Search for an event based on the given syscall \fIexit code or errno\fP.
 .TP
diff -urp audit-2.3.5.orig/src/aureport-options.c audit-2.3.5/src/aureport-options.c
--- audit-2.3.5.orig/src/aureport-options.c 2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/src/aureport-options.c 2014-03-11 10:41:08.604806542 -0400
@@ -56,6 +56,7 @@ const char *event_uuid = NULL;
 const char *event_vmname = NULL;
 int event_exit = 0, event_exit_is_set = 0;
 int event_ppid = -1, event_session_id = -2;
+int event_debug = 0;
 /* These are used by aureport */
 const char *dummy = "dummy";
diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c
--- audit-2.3.5.orig/src/ausearch-options.c 2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/src/ausearch-options.c 2014-03-11 10:26:49.577720272 -0400
@@ -55,6 +55,7 @@ int just_one = 0;
 int event_session_id = -2;
 int event_exit = 0, event_exit_is_set = 0;
 int line_buffered = 0;
+int event_debug = 0;
 const char *event_key = NULL;
 const char *event_filename = NULL;
 const char *event_exe = NULL;
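Review bot: In src/aureport-options.c the new `int event_debug = 0;` is only ever initialised: this patch adds no aureport option that sets it, so as far as the diff shows aureport keeps dropping malformed events with no way to surface them. The definition is presumably there so that code shared with ausearch still links; a comment would make that explicit, e.g. `int event_debug = 0; /* set only by ausearch --debug; never enabled in aureport */`. If aureport output is used to review audit trails, a matching switch there is worth considering, because silently skipped records are what someone examining a damaged log needs to see.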
@@ -81,13 +82,14 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT, S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
-S_LINEBUFFERED, S_UUID, S_VMNAME};
+S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG };
 static struct nv_pair optiontab[] = {
 { S_EVENT, "-a" },
 { S_EVENT, "--event" },
 { S_COMM, "-c" },
 { S_COMM, "--comm" },
+ { S_DEBUG, "--debug" },
 { S_EXIT, "-e" },
 { S_EXIT, "--exit" },
 { S_FILENAME, "-f" },
@@ -176,6 +178,7 @@ static void usage(void)
 printf("usage: ausearch [options]\n"
 "\t-a,--event \tsearch based on audit event id\n"
 "\t-c,--comm \t\tsearch based on command line name\n"
+ "\t --debug\t\t\tWrite malformed events that are skipped to stderr\n"
 "\t-e,--exit \tsearch based on syscall exit code\n"
 "\t-f,--file \t\tsearch based on file name\n"
 "\t-ga,--gid-all \tsearch based on All group ids\n"
@@ -1099,6 +1102,9 @@ int check_params(int count, char *vars[]
 case S_LINEBUFFERED:
 line_buffered = 1;
 break;
+ case S_DEBUG:
+ event_debug = 1;
+ break;
 default:
 fprintf(stderr, "%s is an unsupported option\n", vars[c]);
diff -urp audit-2.3.5.orig/src/ausearch-options.h audit-2.3.5/src/ausearch-options.h
--- audit-2.3.5.orig/src/ausearch-options.h 2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/src/ausearch-options.h 2014-03-11 10:07:12.631602075 -0400
@@ -36,6 +36,7 @@ extern const char *event_object;
 extern int event_se;
 extern int just_one;
 extern int line_buffered;
+extern int event_debug;
 extern pid_t event_ppid;
 extern int event_session_id;
 extern ilist *event_type;
diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c
--- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-10 13:31:14.000000000 -0400
+++ audit-2.3.5/src/ausearch-parse.c 2014-03-11 10:31:00.205745442 -0400
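Review bot: The `--debug` help string added to usage() in src/ausearch-options.c describes only malformed events, but the ausearch-parse.c hunk of this patch also prints a message for record types that have no parser, which are not malformed. The wording should cover both and follow the lower-case style of the neighbouring entries, e.g. `"\t --debug\t\t\twrite skipped malformed events and unparsed record types to stderr\n"`. The man page entry added in docs/ausearch.8 has the same gap.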
@@ -168,11 +168,17 @@ int extract_search_items(llist *l)
 ret = parse_tty(n, s);
 break;
 default:
- // printf("unparsed type:%d\n", n->type);
+ if (event_debug)
+ fprintf(stderr,
+ "Unparsed type:%d\n - skipped",
+ n->type);
 break;
 }
- // if (ret) printf("type:%d ret:%d\n", n->type, ret);
- } while ((n=list_next(l)) && ret==0);
+ if (event_debug && ret)
+ fprintf(stderr,
+ "Malformed event skipped, rc=%d. %s\n",
+ ret, n->message);
+ } while ((n=list_next(l)) && ret == 0);
 }
 return ret;
 }
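Review bot: The default-case message `"Unparsed type:%d\n - skipped"` has its newline in the middle, so ` - skipped` starts the next stderr line and runs into whatever is printed after it; it should read `"Unparsed type:%d - skipped\n"`. The second message writes `n->message` to stderr verbatim, and these are by definition records that failed parsing, so their bytes are not known to be printable. If stderr is a terminal or is collected into another log, embedded control characters or newlines reach it unchanged. Consider passing the record through an escaping step (non-printable bytes as hex or octal) and bounding its length before printing. extract_search_items() begins above this hunk, so whether the parse_* helpers leave the message intact on an error return is not visible here.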