diff -r -u audit-1.6.1.orig/auparse/auparse.c audit-1.6.1/auparse/auparse.c --- audit-1.6.1.orig/auparse/auparse.c 2007-09-06 10:19:41.000000000 -0400 +++ audit-1.6.1/auparse/auparse.c 2007-09-06 12:31:27.000000000 -0400 @@ -574,6 +574,7 @@ { char *ptr, *tmp; + e->host = NULL; // FIXME tmp = strndupa(b, 80); ptr = strtok(tmp, " "); if (ptr) { diff -r -u audit-1.6.1.orig/auparse/ellist.c audit-1.6.1/auparse/ellist.c --- audit-1.6.1.orig/auparse/ellist.c 2007-09-06 10:19:41.000000000 -0400 +++ audit-1.6.1/auparse/ellist.c 2007-09-06 10:21:14.000000000 -0400 @@ -35,6 +35,7 @@ l->e.milli = 0L; l->e.sec = 0L; l->e.serial = 0L; + l->e.host = NULL; } hidden_def(aup_list_create); @@ -258,6 +259,7 @@ l->e.milli = 0L; l->e.sec = 0L; l->e.serial = 0L; + l->e.host = NULL; } hidden_def(aup_list_clear); @@ -269,6 +271,7 @@ e->sec = l->e.sec; e->milli = l->e.milli; e->serial = l->e.serial; + e->host = l->e.host; return 1; } hidden_def(aup_list_get_event); @@ -281,6 +284,7 @@ l->e.sec = e->sec; l->e.milli = e->milli; l->e.serial = e->serial; + l->e.host = e->host; return 1; } hidden_def(aup_list_set_event); diff -r -u audit-1.6.1.orig/auparse/test/auparse_test.c audit-1.6.1/auparse/test/auparse_test.c --- audit-1.6.1.orig/auparse/test/auparse_test.c 2007-09-06 10:19:41.000000000 -0400 +++ audit-1.6.1/auparse/test/auparse_test.c 2007-09-06 10:21:14.000000000 -0400 @@ -42,7 +42,7 @@ printf("Error getting timestamp - aborting\n"); exit(1); } - printf(" event time: %u.%u:%lu\n", (unsigned)e->sec, e->milli, e->serial); + printf(" event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, e->milli, e->serial, e->host); auparse_first_field(au); do { printf(" %s=%s (%s)\n", @@ -80,7 +80,7 @@ printf("Error getting timestamp - aborting\n"); exit(1); } - printf(" event time: %u.%u:%lu\n", (unsigned)e->sec, e->milli, e->serial); + printf(" event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, e->milli, e->serial, e->host); printf("\n"); record_cnt++; } while(auparse_next_record(au) > 0); 
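Review bot: The new `e->host = NULL; // FIXME` leaves the host field unset from the parsed record while the updated test passes it straight to a `%s` conversion; a NULL `%s` argument is undefined behaviour in C, and the `(null)` text the new auparse_test.ref depends on is only what glibc happens to print. Until the FIXME is resolved the contract should be stated at the assignment, e.g. `e->host = NULL; /* FIXME: host is not parsed yet; callers must treat NULL as "unknown" */`. The enclosing function starts and ends outside the hunk, so I cannot see whether host is assigned later in it.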
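Review bot: Ownership of the new `host` pointer in ellist.c is never defined: aup_list_clear resets `l->e.host = NULL` without releasing anything, while aup_list_get_event and aup_list_set_event copy the raw pointer between the list and the caller's struct, so the same string would be aliased by two owners as soon as host is ever heap-allocated (a use-after-free or double free waiting to happen when the FIXME in auparse.c is resolved). This applies to the @@ -35, @@ -258, @@ -269 and @@ -281 hunks of ellist.c alike. Suggest a comment at the initialization in aup_list_create, such as `l->e.host = NULL; /* borrowed pointer into the parsed record; the list never frees it */`, or, if the list is meant to own the string, a strdup in aup_list_set_event and a free in aup_list_clear. The enclosing functions start outside the hunks.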
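Review bot: In the @@ -42 hunk of auparse_test.c, `host=%s` receives `e->host`, which is NULL for every record until auparse.c actually parses a host; `printf` with a NULL `%s` argument is undefined behaviour, and the `(null)` in the reference output is a glibc-specific rendering rather than something the test can rely on. Pass `e->host ? e->host : "(null)"` instead so the test is well-defined and the expected output is unchanged. The same change applies to the @@ -80 hunk and the @@ -207 hunk of this file.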
@@ -207,7 +207,7 @@ if (e == NULL) { return; } - printf(" event time: %u.%u:%lu\n", (unsigned)e->sec, e->milli, e->serial); + printf(" event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, e->milli, e->serial, e->host); auparse_first_field(au); do { printf(" %s=%s (%s)\n", diff -r -u audit-1.6.1.orig/auparse/test/auparse_test.py audit-1.6.1/auparse/test/auparse_test.py --- audit-1.6.1.orig/auparse/test/auparse_test.py 2007-09-06 10:19:41.000000000 -0400 +++ audit-1.6.1/auparse/test/auparse_test.py 2007-09-06 11:57:52.000000000 -0400 @@ -10,12 +10,19 @@ import sys import time load_path = '../../bindings/python/build/lib.linux-i686-2.4' -if True: +if False: sys.path.insert(0, load_path) import auparse import audit +def none_to_null(s): + 'used so output matches C version' + if s is None: + return '(null)' + else: + return s + def walk_test(au): event_cnt = 1 @@ -39,7 +46,7 @@ print "Error getting timestamp - aborting" sys.exit(1) - print " event time: %d.%d:%d" % (event.sec, event.milli, event.serial) + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) au.first_field() while True: print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) @@ -71,7 +78,7 @@ print "Error getting timestamp - aborting" sys.exit(1) - print " event time: %d.%d:%d" % (event.sec, event.milli, event.serial) + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) print record_cnt += 1 if not au.next_record(): break 
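Review bot: In the @@ -10 hunk of auparse_test.py, flipping `if True:` to `if False:` turns the `sys.path.insert(0, load_path)` block into dead code, so the test now imports whichever `auparse` module is installed on the system rather than the freshly built bindings in `load_path`; this looks like a local toggle that was committed by accident rather than an intended change. Either drop the block or gate it on an explicit condition (a command-line switch, or a check that `load_path` exists). The `none_to_null` docstring could also say why the mapping exists: `'Map None to "(null)" so the output matches the C test, which relies on glibc printing NULL that way.'`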
@@ -131,7 +138,7 @@ print "Error getting timestamp - aborting" sys.exit(1) - print " event time: %d.%d:%d" % (event.sec, event.milli, event.serial) + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) au.first_field() while True: print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) diff -r -u audit-1.6.1.orig/auparse/test/auparse_test.ref audit-1.6.1/auparse/test/auparse_test.ref --- audit-1.6.1.orig/auparse/test/auparse_test.ref 2007-09-06 10:19:41.000000000 -0400 +++ audit-1.6.1/auparse/test/auparse_test.ref 2007-09-06 13:01:19.000000000 -0400 @@ -11,7 +11,7 @@ event 1 has 1 records record 1 of type 1006(LOGIN) has 5 fields line=1 file=None - event time: 1143146623.787:142 + event time: 1143146623.787:142, host=(null) type=LOGIN (LOGIN) pid=2027 (2027) uid=0 (root) @@ -21,7 +21,7 @@ event 2 has 1 records record 1 of type 1300(SYSCALL) has 24 fields line=2 file=None - event time: 1143146623.875:143 + event time: 1143146623.875:143, host=(null) type=SYSCALL (SYSCALL) arch=c000003e (x86_64) syscall=188 (setxattr) @@ -50,7 +50,7 @@ event 3 has 1 records record 1 of type 1112(USER_LOGIN) has 10 fields line=3 file=None - event time: 1143146623.879:146 + event time: 1143146623.879:146, host=(null) type=USER_LOGIN (USER_LOGIN) pid=2027 (2027) uid=0 (root) @@ -68,7 +68,7 @@ event has 1 records record 1 of type 1112(USER_LOGIN) has 10 fields line=1 file=None - event time: 1143146623.879:146 + event time: 1143146623.879:146, host=(null) Test 3 Done @@ -76,7 +76,7 @@ event 1 has 4 records record 1 of type 1400(AVC) has 11 fields line=1 file=./test.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=AVC (AVC) seresult=denied (denied) seperms=read,write (read,write) 
@@ -91,7 +91,7 @@ record 2 of type 1300(SYSCALL) has 26 fields line=2 file=./test.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=SYSCALL (SYSCALL) arch=c000003e (x86_64) syscall=2 (open) @@ -121,13 +121,13 @@ record 3 of type 1307(CWD) has 2 fields line=3 file=./test.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=CWD (CWD) cwd="/var/spool/postfix" (/var/spool/postfix) record 4 of type 1302(PATH) has 10 fields line=4 file=./test.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=PATH (PATH) item=0 (0) name="maildrop" (maildrop) @@ -142,7 +142,7 @@ event 2 has 1 records record 1 of type 1101(USER_ACCT) has 11 fields line=5 file=./test.log - event time: 1170021601.340:294 + event time: 1170021601.340:294, host=(null) type=USER_ACCT (USER_ACCT) pid=13015 (13015) uid=0 (root) @@ -158,7 +158,7 @@ event 3 has 1 records record 1 of type 1103(CRED_ACQ) has 11 fields line=6 file=./test.log - event time: 1170021601.342:295 + event time: 1170021601.342:295, host=(null) type=CRED_ACQ (CRED_ACQ) pid=13015 (13015) uid=0 (root) @@ -174,7 +174,7 @@ event 4 has 1 records record 1 of type 1006(LOGIN) has 5 fields line=7 file=./test.log - event time: 1170021601.343:296 + event time: 1170021601.343:296, host=(null) type=LOGIN (LOGIN) pid=13015 (13015) uid=0 (root) @@ -184,7 +184,7 @@ event 5 has 1 records record 1 of type 1105(USER_START) has 11 fields line=8 file=./test.log - event time: 1170021601.344:297 + event time: 1170021601.344:297, host=(null) type=USER_START (USER_START) pid=13015 (13015) uid=0 (root) @@ -200,7 +200,7 @@ event 6 has 1 records record 1 of type 1104(CRED_DISP) has 11 fields line=9 file=./test.log - event time: 1170021601.364:298 + event time: 1170021601.364:298, host=(null) type=CRED_DISP (CRED_DISP) pid=13015 (13015) uid=0 (root) 
@@ -216,7 +216,7 @@ event 7 has 1 records record 1 of type 1106(USER_END) has 11 fields line=10 file=./test.log - event time: 1170021601.366:299 + event time: 1170021601.366:299, host=(null) type=USER_END (USER_END) pid=13015 (13015) uid=0 (root) @@ -235,7 +235,7 @@ event 1 has 4 records record 1 of type 1400(AVC) has 11 fields line=1 file=test.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=AVC (AVC) seresult=denied (denied) seperms=read,write (read,write) @@ -250,7 +250,7 @@ record 2 of type 1300(SYSCALL) has 26 fields line=2 file=test.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=SYSCALL (SYSCALL) arch=c000003e (x86_64) syscall=2 (open) @@ -280,13 +280,13 @@ record 3 of type 1307(CWD) has 2 fields line=3 file=test.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=CWD (CWD) cwd="/var/spool/postfix" (/var/spool/postfix) record 4 of type 1302(PATH) has 10 fields line=4 file=test.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=PATH (PATH) item=0 (0) name="maildrop" (maildrop) @@ -301,7 +301,7 @@ event 2 has 1 records record 1 of type 1101(USER_ACCT) has 11 fields line=5 file=test.log - event time: 1170021601.340:294 + event time: 1170021601.340:294, host=(null) type=USER_ACCT (USER_ACCT) pid=13015 (13015) uid=0 (root) @@ -317,7 +317,7 @@ event 3 has 1 records record 1 of type 1103(CRED_ACQ) has 11 fields line=6 file=test.log - event time: 1170021601.342:295 + event time: 1170021601.342:295, host=(null) type=CRED_ACQ (CRED_ACQ) pid=13015 (13015) uid=0 (root) @@ -333,7 +333,7 @@ event 4 has 1 records record 1 of type 1006(LOGIN) has 5 fields line=7 file=test.log - event time: 1170021601.343:296 + event time: 1170021601.343:296, host=(null) type=LOGIN (LOGIN) pid=13015 (13015) uid=0 (root) 
@@ -343,7 +343,7 @@ event 5 has 1 records record 1 of type 1105(USER_START) has 11 fields line=8 file=test.log - event time: 1170021601.344:297 + event time: 1170021601.344:297, host=(null) type=USER_START (USER_START) pid=13015 (13015) uid=0 (root) @@ -359,7 +359,7 @@ event 6 has 1 records record 1 of type 1104(CRED_DISP) has 11 fields line=9 file=test.log - event time: 1170021601.364:298 + event time: 1170021601.364:298, host=(null) type=CRED_DISP (CRED_DISP) pid=13015 (13015) uid=0 (root) @@ -375,7 +375,7 @@ event 7 has 1 records record 1 of type 1106(USER_END) has 11 fields line=10 file=test.log - event time: 1170021601.366:299 + event time: 1170021601.366:299, host=(null) type=USER_END (USER_END) pid=13015 (13015) uid=0 (root) @@ -391,7 +391,7 @@ event 8 has 4 records record 1 of type 1400(AVC) has 11 fields line=1 file=test2.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=AVC (AVC) seresult=denied (denied) seperms=read (read) @@ -406,7 +406,7 @@ record 2 of type 1300(SYSCALL) has 26 fields line=2 file=test2.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=SYSCALL (SYSCALL) arch=c000003e (x86_64) syscall=2 (open) @@ -436,13 +436,13 @@ record 3 of type 1307(CWD) has 2 fields line=3 file=test2.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=CWD (CWD) cwd="/var/spool/postfix" (/var/spool/postfix) record 4 of type 1302(PATH) has 10 fields line=4 file=test2.log - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=PATH (PATH) item=0 (0) name="maildrop" (maildrop) @@ -457,7 +457,7 @@ event 9 has 1 records record 1 of type 1101(USER_ACCT) has 11 fields line=5 file=test2.log - event time: 1170021601.340:294 + event time: 1170021601.340:294, host=(null) type=USER_ACCT (USER_ACCT) pid=13015 (13015) uid=0 (root) 
@@ -473,7 +473,7 @@
 event 10 has 1 records
 record 1 of type 1103(CRED_ACQ) has 11 fields
 line=6 file=test2.log
- event time: 1170021601.342:295
+ event time: 1170021601.342:295, host=(null)
 type=CRED_ACQ (CRED_ACQ)
 pid=13015 (13015)
 uid=0 (root)
@@ -489,7 +489,7 @@
 event 11 has 1 records
 record 1 of type 1006(LOGIN) has 5 fields
 line=7 file=test2.log
- event time: 1170021601.343:296
+ event time: 1170021601.343:296, host=(null)
 type=LOGIN (LOGIN)
 pid=13015 (13015)
 uid=0 (root)
@@ -499,7 +499,7 @@
 event 12 has 1 records
 record 1 of type 1105(USER_START) has 11 fields
 line=8 file=test2.log
- event time: 1170021601.344:297
+ event time: 1170021601.344:297, host=(null)
 type=USER_START (USER_START)
 pid=13015 (13015)
 uid=0 (root)
@@ -515,7 +515,7 @@
 event 13 has 1 records
 record 1 of type 1104(CRED_DISP) has 11 fields
 line=9 file=test2.log
- event time: 1170021601.364:298
+ event time: 1170021601.364:298, host=(null)
 type=CRED_DISP (CRED_DISP)
 pid=13015 (13015)
 uid=0 (root)
@@ -531,7 +531,7 @@
 event 14 has 1 records
 record 1 of type 1106(USER_END) has 11 fields
 line=10 file=test2.log
- event time: 1170021601.366:299
+ event time: 1170021601.366:299, host=(null)
 type=USER_END (USER_END)
 pid=13015 (13015)
 uid=0 (root)
@@ -572,7 +572,7 @@
 event 1 has 1 records
 record 1 of type 1006(LOGIN) has 5 fields
 line=1 file=None
- event time: 1143146623.787:142
+ event time: 1143146623.787:142, host=(null)
 type=LOGIN (LOGIN)
 pid=2027 (2027)
 uid=0 (root)
@@ -582,7 +582,7 @@
 event 2 has 1 records
 record 1 of type 1300(SYSCALL) has 24 fields
 line=2 file=None
- event time: 1143146623.875:143
+ event time: 1143146623.875:143, host=(null)
 type=SYSCALL (SYSCALL)
 arch=c000003e (x86_64)
 syscall=188 (setxattr)
@@ -611,7 +611,7 @@
 event 3 has 1 records
 record 1 of type 1112(USER_LOGIN) has 10 fields
 line=3 file=None
- event time: 1143146623.879:146
+ event time: 1143146623.879:146, host=(null)
 type=USER_LOGIN (USER_LOGIN)
 pid=2027 (2027)
 uid=0 (root)
@@ -629,7 +629,7 @@ event 1 has 4 records record 1 of type 1400(AVC) has 11 fields line=1 file=None - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=AVC (AVC) seresult=denied (denied) seperms=read,write (read,write) @@ -644,7 +644,7 @@ record 2 of type 1300(SYSCALL) has 26 fields line=2 file=None - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=SYSCALL (SYSCALL) arch=c000003e (x86_64) syscall=2 (open) @@ -674,13 +674,13 @@ record 3 of type 1307(CWD) has 2 fields line=3 file=None - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=CWD (CWD) cwd="/var/spool/postfix" (/var/spool/postfix) record 4 of type 1302(PATH) has 10 fields line=4 file=None - event time: 1170021493.977:293 + event time: 1170021493.977:293, host=(null) type=PATH (PATH) item=0 (0) name="maildrop" (maildrop) @@ -695,7 +695,7 @@ event 2 has 1 records record 1 of type 1101(USER_ACCT) has 11 fields line=5 file=None - event time: 1170021601.340:294 + event time: 1170021601.340:294, host=(null) type=USER_ACCT (USER_ACCT) pid=13015 (13015) uid=0 (root) @@ -711,7 +711,7 @@ event 3 has 1 records record 1 of type 1103(CRED_ACQ) has 11 fields line=6 file=None - event time: 1170021601.342:295 + event time: 1170021601.342:295, host=(null) type=CRED_ACQ (CRED_ACQ) pid=13015 (13015) uid=0 (root) @@ -727,7 +727,7 @@ event 4 has 1 records record 1 of type 1006(LOGIN) has 5 fields line=7 file=None - event time: 1170021601.343:296 + event time: 1170021601.343:296, host=(null) type=LOGIN (LOGIN) pid=13015 (13015) uid=0 (root) @@ -737,7 +737,7 @@ event 5 has 1 records record 1 of type 1105(USER_START) has 11 fields line=8 file=None - event time: 1170021601.344:297 + event time: 1170021601.344:297, host=(null) type=USER_START (USER_START) pid=13015 (13015) uid=0 (root) 
@@ -753,7 +753,7 @@
 event 6 has 1 records
 record 1 of type 1104(CRED_DISP) has 11 fields
 line=9 file=None
- event time: 1170021601.364:298
+ event time: 1170021601.364:298, host=(null)
 type=CRED_DISP (CRED_DISP)
 pid=13015 (13015)
 uid=0 (root)
@@ -769,7 +769,7 @@
 event 7 has 1 records
 record 1 of type 1106(USER_END) has 11 fields
 line=10 file=None
- event time: 1170021601.366:299
+ event time: 1170021601.366:299, host=(null)
 type=USER_END (USER_END)
 pid=13015 (13015)
 uid=0 (root)