From 44ce4a6e7eab3009390c0fb2348f9f6d57182581 Mon Sep 17 00:00:00 2001
From: Hilko Bengen
Date: Fri, 15 Mar 2024 15:50:58 +0100
Subject: [PATCH 1/2] Add failing test for correct node name encoding
---
 src/coalesce.rs | 4 ++++
 src/testdata/record-execve.txt | 14 +++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/coalesce.rs b/src/coalesce.rs
index e495b16..8356198 100644
--- a/src/coalesce.rs
+++ b/src/coalesce.rs
@@ -1170,6 +1170,10 @@ mod test {
 !output.contains(r#""egid":0,"#),
 "output does not contain raw egid"
 );
+ assert!(
+ output.contains(r#"NODE":"work","#),
+ "node name is encoded correctly."
+ );
 Ok(())
 }
diff --git a/src/testdata/record-execve.txt b/src/testdata/record-execve.txt
index 666e646..dd98b8d 100644
--- a/src/testdata/record-execve.txt
+++ b/src/testdata/record-execve.txt
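Review bot: The new assertion `output.contains(r#"NODE":"work","#)` pins only a plain-ASCII node name, so it proves the value is no longer emitted as an integer array but says nothing about how bytes that need escaping are rendered. A second fixture line or assertion with a node name containing a quote, a backslash or a non-printable byte would pin the escaping behaviour of whatever string encoding the fix uses, which matters because the node value is taken from the audit input rather than from trusted configuration. The matched substring also starts at `NODE":` without the opening quote; `r#""NODE":"work","#` would match the key exactly and rule out a longer key that merely ends in NODE. The enclosing test function begins outside the hunk.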
@@ -1,7 +1,7 @@
-type=SYSCALL msg=audit(1615114232.375:15558): arch=c000003e syscall=59 success=yes exit=0 a0=63b29337fd18 a1=63b293387d58 a2=63b293375640 a3=fffffffffffff000 items=2 ppid=10883 pid=10884 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="whoami" exe="/usr/bin/whoami" key=(null)ARCH=x86_64 SYSCALL=execve AUID="user" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
-type=EXECVE msg=audit(1615114232.375:15558): argc=1 a0="whoami"
-type=CWD msg=audit(1615114232.375:15558): cwd="/home/user/tmp"
-type=PATH msg=audit(1615114232.375:15558): item=0 name="/usr/bin/whoami" inode=261214 dev=ca:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
-type=PATH msg=audit(1615114232.375:15558): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=262146 dev=ca:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
-type=PROCTITLE msg=audit(1615114232.375:15558): proctitle="whoami"
-type=EOE msg=audit(1615114232.375:15558):
+node=work type=SYSCALL msg=audit(1615114232.375:15558): arch=c000003e syscall=59 success=yes exit=0 a0=63b29337fd18 a1=63b293387d58 a2=63b293375640 a3=fffffffffffff000 items=2 ppid=10883 pid=10884 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="whoami" exe="/usr/bin/whoami" key=(null)ARCH=x86_64 SYSCALL=execve AUID="user" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
+node=work type=EXECVE msg=audit(1615114232.375:15558): argc=1 a0="whoami"
+node=work type=CWD msg=audit(1615114232.375:15558): cwd="/home/user/tmp"
+node=work type=PATH msg=audit(1615114232.375:15558): item=0 name="/usr/bin/whoami" inode=261214 dev=ca:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
+node=work type=PATH msg=audit(1615114232.375:15558): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=262146 dev=ca:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
+node=work type=PROCTITLE msg=audit(1615114232.375:15558): proctitle="whoami"
+node=work type=EOE msg=audit(1615114232.375:15558):
From 0ce7f8d8c3020d101fe0f897d6b4af97590dc6e2 Mon Sep 17 00:00:00 2001
From: Hilko Bengen
Date: Fri, 15 Mar 2024 15:51:19 +0100
Subject: [PATCH 2/2] Fix regression causing names to be encoded as array of numbers
Close #210
---
 src/types.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/types.rs b/src/types.rs
index 463eceb..6aca7c9 100644
--- a/src/types.rs
+++ b/src/types.rs
@@ -70,7 +70,7 @@ impl Serialize for Event<'_> {
 map.serialize_value(&self.id)?;
 if let Some(node) = &self.node {
 map.serialize_key("NODE")?;
- map.serialize_value(&node)?;
+ map.serialize_value(&Bytes(node))?;
 }
 for (k, v) in &self.body {
 map.serialize_entry(&k, &v)?;
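Review bot: The fix at `map.serialize_value(&Bytes(node))?;` carries no comment, so the reason for the wrapper is only recoverable from the commit message and a later cleanup could drop it and reintroduce #210. A one-line why-comment above it would record it: `// node is raw bytes from the audit record; Bytes emits it as an escaped string instead of serde's default integer sequence (#210)` — worded that way only if `Bytes` does in fact escape, which this hunk does not show. Since the node value is parsed from audit input, that escaping is also what keeps an unusual hostname from yielding malformed JSON for downstream consumers, so it is worth confirming that the `for (k, v) in &self.body` values serialised just below go through the same path for byte-valued fields. The `Serialize for Event<'_>` impl starts and ends outside the hunk.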