threathunters-io · hillu · Mar 15, 2024 · Mar 15, 2024 · Mar 15, 2024
diff --git a/src/coalesce.rs b/src/coalesce.rs
@@ -1170,6 +1170,10 @@ mod test {
  !output.contains(r#""egid":0,"#),
  "output does not contain raw egid"
  );
+ assert!(
+ output.contains(r#"NODE":"work","#),
+ "node name is encoded correctly."
+ );
 
  Ok(())
  }

diff --git a/src/testdata/record-execve.txt b/src/testdata/record-execve.txt
@@ -1,7 +1,7 @@
-type=SYSCALL msg=audit(1615114232.375:15558): arch=c000003e syscall=59 success=yes exit=0 a0=63b29337fd18 a1=63b293387d58 a2=63b293375640 a3=fffffffffffff000 items=2 ppid=10883 pid=10884 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="whoami" exe="/usr/bin/whoami" key=(null)ARCH=x86_64 SYSCALL=execve AUID="user" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
-type=EXECVE msg=audit(1615114232.375:15558): argc=1 a0="whoami"
-type=CWD msg=audit(1615114232.375:15558): cwd="/home/user/tmp"
-type=PATH msg=audit(1615114232.375:15558): item=0 name="/usr/bin/whoami" inode=261214 dev=ca:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
-type=PATH msg=audit(1615114232.375:15558): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=262146 dev=ca:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
-type=PROCTITLE msg=audit(1615114232.375:15558): proctitle="whoami"
-type=EOE msg=audit(1615114232.375:15558):
+node=work type=SYSCALL msg=audit(1615114232.375:15558): arch=c000003e syscall=59 success=yes exit=0 a0=63b29337fd18 a1=63b293387d58 a2=63b293375640 a3=fffffffffffff000 items=2 ppid=10883 pid=10884 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="whoami" exe="/usr/bin/whoami" key=(null)ARCH=x86_64 SYSCALL=execve AUID="user" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
+node=work type=EXECVE msg=audit(1615114232.375:15558): argc=1 a0="whoami"
+node=work type=CWD msg=audit(1615114232.375:15558): cwd="/home/user/tmp"
+node=work type=PATH msg=audit(1615114232.375:15558): item=0 name="/usr/bin/whoami" inode=261214 dev=ca:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
+node=work type=PATH msg=audit(1615114232.375:15558): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=262146 dev=ca:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
+node=work type=PROCTITLE msg=audit(1615114232.375:15558): proctitle="whoami"
+node=work type=EOE msg=audit(1615114232.375:15558):
diff --git a/src/types.rs b/src/types.rs
@@ -70,7 +70,7 @@ impl Serialize for Event<'_> {
  map.serialize_value(&self.id)?;
  if let Some(node) = &self.node {
  map.serialize_key("NODE")?;
- map.serialize_value(&node)?;
+ map.serialize_value(&Bytes(node))?;
  }
  for (k, v) in &self.body {
  map.serialize_entry(&k, &v)?;