improve text generation for process groups

stevegrubb · stevegrubb · commit 691fe2a263f9 · 2025-08-15T15:34:21.000-04:00
diff --git a/auparse/internal.h b/auparse/internal.h
@@ -194,6 +194,7 @@ void aup_free_config(struct daemon_conf *config);
 
 /* Resolve @name to a uid, caching the result for future lookups. */
 uid_t lookup_uid_from_name(auparse_state_t *au, const char *name);
+
 // normalize.c
 void init_normalizer(normalize_data *d);
 void clear_normalizer(normalize_data *d);
diff --git a/auparse/normalize.c b/auparse/normalize.c
@@ -797,8 +797,6 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
 						auparse_get_record_num(au));
 					attr = set_field(attr,
 						auparse_get_field_num(au));
-					if (is_unset(D.thing.primary))
-						D.thing.primary = attr;
 					cllist_append(&D.thing.attr, attr,
 							NULL);
 				}
@@ -2264,6 +2262,11 @@ const char *auparse_normalize_object_kind(const auparse_state_t *au)
 	return normalize_obj_kind_map_i2s(D.thing.what);
 }
 
+int auparse_normalize_object_kind_int(const auparse_state_t *au)
+{
+	return D.thing.what;
+}
+
 int auparse_normalize_get_results(auparse_state_t *au)
 {
 	return seek_field(au, D.results);
diff --git a/src/ausearch-report.c b/src/ausearch-report.c
@@ -34,6 +34,7 @@
 #include "auparse.h"
 #include "auparse-idata.h"
 #include "auditd-config.h"
+#include "normalize-internal.h"	// pid list
 
 static int interp_init = 0;
 static auparse_state_t *au = NULL;
@@ -691,6 +692,7 @@ static void csv_event(auparse_state_t *au,
 
 /* This function will output a normalized line of audit
  * fields one line per event as an english sentence */
+extern int auparse_normalize_object_kind_int(const auparse_state_t *au);
 static void text_event(auparse_state_t *au,
 		auparse_cb_event_t cb_event_type, void *user_data)
 {
@@ -800,6 +802,33 @@ static void text_event(auparse_state_t *au,
 		printf("to %s ", val);
 	}
 
+	// Print pid list if process group
+	int kind = auparse_normalize_object_kind_int(au);
+	if (kind == NORM_WHAT_PROCESS_GROUP || kind == NORM_WHAT_PROCESS) {
+		rc = auparse_normalize_object_first_attribute(au);
+		if (rc == 1) {
+			int sep = 0, cnt = 1;
+			putchar('(');
+			do {
+				const char *name = auparse_get_field_name(au);
+				if (strcmp(name, "opid") == 0) {
+					if (sep)
+						putchar(',');
+					printf("%s",
+					       auparse_interpret_field(au));
+					sep = 1;
+				}
+			       rc = auparse_normalize_object_next_attribute(au);
+			       cnt++;
+			} while (rc == 1 && cnt < 4);
+			if (cnt >= 4)
+				printf(",...)");
+			else
+				putchar(')');
+			putchar(' ');
+		}
+	}
+
 	how = auparse_normalize_how(au);
 	if (how && action && *action != 'e')   // Don't print for ended-session
 		printf("using %s", how);

Original file line number	Diff line number	Diff line change
`@@ -797,8 +797,6 @@ static int normalize_syscall(auparse_state_t au, const char syscall)`
`797`	`797`	`auparse_get_record_num(au));`
`798`	`798`	`attr = set_field(attr,`
`799`	`799`	`auparse_get_field_num(au));`
`800`		`- if (is_unset(D.thing.primary))`
`801`		`- D.thing.primary = attr;`
`802`	`800`	`cllist_append(&D.thing.attr, attr,`
`803`	`801`	`NULL);`
`804`	`802`	`}`
`@@ -2264,6 +2262,11 @@ const char auparse_normalize_object_kind(const auparse_state_t au)`
`2264`	`2262`	`return normalize_obj_kind_map_i2s(D.thing.what);`
`2265`	`2263`	`}`
`2266`	`2264`
	`2265`	`+int auparse_normalize_object_kind_int(const auparse_state_t *au)`
	`2266`	`+{`
	`2267`	`+ return D.thing.what;`
	`2268`	`+}`
	`2269`	`+`
`2267`	`2270`	`int auparse_normalize_get_results(auparse_state_t *au)`
`2268`	`2271`	`{`
`2269`	`2272`	`return seek_field(au, D.results);`