Use process group when more than 1 object

stevegrubb · stevegrubb · commit 8fdfe53d9e00 · 2025-08-15T13:42:21.000-04:00
diff --git a/auparse/normalize-internal.h b/auparse/normalize-internal.h
@@ -104,6 +104,7 @@
 #define NORM_WHAT_SOFTWARE      23
 #define NORM_WHAT_INTEGRITY_POLICY      24
 #define NORM_WHAT_SECURITY_MODULES      25
+#define NORM_WHAT_PROCESS_GROUP	26
 
 // This enum is used to map events to what kind they are
 #define NORM_EVTYPE_UNKNOWN		0
diff --git a/auparse/normalize.c b/auparse/normalize.c
@@ -779,11 +779,14 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
 			set_socket_object(au);
 			break;
 		case NORM_PID:
-			if (auparse_get_num_records(au) > 2)
+			if (auparse_get_num_records(au) > 2) {
 				// FIXME: this has implications for object
 				act = "killed-list-of-pids";
-			else
+				D.thing.what = NORM_WHAT_PROCESS_GROUP;
+			} else {
 				act = "killed-pid";
+				D.thing.what = NORM_WHAT_PROCESS;
+			}
 			auparse_goto_record_num(au, 1);
 			auparse_first_field(au);
 			f = auparse_find_field(au, "saddr");
@@ -793,7 +796,6 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
 				D.thing.primary = set_field(D.thing.primary,
 					auparse_get_field_num(au));
 			}
-			D.thing.what = NORM_WHAT_PROCESS;
 			break;
 		case NORM_MAC_LOAD:
 			act = normalize_record_map_i2s(ttype);
diff --git a/auparse/normalize_obj_kind_map.h b/auparse/normalize_obj_kind_map.h
@@ -48,4 +48,5 @@ _S(NORM_WHAT_DEVICE, "device")
 _S(NORM_WHAT_SOFTWARE, "software")
 _S(NORM_WHAT_INTEGRITY_POLICY, "integrity-policy")
 _S(NORM_WHAT_SECURITY_MODULES, "security-modules")
+_S(NORM_WHAT_PROCESS_GROUP, "process-group")
 //_S(, "")
