Scribery/aushape

Docker VIRT_CONTROL vm field garbage

spbnick opened this issue · 0 comments

Aushape produces garbage as the value of the "vm" field in Docker's VIRT_CONTROL records.

Example input:

    type=VIRT_CONTROL msg=audit(1506334818.325:606): pid=1182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='auid=1000 hostname=c3b752d5eceb vm=centos:7 vm-pid=17252 user=jkarasek exe=sleep reason=api op=resize  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'

Resulting output:

    {
        "serial":513,
        "time":"2017-09-25T08:59:01.407+02:00",
        "data":{
            "virt_control":{
                "pid":["1182"],
                "uid":["root","0"],
                "auid":["unset","4294967295"],
                "ses":["unset","4294967295"],
                "subj":["system_u:system_r:container_runtime_t:s0"],
                "op":["resize"],
                "vm-pid":["11482"],
                "user":["jkarasek"],
                "reason":["api"],
                "vm":[""],
                "auid":["jkarasek","1000"],
                "exe":["sleep"],
                "hostname":["a056213011e5"],
                "exe":["/usr/bin/dockerd-current"],
                "hostname":["?"],
                "addr":["?"],
                "terminal":["?"],
                "res":["success"]
            }
        }
    }
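
A field-preservation check for the symptom reported above, as an added example that is not part of the original issue or of aushape's code. It parses the raw record (including the nested `msg='...'` part and the repeated `auid`, `exe` and `hostname` keys) and compares each field's raw value with the converter's JSON. The `OUTPUT` document is constructed for the illustration, and the function names are hypothetical.

```python
import json
import re

# Raw record copied from the report above.
RECORD = (
    "type=VIRT_CONTROL msg=audit(1506334818.325:606): pid=1182 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 "
    "msg='auid=1000 hostname=c3b752d5eceb vm=centos:7 vm-pid=17252 user=jkarasek "
    "exe=sleep reason=api op=resize  exe=\"/usr/bin/dockerd-current\" "
    "hostname=? addr=? terminal=? res=success'")
# Constructed converter output for that record, with the reported empty "vm".
OUTPUT = """{"data":{"virt_control":{"pid":["1182"],"uid":["root","0"],
 "auid":["unset","4294967295"],"ses":["unset","4294967295"],
 "subj":["system_u:system_r:container_runtime_t:s0"],"op":["resize"],
 "vm-pid":["17252"],"user":["jkarasek"],"reason":["api"],"vm":[""],
 "auid":["jkarasek","1000"],"exe":["sleep"],"hostname":["c3b752d5eceb"],
 "exe":["/usr/bin/dockerd-current"],"hostname":["?"],"addr":["?"],
 "terminal":["?"],"res":["success"]}}}"""

FIELD = re.compile(r"""([\w-]+)=("[^"]*"|'[^']*'|\S*)""")

def parse_record(line):
    """Ordered (key, value) pairs, descending into the nested msg='...'."""
    pairs = []
    for key, val in FIELD.findall(line):
        if key == "msg" and val.startswith("'"):
            pairs.extend(parse_record(val[1:-1]))
        elif key != "msg":          # skip the msg=audit(time:serial) header
            pairs.append((key, val.strip('"')))
    return pairs

def output_fields(doc, rtype):
    """(key, raw value) pairs; the pairs hook keeps duplicate JSON keys."""
    top = dict(json.loads(doc, object_pairs_hook=list))
    # Assumption from the sample output: the raw value is the last array item.
    return [(k, v[-1]) for k, v in dict(top["data"])[rtype]]

def mismatches(record, doc):
    """Fields whose raw values differ between the record and the output."""
    raw = parse_record(record)
    out = output_fields(doc, dict(raw)["type"].lower())
    bad = []
    for key in dict.fromkeys(k for k, _ in raw if k != "type"):
        want = sorted(v for k, v in raw if k == key)
        got = sorted(v for k, v in out if k == key)
        if want != got:
            bad.append((key, want, got))
    return bad

if __name__ == "__main__":
    print(mismatches(RECORD, OUTPUT))
```

A plain `json.loads` keeps only the last of each repeated key, so a consumer that does not use a pairs hook would also lose the first `auid`, `exe` and `hostname` values.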