From mboxrd@z Thu Jan  1 00:00:00 1970
From: Burn Alting <burn@swtf.dyndns.org>
Subject: Auparse feature or bug
Date: Thu, 14 Mar 2013 21:21:30 +1100
Message-ID: <1363256490.3199.23.camel@swtf.swtf.dyndns.org>
Reply-To: burn@swtf.dyndns.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx11.extmail.prod.ext.phx2.redhat.com
	[10.5.110.16])
	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id r2EALZDA024064
	for <linux-audit@redhat.com>; Thu, 14 Mar 2013 06:21:35 -0400
Received: from gateway.swtf.dyndns.org (203-219-87-38.static.tpgi.com.au
	[203.219.87.38])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r2EALXwK000880
	for <linux-audit@redhat.com>; Thu, 14 Mar 2013 06:21:34 -0400
Received: from localhost (localhost.localdomain [127.0.0.1])
	by gateway.swtf.dyndns.org (Postfix) with ESMTP id 322AE24D005D
	for <linux-audit@redhat.com>; Thu, 14 Mar 2013 21:19:00 +1100 (EST)
Received: from [192.168.2.100] (unknown [192.168.2.100])
	by gateway.swtf.dyndns.org (Postfix) with ESMTP id 2137F24D0045
	for <linux-audit@redhat.com>; Thu, 14 Mar 2013 21:18:59 +1100 (EST)
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

When the auparse library parses certain USER_* type events it appears to
have an issue key values with embedded spaces. For example, the event

        type=USER_CHAUTHTOK msg=audit(1363256032.497:202603): user
        pid=24180 uid=0 auid=500 ses=1 msg='op=change password id=500
        exe="/usr/bin/passwd" hostname=? addr=?  terminal=pts/1
        res=success'

when parsed using the code identified in auparse_feed(1), will result in

        event: 1
        records:1
        fields:12
        type=1108 event time: 1363256032.497:202603
        type=USER_CHAUTHTOK (USER_CHAUTHTOK)
        pid=24180 (24180)
        uid=0 (root)
        auid=500 (burn)
        ses=1 (1)
        op=change (change)
        id=500 (burn)
        exe="/usr/bin/passwd" (/usr/bin/passwd)
        hostname=? (?)
        addr=? (?)
        terminal=pts/1 (pts/1)
        res=success (success)

As you can see, we have lost the 'password' element of the
	"op=change password"
key value pair in the original event.

Is this a feature or bug???

Regards
Burn


Regards
Burn Alting