Auparse feature or bug

Auparse feature or bug

[Burn Alting]

Hi,

When the auparse library parses certain USER_* type events it appears to
have an issue key values with embedded spaces. For example, the event

        type=USER_CHAUTHTOK msg=audit(1363256032.497:202603): user
        pid=24180 uid=0 auid=500 ses=1 msg='op=change password id=500
        exe="/usr/bin/passwd" hostname=? addr=?  terminal=pts/1
        res=success'

when parsed using the code identified in auparse_feed(1), will result in

        event: 1
        records:1
        fields:12
        type=1108 event time: 1363256032.497:202603
        type=USER_CHAUTHTOK (USER_CHAUTHTOK)
        pid=24180 (24180)
        uid=0 (root)
        auid=500 (burn)
        ses=1 (1)
        op=change (change)
        id=500 (burn)
        exe="/usr/bin/passwd" (/usr/bin/passwd)
        hostname=? (?)
        addr=? (?)
        terminal=pts/1 (pts/1)
        res=success (success)

As you can see, we have lost the 'password' element of the
	"op=change password"
key value pair in the original event.

Is this a feature or bug???

Regards
Burn


Regards
Burn Alting

Re: Auparse feature or bug

[Steve Grubb]

On Thursday, March 14, 2013 09:21:30 PM Burn Alting wrote:
> As you can see, we have lost the 'password' element of the
> 	"op=change password"
> key value pair in the original event.
> 
> Is this a feature or bug???

Its a feature. The only thing guaranteed by the audit system is that 
name=value pairs are supported. Additional text may be there to add context 
for people reading the event. But for machine parsing only name=value is 
returned. So, if the additional text is needed, then either '-' or '_' can be 
added between words (as many other events do).

-Steve

Re: Auparse feature or bug

[Burn Alting]

OK. So, in essence, the example I provided is a just poorly formatted
event from PAM. Or rather, one that can't be parsed by the auparse
library without loss of data.

TIA

On Thu, 2013-03-14 at 06:54 -0400, Steve Grubb wrote:
> On Thursday, March 14, 2013 09:21:30 PM Burn Alting wrote:
> > As you can see, we have lost the 'password' element of the
> > 	"op=change password"
> > key value pair in the original event.
> > 
> > Is this a feature or bug???
> 
> Its a feature. The only thing guaranteed by the audit system is that 
> name=value pairs are supported. Additional text may be there to add context 
> for people reading the event. But for machine parsing only name=value is 
> returned. So, if the additional text is needed, then either '-' or '_' can be 
> added between words (as many other events do).
> 
> -Steve

Re: Auparse feature or bug

[Steve Grubb]

On Thursday, March 14, 2013 10:10:42 PM Burn Alting wrote:
> OK. So, in essence, the example I provided is a just poorly formatted
> event from PAM. Or rather, one that can't be parsed by the auparse
> library without loss of data.

I think that is a fair assessment. Sometimes changes get made to the events 
without understanding how they affect people that really need correct audit 
events. For example, shadow-utils upstream made changes and without any 
coordination. Now there are about 200 places that need patching to fix all the 
audit problems.

-Steve

> On Thu, 2013-03-14 at 06:54 -0400, Steve Grubb wrote:
> > On Thursday, March 14, 2013 09:21:30 PM Burn Alting wrote:
> > > As you can see, we have lost the 'password' element of the
> > > 
> > > 	"op=change password"
> > > 
> > > key value pair in the original event.
> > > 
> > > Is this a feature or bug???
> > 
> > Its a feature. The only thing guaranteed by the audit system is that
> > name=value pairs are supported. Additional text may be there to add
> > context
> > for people reading the event. But for machine parsing only name=value is
> > returned. So, if the additional text is needed, then either '-' or '_' can
> > be added between words (as many other events do).
> > 
> > -Steve