Jonathan Kelly wrote:
> Hello,
>
> When using the python auparse library to call
> AuParser.interpret_field() on a multi-word field, only the first word
> in the field is returned. Using get_field_str() instead of
> interpret_field() yields the same output. I have verified that this
> issue exists in the C library, as well as the Python. I suspect that
> this may be an issue for multi-word fields in general, but have not
> noticed any other than 'op'.
>
> The thing to note here is that only the characters up to the first white
> space were included in the field.

Unfortunately string handling in audit is seriously broken and has been
for a long time. The audit code does not know how to handle strings with
embedded spaces, quotes, etc. The fundamental problem is the format for
string encoding was never defined. There is a horrible hack the kernel
uses: when a string has a space in it, it converts the string to a
sequence of hex characters, thus there is no space in the value of the
key=value pair. Auparse has a hard-coded list of keys it expects might
have hex encoded strings in them; if the key (msg in this instance) is in
the list, then the interpret function will decode the hex string.
You might try encoding the msg in hex to see if it starts working.
Or you might try convincing the audit maintainers to adopt sane string
handling rules (but good luck on this front, there have been many, many
complaints about this for a long time and nothing has happened :-(
--
John Dennis <jdennis(a)redhat.com>