Jonathan Kelly wrote:

Hello,

 

When using the Python auparse library to call AuParser.interpret_field() on a multi-word field, only the first word in the field is returned. Using get_field_str() instead of interpret_field() yields the same output. I have verified that this issue exists in the C library, as well as the Python. I suspect that this may be an issue for multi-word fields in general, but have not noticed any other than 'op'.

The thing to note here is that only the characters up to the first white space were included in the field.

Unfortunately, string handling in audit is seriously broken and has been for a long time. The audit code does not know how to handle strings with embedded spaces, quotes, etc. The fundamental problem is that the format for string encoding was never defined. There is a horrible hack the kernel uses when a string has a space in it: it converts the string to a sequence of hex characters, so there is no space in the value of the key=value pair. Auparse has a hard-coded list of keys it expects might have hex-encoded strings in them; if the key (msg in this instance) is in the list, then the interpret function will decode the hex string.

You might try encoding the msg in hex to see if it starts working.

Or you might try convincing the audit maintainers to adopt sane string handling rules (but good luck on this front, there have been many many complaints about this for a long time and nothing has happened :-(
-- 
John Dennis <jdennis@redhat.com>
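
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not auparse's code: a simplified Python model of a whitespace-delimited key=value parser, showing a spaced value truncated at its first space and the hex workaround decoding only for keys on a list. `HEX_KEYS`, the function names and the sample records are assumptions constructed for illustration.

```python
import binascii

# Hypothetical stand-in for auparse's hard-coded key list (assumption, not the real list).
HEX_KEYS = {"msg", "op"}

def encode_value(value: str) -> str:
    """Hex-encode a value that contains whitespace so it survives tokenizing."""
    if any(ch.isspace() for ch in value):
        return value.encode("utf-8").hex().upper()
    return value

def parse_record(line: str) -> dict:
    """Split a record into key=value pairs on whitespace, as a naive parser would."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:  # tokens without '=' (the tail of a spaced value) are silently lost
            fields[key] = value
    return fields

def interpret(key: str, raw: str) -> str:
    """Decode hex only for keys on the list; every other value is returned raw."""
    if key not in HEX_KEYS:
        return raw
    try:
        return binascii.unhexlify(raw).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return raw      # not a hex string: treat as a plain value

# Constructed sample records, not taken from a real audit log.
OP_TEXT = "adding user to group"
RAW_RECORD = f"type=USER_CHAUTHTOK op={OP_TEXT} res=success"
HEX_RECORD = f"type=USER_CHAUTHTOK op={encode_value(OP_TEXT)} res=success"

if __name__ == "__main__":
    raw_op = parse_record(RAW_RECORD)["op"]
    print("unencoded op :", interpret("op", raw_op))        # truncated value
    hex_op = parse_record(HEX_RECORD)["op"]
    print("hex-encoded op:", interpret("op", hex_op))        # full value
    # A key that is not on the list stays as undecoded hex.
    print("unlisted key  :", interpret("acct", encode_value("john doe")))
```
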