Hello,

 

When the Python auparse library's AuParser.interpret_field() is called on a field whose value contains spaces, only the first word of the value is returned; get_field_str() yields the same truncated output. I have verified that the C library (auparse_interpret_field() / auparse_get_field_str()) behaves the same way, so the defect is not in the Python binding. I suspect this affects multi-word values in general, but 'op' is the only such field I have noticed. The truncation matters in practice: in the output below, 'op=adding user' and 'op=adding home directory' both come back as 'adding', and 'op=deleting user entries' and 'op=deleting group' both come back as 'deleting', so the events cannot be distinguished by op.

 

Here is some sample code and input/output:

 

---

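#!/usr/bin/python
"""Collect USER_CHAUTHTOK records from the audit logs with auparse.

Walks every event the search matches, flattens each record into a dict of
field name -> interpreted value (plus the event's timestamp in whole
seconds), and prints the list of records whose type is USER_CHAUTHTOK.

Caveat (the subject of this report): interpret_field() and get_field_str()
return only the first word of a multi-word value such as
``op=adding home directory``, so ``event['op']`` comes back as ``'adding'``.
Do not base any decision on the full op text until that is fixed.
"""

from auparse import (AuParser, AUSOURCE_LOGS, AUSEARCH_RULE_CLEAR,
                     AUSEARCH_STOP_EVENT)

parser = AuParser(AUSOURCE_LOGS)

# The fourth argument of search_add_item() is the rule-combination mode
# (AUSEARCH_RULE_*), not the stop position: the C listing below passes
# AUSEARCH_RULE_CLEAR here and sets the stop position with a separate call.
# Passing AUSEARCH_STOP_EVENT as the mode only worked because both enums
# start at 0.
parser.search_add_item("type", "=", "USER_CHAUTHTOK", AUSEARCH_RULE_CLEAR)
parser.search_set_stop(AUSEARCH_STOP_EVENT)

account_changes = []

while parser.search_next_event():
    for _ in range(parser.get_num_records()):
        event = {}
        # Whole seconds only: the millisecond part and the event serial are
        # dropped, so records of different events can share a timestamp
        # (see the sample output below).  NOTE(review): the timestamp
        # object presumably also carries milli/serial; verify and add them
        # if the records need to be correlated back to the log.
        event['timestamp'] = parser.get_timestamp().sec
        for _ in range(parser.get_num_fields()):
            # interpret_field() currently truncates multi-word values.
            event[parser.get_field_name()] = parser.interpret_field()
            parser.next_field()
        if event.get('type') == 'USER_CHAUTHTOK':
            account_changes.append(event)
        parser.next_record()
    # search_next_event() leaves the cursor on the match; step past it so
    # the next search does not return the same event again.
    parser.parse_next_event()

print(account_changes)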

---

#include <auparse.h>

#include <stdio.h>

#include <libaudit.h>

 

 

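/*
 * Print the 'op' field of every USER_CHAUTHTOK event in the audit logs,
 * once via auparse_interpret_field() and once via auparse_get_field_str(),
 * to show that both return only the first word of a multi-word value.
 *
 * Returns 0 on success, 1 if the parser cannot be set up.
 */
int main(void)
{
        auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL);
        const char *val;

        /* return instead of exit(): the original called exit() without
         * including <stdlib.h>. */
        if (au == NULL)
                return 1;

        /* AUSEARCH_RULE_CLEAR starts a fresh rule set; the stop position
         * is set separately.  Release the parser on either failure. */
        if (ausearch_add_item(au, "type", "=", "USER_CHAUTHTOK",
                              AUSEARCH_RULE_CLEAR) ||
            ausearch_set_stop(au, AUSEARCH_STOP_EVENT)) {
                auparse_destroy(au);
                return 1;
        }

        while (ausearch_next_event(au) > 0) {
                if (auparse_find_field(au, "op")) {
                        /* Either accessor may return NULL; passing NULL
                         * to "%s" is undefined behaviour, so substitute
                         * a marker. */
                        val = auparse_interpret_field(au);
                        printf("interpret: op=%s\n", val ? val : "(null)");
                        val = auparse_get_field_str(au);
                        printf("str: op=%s\n", val ? val : "(null)");
                }
                /* the search leaves the cursor on the match; advance past
                 * it so the next search does not return the same event */
                auparse_next_event(au);
        }

        auparse_destroy(au);
        return 0;
}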

---

 

(audit.log)

type=USER_CHAUTHTOK msg=audit(1218562665.856:1103638): user pid=13396 uid=0 auid=502 msg='op=adding user acct=testuser exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=success)'

type=USER_CHAUTHTOK msg=audit(1218562665.895:1103662): user pid=13396 uid=0 auid=502 msg='op=adding home directory acct=testuser exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=success)'

type=USER_CHAUTHTOK msg=audit(1218562670.415:1103686): user pid=13401 uid=0 auid=502 msg='op=deleting user entries acct=testuser exe="/usr/sbin/userdel" (hostname=?, addr=?, terminal=pts/0 res=success)'

type=USER_CHAUTHTOK msg=audit(1218562670.416:1103687): user pid=13401 uid=0 auid=502 msg='op=deleting group acct=testuser exe="/usr/sbin/userdel" (hostname=?, addr=?, terminal=pts/0 res=failed)'

 

(python with full event)

{'auid': '502', 'exe': '"/usr/sbin/useradd"', 'uid': '0', 'timestamp': 1218562665, 'hostname': '?', 'pid': '13396', 'terminal': 'pts/0', 'res': 'success', 'addr': '?', 'acct': 'testuser', 'type': 'USER_CHAUTHTOK', 'op': 'adding'},

{'auid': '502', 'exe': '"/usr/sbin/useradd"', 'uid': '0', 'timestamp': 1218562665, 'hostname': '?', 'pid': '13396', 'terminal': 'pts/0', 'res': 'success', 'addr': '?', 'acct': 'testuser', 'type': 'USER_CHAUTHTOK', 'op': 'adding'},

{'auid': '502', 'exe': '"/usr/sbin/userdel"', 'uid': '0', 'timestamp': 1218562670, 'hostname': '?', 'pid': '13401', 'terminal': 'pts/0', 'res': 'success', 'addr': '?', 'acct': 'testuser', 'type': 'USER_CHAUTHTOK', 'op': 'deleting'},

{'auid': '502', 'exe': '"/usr/sbin/userdel"', 'uid': '0', 'timestamp': 1218562670, 'hostname': '?', 'pid': '13401', 'terminal': 'pts/0', 'res': 'failed', 'addr': '?', 'acct': 'testuser', 'type': 'USER_CHAUTHTOK', 'op': 'deleting'}]

 

(c with just op field)

interpret: op=adding

str: op=adding

interpret: op=adding

str: op=adding

interpret: op=deleting

str: op=deleting

interpret: op=deleting

str: op=deleting

 

---

 

Unfortunately, my C is a little too rusty for me to attempt a patch myself, but I hope this gives you everything you need to get this fixed!

 

Best regards,

 

Jonathan Kelly