Strings should be either always hex encoded, or always escaped
(preferably the latter).

The issue that always dominates any thinking about the audit system is how to
save disk space. So, whenever a string has no naughty characters, we let it go
as is. If the string contains something that will confuse the parser or do
other bad things, we encode the string such that the parser cannot be
confused. But we only do that on demand because the majority of strings are
well-behaved.

This is not a true statement. Unless the kernel has been patched
recently, the handling of strings is seriously broken, a fact which has
been pointed out numerous times. It is also not true that the parser cannot
be confused by the string format, also pointed out several times. It
should also be a goal that libraries other than auparse be capable of
parsing audit strings. It should also be a goal that correct parsing of
audit logs not be dependent on specific kernel versions.
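
The two encodings discussed in this thread, side by side, as an added example that is not code from the thread or from the audit project. It assumes the on-demand convention of quoting safe strings and writing unsafe ones as bare uppercase hex; the function names, the `\xNN` escape syntax and the sample values are constructed for illustration, and the unquoted literal `cafe` stands for a hypothetical writer that skips the quotes.

```python
import re

def needs_hex(value: bytes) -> bool:
    # Assumed rule: double quote, space/control (< 0x21) or > 0x7e is unsafe.
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in value)

def encode_on_demand(value: bytes) -> str:
    """Quote well-behaved strings as is; hex encode the whole string otherwise."""
    if needs_hex(value):
        return value.hex().upper()
    return '"' + value.decode("ascii") + '"'

_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def decode_on_demand(token: str):
    """Return (value, ambiguous) for one field value."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode("ascii"), False
    if _HEX.fullmatch(token):
        # Bare hex decodes correctly only if the writer really encoded it.
        # A literal emitted without quotes (hypothetical) looks identical.
        return bytes.fromhex(token), True
    return token.encode("ascii"), False

def encode_always_escaped(value: bytes) -> str:
    """Always quoted; quote, backslash, control and non-ASCII become \\xNN."""
    out = []
    for b in value:
        if b in (0x22, 0x5C) or b < 0x20 or b > 0x7E:
            out.append("\\x%02x" % b)
        else:
            out.append(chr(b))
    return '"' + "".join(out) + '"'

def decode_always_escaped(token: str) -> bytes:
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("value must be quoted")
    body = re.sub(r"\\x([0-9a-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), token[1:-1])
    return body.encode("latin-1")

if __name__ == "__main__":
    for raw in (b"/bin/ls", b"my file", b'a "quoted" name\n'):  # constructed
        print(encode_on_demand(raw), encode_always_escaped(raw))
    print(decode_on_demand("cafe"))  # unquoted literal misread as two bytes
```

With the always-escaped form the decoder never has to guess which encoding the writer chose, so it does not need to know which kernel or library produced the record.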