get_field_str() and interpret_field() bug with multi-word fields

John Dennis jdennis at redhat.com
Tue Aug 12 18:16:07 UTC 2008


Jonathan Kelly wrote:
>
> Hello,
>
> When using the python auparse library to call 
> AuParser.interpret_field() on a multi-word field, only the first word 
> in the field is returned.  Using get_field_str() instead of 
> interpret_field() yields the same output.  I have verified that this 
> issue exists in the C library, as well as the Python.  I suspect that 
> this may be an issue for multi-word fields in general, but have not 
> noticed any other than 'op'.
>
The thing to note here is that only the characters up to the first white 
space were included in the field.

Unfortunately string handling in audit is seriously broken and has been 
for a long time. The audit code does not know how to handle strings with 
embedded spaces, quotes, etc. The fundamental problem is the format for 
string encoding was never defined. There is a horrible hack the kernel 
uses when a string has a space in it: it converts the string to a 
sequence of hex characters, so there is no space in the value of the 
key=value pair. Auparse has a hard-coded list of keys it expects might 
have hex-encoded strings in them; if the key (msg in this instance) is in 
the list then the interpret function will decode the hex string.

You might try encoding the msg in hex to see if it starts working.

Or you might try convincing the audit maintainers to adopt sane string 
handling rules (but good luck on this front, there have been many many 
complaints about this for a long time and nothing has happened :-(

-- 
John Dennis <jdennis at redhat.com>
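
The behaviour described in the message above, as an added sketch that is not part of the original post and does not use the auparse library: a whitespace tokenizer truncates a multi-word value, while a hex-encoded value survives tokenizing and is decoded only when its key is on the decode list. The record contents, the function names and the one-entry `HEX_KEYS` list are assumptions made for illustration.

```python
import re

# Assumption: a stand-in for auparse's hard-coded key list, not the real one.
HEX_KEYS = {"msg"}

def hex_encode_if_needed(value):
    """Sketch of the hack: a value with whitespace or a quote is emitted as hex."""
    if re.search(r'[\s"]', value):
        return value.encode("utf-8").hex().upper()
    return value

def parse_record(line):
    """Split a record into key=value pairs on whitespace, as a naive parser would."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:  # bare words with no '=' are silently dropped
            fields[key] = value
    return fields

def interpret(key, value):
    """Hex-decode the value only when the key is listed and the value is valid hex."""
    if key in HEX_KEYS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return value

# Constructed sample values, not taken from a real audit log.
OP, MSG = "adding user to group", "password changed"
RAW = f"type=USER op={OP} msg={MSG} res=success"
ENCODED = (f"type=USER op={hex_encode_if_needed(OP)} "
           f"msg={hex_encode_if_needed(MSG)} res=success")

def demo():
    raw, enc = parse_record(RAW), parse_record(ENCODED)
    return {
        "raw_op": interpret("op", raw["op"]),     # truncated at the first space
        "raw_msg": interpret("msg", raw["msg"]),  # truncated at the first space
        "enc_msg": interpret("msg", enc["msg"]),  # key on the list: decoded in full
        "enc_op": interpret("op", enc["op"]),     # key not on the list: stays hex
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
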
