Bug 510478 - ausearch fails to interpret some messages
ausearch fails to interpret some messages
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: audit (Show other bugs)
4.8
All Linux
medium Severity medium
: rc
: ---
Assigned To: Steve Grubb
BaseOS QE
: Patch
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-09 08:39 EDT by Olivier Fourdan
Modified: 2013-03-03 21:48 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-18 13:43:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch (1.27 KB, patch)
2009-07-09 08:39 EDT, Olivier Fourdan
no flags Details | Diff

  None (edit)
Description Olivier Fourdan 2009-07-09 08:39:12 EDT
Created attachment 351054 [details]
Proposed patch

Description of problem:

audit-1.0.15 introduced a change to interpret data withing the "msg=" filed that breaks with some messages, when the result string contains a space.

Version-Release number of selected component (if applicable):

1.0.16

How reproducible:

100% reproducible

Steps to Reproduce:
1. Install audit 1.0.16 on el4
2. try to ssh to the system with a wrong passwd to generate a PAM authentication failure 
3. ausearch -i -m USER_AUTH
  
Actual results:

----
type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root 
auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd 
(hostname=localhost.localdomain  addr=127.0.0.1  terminal=ssh 
result=Authentication 
----

Expected results:

----
type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root 
auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd 
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh 
result=Authentication failure)' 
----

Additional info:

The problem was comes from output_interpreted_node() in ausearch-report.c.

The addition of:

    147 static void output_interpreted_node(const lnode *n)
    148 {
    [...]

    226         // for each item.
    227         while (str && *str && (ptr = strchr(str, '='))) {
    [...]

    240                 // Some user messages have msg='uid=500   in this case
    241                 // skip the msg= piece since the real stuff is the uid=
    242                 if (strcmp(name, "msg") == 0) {
    243                         str = ptr;
    244                         continue;
    245                 }
    [...]

Introduced a breakage when looking for the the end of the line a few lines later in the code:

    251                 // get string after = to the next space or end - this is value
    252                 if (*ptr == '\'' || *ptr == '"') {
    253                         str = strchr(ptr+1, *ptr);
    254                         if (str) {
    255                                 str++;
    256                                 if (*str)
    257                                         *str++ = 0;
    258                         } 
    259                 } else {
    260                         str = strchr(ptr, ',');
    261                         val = strchr(ptr, ' ');
    262                         if (str && val && (str < val)) {
    263                                 *str++ = 0;
    264                                 comma = 1;
    265                         } else if (str && (val == NULL)) {
    266                                 *str++ = 0;
    267                                 comma = 1;
    268                         } else if (val) {
    269                                 str = val;
    270                                 *str++ = 0;
    271                         }
    272                 }

Because the "'" is skipped before. As a result, the search for the separator truncated the last portion of the message in there is an space or a comma in the last part of the message (like in "result=Authentication failure)'")

The attached patch tries to address the problem by looking ahead for more fields to parse (ie more "=") and looks for the separator only if there are more fields, thus avoiding the truncation of the last portion of the message.

Note: The problem is most likely present also upstream and in el5 as the code is similar.
Comment 3 Steve Grubb 2010-01-18 13:43:58 EST
The audit events shown above seem to be a bug in pam. The result field should be only 0 or 1, yes or no. FWIW, the section of code in the proposed patch is the same in current upstream. So, my inclination would be to fix pam should this problem still exist. Closing the bug since I think pam is fixed.

Note You need to log in before you can comment on or make changes to this bug.