Created attachment 351054
Proposed patch

Description of problem:
audit-1.0.15 introduced a change to interpret data within the "msg=" field that breaks with some messages, when the result string contains a space.

Version-Release number of selected component (if applicable):
1.0.16

How reproducible:
100% reproducible

Steps to Reproduce:
1. Install audit 1.0.16 on el4
2. try to ssh to the system with a wrong passwd to generate a PAM authentication failure
3. ausearch -i -m USER_AUTH

Actual results:
----
type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd (hostname=localhost.localdomain addr=127.0.0.1 terminal=ssh result=Authentication
----

Expected results:
----
type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Authentication failure)'
----

Additional info:
The problem comes from output_interpreted_node() in ausearch-report.c. The addition of:

    147 static void output_interpreted_node(const lnode *n)
    148 {
    [...]
    226         // for each item.
    227         while (str && *str && (ptr = strchr(str, '='))) {
    [...]
    240                 // Some user messages have msg='uid=500 in this case
    241                 // skip the msg= piece since the real stuff is the uid=
    242                 if (strcmp(name, "msg") == 0) {
    243                         str = ptr;
    244                         continue;
    245                 }
    [...]

introduced a breakage when looking for the end of the line a few lines later in the code:

    251                 // get string after = to the next space or end - this is value
    252                 if (*ptr == '\'' || *ptr == '"') {
    253                         str = strchr(ptr+1, *ptr);
    254                         if (str) {
    255                                 str++;
    256                                 if (*str)
    257                                         *str++ = 0;
    258                         }
    259                 } else {
    260                         str = strchr(ptr, ',');
    261                         val = strchr(ptr, ' ');
    262                         if (str && val && (str < val)) {
    263                                 *str++ = 0;
    264                                 comma = 1;
    265                         } else if (str && (val == NULL)) {
    266                                 *str++ = 0;
    267                                 comma = 1;
    268                         } else if (val) {
    269                                 str = val;
    270                                 *str++ = 0;
    271                         }
    272                 }

because the "'" is skipped before. As a result, the search for the separator truncates the last portion of the message if there is a space or a comma in the last part of the message (like in "result=Authentication failure)'").

The attached patch tries to address the problem by looking ahead for more fields to parse (i.e. more "=") and looks for the separator only if there are more fields, thus avoiding the truncation of the last portion of the message.

Note: The problem is most likely present also upstream and in el5 as the code is similar.
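The truncation the report describes, reproduced as an added stand-alone C example (not the attached patch and not ausearch's own code): get_field() walks the same name=value loop, where lookahead == 0 cuts the last value at the first space the way 1.0.16 does, and lookahead != 0 applies the look-ahead-for-another-"=" idea so the final field keeps "Authentication failure)". The sample payload is constructed from the output in the report.

```c
#include <string.h>

/* Constructed sample: the msg='...' payload from the report, with the
 * opening quote already stripped the way the 1.0.16 loop does it. */
static const char sample[] =
    "PAM authentication: user=ofourdan exe=/usr/sbin/sshd "
    "(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh "
    "result=Authentication failure)";

/* Copy the value of `field` into `out` and return 1 if found. lookahead == 0
 * cuts every value at the first ',' or ' ' (1.0.16 behaviour); lookahead != 0
 * treats a field with no later '=' as the last one and keeps the whole rest. */
static int get_field(const char *msg, const char *field, int lookahead,
                     char *out, size_t outlen)
{
    char buf[512], *str = buf, *ptr, *end, *comma, *space;
    strncpy(buf, msg, sizeof buf - 1);
    buf[sizeof buf - 1] = 0;
    while (str && *str && (ptr = strchr(str, '='))) {
        char *name = str;
        *ptr++ = 0;                     /* name is the text before '=' */
        while (*name == ' ')
            name++;
        if (lookahead && strchr(ptr, '=') == NULL) {
            end = NULL;                 /* last field: skip the separator search */
        } else {
            comma = strchr(ptr, ',');
            space = strchr(ptr, ' ');
            end = (comma && (!space || comma < space)) ? comma : space;
        }
        if (end)
            *end++ = 0;
        if (strcmp(name, field) == 0) {
            strncpy(out, ptr, outlen - 1);
            out[outlen - 1] = 0;
            return 1;
        }
        str = end;
    }
    return 0;
}

/* 1 if extracting `field` from the sample yields exactly `expect`. */
static int field_equals(const char *field, int lookahead, const char *expect)
{
    char out[128];
    return get_field(sample, field, lookahead, out, sizeof out) == 1 &&
           strcmp(out, expect) == 0;
}
```

Earlier fields such as exe= and addr= come out the same either way; only the final result= value differs between the two modes.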
The audit events shown above seem to be a bug in pam. The result field should be only 0 or 1, yes or no. FWIW, the section of code in the proposed patch is the same in current upstream. So, my inclination would be to fix pam should this problem still exist. Closing the bug since I think pam is fixed.