From 038ff23dfa5ddf7ca2de2d564262c0d5bfece4d4 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Sat, 18 Jan 2025 14:20:46 -0500 Subject: [PATCH 1/4] Fix audit records The audit system only recognizes key=value word pairs. It uses the first whitespace after the '=' to determine the end of the value associated with the field name. The op field contains multiple words describing what operation is being performed on the user account. However, due to white space between the words, the audit parser cannot get the whole operation description as intended. This patch is the least invasive way to fix the problem. What it does is replace white space in the op field with dashes soo that the parser keeps all of the words togther. Below are before and after events: type=ADD_GROUP msg=audit(01/18/2025 13:50:27.903:685) : pid=116430 uid=root auid=sgrubb ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding group acct=test exe=/home/sgrubb/shadow-utils/src/useradd hostname=x2 addr=? terminal=pts/1 res=success' type=ADD_GROUP msg=audit(01/18/2025 13:56:45.031:709) : pid=107681 uid=root auid=sgrubb ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding-group acct=test1 exe=/home/sgrubb/shadow-utils/src/useradd hostname=x2 addr=? terminal=pts/1 res=success' To show the effect using auformat which captures just the field asked for: Before: ausearch --start 13:50 -m ADD_USER --format raw | \ /home/sgrubb/test/auformat "%OP\n" adding After: ausearch --start 13:55 -m ADD_USER --format raw | \ /home/sgrubb/test/auformat "%OP\n" adding-user --- lib/audit_help.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/lib/audit_help.c b/lib/audit_help.c index 54109f04f..4233ca827 100644 --- a/lib/audit_help.c +++ b/lib/audit_help.c 
@@ -44,6 +44,25 @@ void audit_help_open (void) } } +/* + * This takes a string and replaces the old character with the new. + */ +static char *strreplace (char *str, char old, char new) +{ + if (str == NULL) { + return NULL; + } + + char *p = str; + while (*p) { + if (*p == old) { + *p = new; + } + p++; + } + return str; +} + /* * This function will log a message to the audit system using a predefined * message format. Parameter usage is as follows: @@ -63,8 +82,16 @@ void audit_logger (int type, MAYBE_UNUSED const char *pgname, const char *op, if (audit_fd < 0) { return; } else { - audit_log_acct_message (audit_fd, type, NULL, op, name, id, - NULL, NULL, NULL, result); + /* + * The audit system needs white space in the op field to + * be replaced with dashes so that parsers get the whole + * field. + */ + char *fixed_op = strreplace (strdup (op), ' ', '-'); + audit_log_acct_message (audit_fd, type, NULL, + fixed_op ? fixed_op : op, name, + id, NULL, NULL, NULL, result); + free (fixed_op); } } From a82a01a9fc4e05f01e1621891e287789335a4104 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Tue, 21 Jan 2025 13:51:29 -0500 Subject: [PATCH 2/4] Updates based on feedback Made the following changes based on feedback: Changed the function name to strtr, drop strdup/free in favor of alloca, changed while loop to a for loop, and added missing inline attribute. --- lib/audit_help.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/lib/audit_help.c b/lib/audit_help.c index 4233ca827..5d29cee11 100644 --- a/lib/audit_help.c +++ b/lib/audit_help.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "attr.h" #include "prototypes.h" 
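Review bot: The header comment on strreplace omits the two contract details its only caller depends on: it edits str in place and returns that same pointer, and a NULL str is passed through untouched, which is what lets `strreplace (strdup (op), ' ', '-')` fall back to the original op when strdup() fails. Suggested comment: `/* Replace every occurrence of old with new in str, in place. Returns str, or NULL when str is NULL (so a failed strdup() can be passed straight through). */`. This is a documentation change only; the function itself is complete within the hunk.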
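Review bot: Only the ASCII space is rewritten at `strreplace (strdup (op), ' ', '-')`, while the commit message says the audit parser ends a value at the first whitespace; a tab or newline in op would still truncate the op= field. The callers are not in this hunk, so if op is always one of the fixed literal phrases the message's examples show, this is harmless, but nothing in the wrapper states that precondition. A cheap hardening is to treat any whitespace alike in the helper, `if (isspace ((unsigned char) *p)) *p = new;` (with `<ctype.h>` included), or else a comment at the call site that op must use only spaces as separators. A one-line note that a NULL from strdup() deliberately logs the unfixed op rather than dropping the audit event would also help, since silently losing an audit record is the worse failure. audit_logger's signature lies outside the hunk.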
@@ -47,18 +48,16 @@ void audit_help_open (void) /* * This takes a string and replaces the old character with the new. */ -static char *strreplace (char *str, char old, char new) +static inline char *strtr (char *str, char old, char new) { if (str == NULL) { return NULL; } - char *p = str; - while (*p) { + for (char *p = str; *p; p++) { if (*p == old) { *p = new; } - p++; } return str; } @@ -85,13 +84,14 @@ void audit_logger (int type, MAYBE_UNUSED const char *pgname, const char *op, /* * The audit system needs white space in the op field to * be replaced with dashes so that parsers get the whole - * field. + * field. Not all C libraries have strdupa. */ - char *fixed_op = strreplace (strdup (op), ' ', '-'); + char *tmp_op = alloca (strlen (op) + 1); + strcpy (tmp_op, op); + char *fixed_op = strtr (tmp_op, ' ', '-'); audit_log_acct_message (audit_fd, type, NULL, - fixed_op ? fixed_op : op, name, - id, NULL, NULL, NULL, result); - free (fixed_op); + fixed_op, name, id, + NULL, NULL, NULL, result); } } From 88e145a1c8b702c85529d6c9df6b13a30cf17328 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Wed, 22 Jan 2025 14:26:06 -0500 Subject: [PATCH 3/4] Another round of updates Don't check for NULL string being passed, put returned type on a separate line, use streq, remove some curly braces, use strdupa, and constify the returned pointer. --- lib/audit_help.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/lib/audit_help.c b/lib/audit_help.c index 5d29cee11..66f562732 100644 --- a/lib/audit_help.c +++ b/lib/audit_help.c @@ -26,6 +26,7 @@ #include "attr.h" #include "prototypes.h" #include "shadowlog.h" +#include "string/strcmp/streq.h" int audit_fd; void audit_help_open (void) 
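Review bot: `char *tmp_op = alloca (strlen (op) + 1);` has no failure path: alloca never returns NULL, so an over-long op becomes a stack overflow instead of the silent fallback the previous revision had, and the size comes from an argument whose bound is not stated anywhere in this file. If op is always a short literal, as the commit message's examples suggest, this is not a practical problem, but the comment should say so, e.g. `/* op is a short caller-supplied literal; the stack copy is bounded in practice */`. Otherwise a fixed `char tmp_op[64];` filled with `snprintf (tmp_op, sizeof tmp_op, "%s", op);` keeps the copy bounded at the cost of truncating an unexpectedly long op, which for an audit op= string is the safer failure mode. audit_logger's signature lies outside the hunk.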
@@ -48,16 +49,12 @@ void audit_help_open (void) /* * This takes a string and replaces the old character with the new. */ -static inline char *strtr (char *str, char old, char new) +static inline const char * +strtr(char *str, char old, char new) { - if (str == NULL) { - return NULL; - } - - for (char *p = str; *p; p++) { - if (*p == old) { + for (char *p = str; streq(p, ""); p++) { + if (*p == old) *p = new; - } } return str; } @@ -84,14 +81,12 @@ void audit_logger (int type, MAYBE_UNUSED const char *pgname, const char *op, /* * The audit system needs white space in the op field to * be replaced with dashes so that parsers get the whole - * field. Not all C libraries have strdupa. + * field. */ - char *tmp_op = alloca (strlen (op) + 1); - strcpy (tmp_op, op); - char *fixed_op = strtr (tmp_op, ' ', '-'); - audit_log_acct_message (audit_fd, type, NULL, - fixed_op, name, id, - NULL, NULL, NULL, result); + const char *fixed_op = strtr(strdupa(op), ' ', '-'); + audit_log_acct_message(audit_fd, type, NULL, + fixed_op, name, id, + NULL, NULL, NULL, result); } } From 0d86d7c6160dfae7c203b993255f95d266ef78ef Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Wed, 22 Jan 2025 15:19:09 -0500 Subject: [PATCH 4/4] Invert streq value --- lib/audit_help.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/audit_help.c b/lib/audit_help.c index 66f562732..cffb7fadc 100644 --- a/lib/audit_help.c +++ b/lib/audit_help.c @@ -52,7 +52,7 @@ void audit_help_open (void) static inline const char * strtr(char *str, char old, char new) { - for (char *p = str; streq(p, ""); p++) { + for (char *p = str; !streq(p, ""); p++) { if (*p == old) *p = new; }
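Review bot: With the NULL guard removed, strtr now dereferences str unconditionally, and nothing in the function says that the caller must guarantee a non-NULL, NUL-terminated buffer; the removal is only safe because the call site in the next hunk no longer passes a strdup() result. The header comment should carry that precondition, e.g. `/* str must be non-NULL and NUL-terminated; edited in place and returned as const. */`. The inverted `streq(p, "")` condition in this hunk is already corrected by the following patch, so I am not re-raising it. strtr's `return str;` lies outside this hunk.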
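Review bot: `strtr(strdupa(op), ' ', '-')` reintroduces what the previous revision's own comment warned about: strdupa is a GNU extension, and on glibc it expands to alloca(), so the copy is still an unchecked stack allocation sized by the argument with no NULL path. Whether that is acceptable depends on the project's portability target, which is not visible here; if glibc-style libcs are the only target, a comment saying so would stop the next reader re-raising it, e.g. `/* strdupa is a GNU extension backed by alloca(); op is a short literal, so the stack copy is bounded */`. The `#include` added for alloca in the earlier revision may now be unused, but its header name is cut off in this extract, so that needs checking in the full file. audit_logger's signature lies outside the hunk.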
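Review bot: `!streq(p, "")` in the loop condition is correct after this fix, but it reads as a string comparison rather than the end-of-string test it is, and it is exactly the expression that was inverted in the previous revision. If the project's streq idiom is to be kept, a short comment would make the intent unambiguous: `/* !streq(p, "") is *p != '\0': walk to the terminator */`. The unbraced `if (*p == old) *p = new;` body follows the style the commit message says reviewers asked for, so no change there. strtr's `return str;` lies outside this hunk.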