Improve handling of raw audit data (#462)

* Add new log

* auparse_test: optionally interpret field value

Do not interpret all the values within the test suite,
especially in places where RAW audit format is used.

* auparse_test: optionally interpret field value in callback

Do not interpret all the values within the test suite, especially in
places where RAW audit format is used.

* Adjust reference output

* Rename new test suite file

* Enable test suite for all currently available distros

* auparse_test.py: Disable interpretation in RAW audit logs

Author: Cropi

.github/workflows/ci.yml

@@ -60,6 +60,4 @@ jobs:
           make -j$(nproc)
 
       - name: Run tests
-        # Temporarily disable for Ubuntu
-        if: matrix.container != 'ubuntu:latest'
         run: make check

auparse/test/auparse_test.c

@@ -20,7 +20,7 @@ static const char *buf[] = {
 unsigned int walked_fields = 0;
 #define FIELDS_EXPECTED 403
 
-static void walk_test(auparse_state_t *au)
+static void walk_test(auparse_state_t *au, int interpret)
 {
 	int event_cnt = 1, record_cnt;
 
@@ -53,10 +53,16 @@ static void walk_test(auparse_state_t *au)
 				e->milli, e->serial, e->host ? e->host : "?");
 			auparse_first_field(au);
 			do {
-				printf("        %s=%s (%s)\n",
-						auparse_get_field_name(au),
-						auparse_get_field_str(au),
-						auparse_interpret_field(au));
+				if (interpret) {
+					printf("        %s=%s (%s)\n",
+							auparse_get_field_name(au),
+							auparse_get_field_str(au),
+							auparse_interpret_field(au));
+				} else {
+					printf("        %s=%s\n",
+							auparse_get_field_name(au),
+							auparse_get_field_str(au));
+				}
                 walked_fields++;
 			} while (auparse_next_field(au) > 0);
 			printf("\n");
@@ -221,17 +227,22 @@ void regex_search(const char *expr)
 	auparse_destroy(au);
 }
 
+typedef struct {
+	int *event_cnt;
+	int interpret;
+} callback_data_t;
+
 static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data)
 {
-	int *event_cnt = (int *)user_data;
+	callback_data_t *data = (callback_data_t *)user_data;
 	int record_cnt;
 
 	if (cb_event_type == AUPARSE_CB_EVENT_READY) {
 		if (auparse_first_record(au) <= 0) {
 			printf("can't get first record\n");
 			return;
 		}
-		printf("event %d has %u records\n", *event_cnt,
+		printf("event %d has %u records\n", *(data->event_cnt),
 					auparse_get_num_records(au));
 		record_cnt = 1;
 		do {
@@ -254,15 +265,21 @@ static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_ty
 					e->host ? e->host : "?");
 			auparse_first_field(au);
 			do {
-				printf("        %s=%s (%s)\n",
-						auparse_get_field_name(au),
-						auparse_get_field_str(au),
-						auparse_interpret_field(au));
+				if (data->interpret) {
+					printf("        %s=%s (%s)\n",
+							auparse_get_field_name(au),
+							auparse_get_field_str(au),
+							auparse_interpret_field(au));
+				} else {
+					printf("        %s=%s\n",
+							auparse_get_field_name(au),
+							auparse_get_field_str(au));
+				}
 			} while (auparse_next_field(au) > 0);
 			printf("\n");
 			record_cnt++;
 		} while(auparse_next_record(au) > 0);
-		(*event_cnt)++;
+		(*(data->event_cnt))++;
         }
 }
 
@@ -304,7 +321,7 @@ int main(void)
 	/* Reset, now lets go to beginning and walk the list manually */
 	printf("Starting Test 2, walk events, records, and fields...\n");
 	auparse_reset(au);
-	walk_test(au);
+	walk_test(au, 1);
 	auparse_destroy(au);
 	printf("Test 2 Done\n\n");
 
@@ -325,7 +342,7 @@ int main(void)
 		printf("Error - %s\n", strerror(errno));
 		return 1;
 	}
-	walk_test(au);
+	walk_test(au, 0);
 	auparse_destroy(au);
 	printf("Test 4 Done\n\n");
 
@@ -335,7 +352,7 @@ int main(void)
 		printf("Error - %s\n", strerror(errno));
 		return 1;
 	}
-	walk_test(au);
+	walk_test(au, 0);
 	auparse_destroy(au);
 	printf("Test 5 Done\n\n");
 
@@ -409,12 +426,13 @@ int main(void)
 	printf("Starting Test 9, buffer feed...\n");
 	{
 		int event_cnt = 1;
+		callback_data_t cb_data = { &event_cnt, 1 };
 		size_t len, chunk_len = 3;
 		const char **cur_buf, *p_beg, *p_end, *p_chunk_beg,
 			*p_chunk_end;
 
 		au = auparse_init(AUSOURCE_FEED, 0);
-		auparse_add_callback(au, auparse_callback, &event_cnt, NULL);
+		auparse_add_callback(au, auparse_callback, &cb_data, NULL);
 		for (cur_buf = buf, p_beg = *cur_buf; *cur_buf;
 						 cur_buf++, p_beg = *cur_buf) {
 			len = strlen(p_beg);
@@ -441,15 +459,15 @@ int main(void)
 		/* Note: this should match Test 4 exactly */
 		printf("Starting Test 10, file feed...\n");
 	{
-		int *event_cnt = malloc(sizeof(int));
+		int event_cnt = 1;
+		callback_data_t cb_data = { &event_cnt, 0 };
 		size_t len;
 		char filename[] = "./test.log";
 		char buf[4];
 		FILE *fp;
 
-		*event_cnt = 1;
 		au = auparse_init(AUSOURCE_FEED, 0);
-		auparse_add_callback(au, auparse_callback, event_cnt, free);
+		auparse_add_callback(au, auparse_callback, &cb_data, NULL);
 		if ((fp = fopen(filename, "r")) == NULL) {
 			fprintf(stderr, "could not open '%s', %s\n",
 						filename, strerror(errno));
@@ -473,7 +491,7 @@ int main(void)
 	}
 
 	walked_fields = 0;
-	walk_test(au);
+	walk_test(au, 0);
 	auparse_destroy(au);
 
 	if (walked_fields != FIELDS_EXPECTED) {

auparse/test/auparse_test.py

@@ -26,7 +26,7 @@ def none_to_null(s):
 walked_fields = 0
 FIELDS_EXPECTED = 403
 
-def walk_test(au):
+def walk_test(au, interpret=False):
     global walked_fields
     event_cnt = 1
 
@@ -53,7 +53,10 @@ def walk_test(au):
             print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
             au.first_field()
             while True:
-                print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
+                if interpret:
+                    print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
+                else:
+                    print("        %s=%s" % (au.get_field_name(), au.get_field_str()))
                 walked_fields += 1
                 if not au.next_field(): break
             print("")
@@ -123,7 +126,7 @@ def compound_search(au, how):
     else:
         print("Found %s = %s" % (au.get_field_name(), au.get_field_str()))
 
-def feed_callback(au, cb_event_type, event_cnt):
+def feed_callback(au, cb_event_type, event_cnt, interpret=False):
     if cb_event_type == auparse.AUPARSE_CB_EVENT_READY:
         if not au.first_record():
             print("Error getting first record")
@@ -146,7 +149,10 @@ def feed_callback(au, cb_event_type, event_cnt):
             print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
             au.first_field()
             while True:
-                print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
+                if interpret:
+                    print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
+                else:
+                    print("        %s=%s" % (au.get_field_name(), au.get_field_str()))
                 if not au.next_field(): break
             print("")
             record_cnt += 1
@@ -166,7 +172,7 @@ def feed_callback(au, cb_event_type, event_cnt):
 
 # Reset, now lets go to beginning and walk the list manually */
 print("Starting Test 2, walk events, records, and fields...")
-walk_test(au)
+walk_test(au, interpret=True)
 print("Test 2 Done\n")
 
 # Reset, now lets go to beginning and walk the list manually */
@@ -234,7 +240,7 @@ def feed_callback(au, cb_event_type, event_cnt):
 print("Starting Test 9, buffer feed...")
 au = auparse.AuParser(auparse.AUSOURCE_FEED);
 event_cnt = 1
-au.add_callback(feed_callback, [event_cnt])
+au.add_callback(lambda au, cb_event_type, event_cnt: feed_callback(au, cb_event_type, event_cnt, interpret=False), [event_cnt])
 chunk_len = 3
 for s in buf:
     s_len = len(s)
@@ -251,7 +257,7 @@ def feed_callback(au, cb_event_type, event_cnt):
 print("Starting Test 10, file feed...")
 au = auparse.AuParser(auparse.AUSOURCE_FEED);
 event_cnt = 1
-au.add_callback(feed_callback, [event_cnt])
+au.add_callback(lambda au, cb_event_type, event_cnt: feed_callback(au, cb_event_type, event_cnt, interpret=False), [event_cnt])
 f = open(srcdir + "/test.log");
 while True:
     data = f.read(4)