parser: Recognize strange subj fields for more message types

Observed: ANOM_ABEND, ADD_USER, ADD_GROUP, USER_CHAUTHOK, presumably due to AppArmor; there are probably more.
threathunters-io · Dec 27, 2023 · 6799293 · 6799293
1 parent 47d0007
commit 6799293
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/src/parser.rs b/src/parser.rs
@@ -370,7 +370,7 @@ fn parse_unspec_value<'a>(
 ) -> IResult<&'a [u8], PValue<'a>> {
     // work around apparent AppArmor breakage
     match (ty, name) {
-        (msg_type::SYSCALL, b"subj") | (msg_type::USER_AUTH, b"subj") => {
+        (_, b"subj") => {
             if let Ok((input, s)) = recognize(tuple((
                 opt(tag("=")),
                 parse_str_unq,
@@ -869,6 +869,7 @@ mod test {
         do_parse(include_bytes!("testdata/line-daemon-end.txt")).unwrap();
         do_parse(include_bytes!("testdata/line-netfilter.txt")).unwrap();
         do_parse(include_bytes!("testdata/line-anom-abend.txt")).unwrap();
+        do_parse(include_bytes!("testdata/line-anom-abend-2.txt")).unwrap();
         do_parse(include_bytes!("testdata/line-user-auth.txt")).unwrap();
         do_parse(include_bytes!("testdata/line-sockaddr-unix.txt")).unwrap();
         do_parse(include_bytes!("testdata/line-user-auth-2.txt")).unwrap();

diff --git a/src/testdata/line-anom-abend-2.txt b/src/testdata/line-anom-abend-2.txt
@@ -0,0 +1 @@
+type=ANOM_ABEND msg=audit(1703677054.334:4223663): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==/usr/bin/man//&man_groff (enforce) pid=109919 comm="preconv" exe="/usr/bin/preconv" sig=31 res=1AUID="unset" UID="root" GID="root"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		type=ANOM_ABEND msg=audit(1703677054.334:4223663): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==/usr/bin/man//&man_groff (enforce) pid=109919 comm="preconv" exe="/usr/bin/preconv" sig=31 res=1AUID="unset" UID="root" GID="root"