Error normalizing NETFILTER_CFG #69

Open

spbnick opened this issue Feb 7, 2018 · 4 comments

@spbnick
Member

spbnick commented Feb 7, 2018

The auparse_normalize function returns an error for the following piece of audit.log:

node=fedora24-dev type=NETFILTER_CFG msg=audit(1517172828.517:495): table=mangle family=10 entries=6
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.797:496): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.799:497): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.800:498): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=polkit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_START msg=audit(1517172829.804:499): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.804:500): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.807:501): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=fedora24-dev type=SYSTEM_SHUTDOWN msg=audit(1517172829.807:502): pid=3653 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.808:503): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-random-seed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.810:504): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
node=localhost.localdomain type=DAEMON_CLOSE msg=audit(1517172829.848:13): addr=192.168.122.40 port=48118 res=success
node=localhost.localdomain type=SERVICE_STOP msg=audit(1517172864.462:3385): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=chronyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

The particular issue can be reproduced with auparse as well, like this:

ausearch --format csv -if auparse_normalize_failure.log

This was seen on Fedora 25 with the following packages installed:

audit-2.8.1-1.fc25.x86_64
audit-libs-devel-2.8.1-1.fc25.x86_64
audit-libs-2.8.1-1.fc25.x86_64

Response from Steve Grubb from the audit team was:

The event from the kernel is messed up. You can try asking on the
linux-audit mail list because they think I'm the only one seeing
problems. And there is also github issues:

linux-audit/audit-kernel#25
linux-audit/audit-kernel#35

These have been open for about a year with no real movement. I don't
know if there is anything you can do to highlight that we need these
fixed ASAP.

@spbnick spbnick added this to the v2 milestone Feb 7, 2018
@rgbriggs

This is essentially a duplicate of issue 25 and issue 35. I recommend closing as a duplicate.

@spbnick
Member Author

spbnick commented Mar 18, 2018

@rgbriggs Hmm, I don't think I follow. To me those issues don't look related at all. Could you elaborate, please?

@rgbriggs

rgbriggs commented Mar 19, 2018 via email

@spbnick
Member Author

spbnick commented Mar 19, 2018

I think the solution to this on the aushape side should be to fail generating the normalized data, and mark the partially-converted JSON object with an error. I would, of course, like this resolved on the audit or kernel side, but I expect things like this will keep happening, so aushape will need to handle it anyway, and it can start with handling this case while it's being resolved.
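The failure-tolerant conversion proposed above, as an added Python sketch that is not aushape's or audit's code: parse the records quoted in the issue, attempt a normalization step per record, and on failure keep the partially converted object and attach an error instead of aborting the whole run. `normalize` is a toy stand-in for `auparse_normalize` (the page does not say why the real one rejects the NETFILTER_CFG record); the sample log is constructed from two lines of the issue, with the enrichment separator written as the real ASCII 0x1D byte.

```python
import re

# Constructed sample: two records quoted in the issue above. auditd separates
# the raw record from the enriched uppercase fields with ASCII 0x1D (GS).
SAMPLE_LOG = (
    "node=fedora24-dev type=NETFILTER_CFG msg=audit(1517172828.517:495): "
    "table=mangle family=10 entries=6\n"
    "node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.797:496): pid=1 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 "
    "msg='unit=firewalld comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" "
    "hostname=? addr=? terminal=? res=success'\x1dUID=\"root\" AUID=\"unset\"\n"
)
HEADER_RE = re.compile(r"^(?:node=(\S+) )?type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def kv(text):
    """key=value pairs; quoted values keep their spaces, quotes are stripped."""
    return {k: v.strip("'\"") for k, v in FIELD_RE.findall(text)}

def parse_record(line):
    """Split one audit.log line into header, raw fields and enriched fields."""
    raw, _, enriched = line.partition("\x1d")
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError(f"not an audit record: {line[:40]!r}")
    node, rtype, ts, serial, body = m.groups()
    fields = kv(body)
    if "msg" in fields:  # nested msg='unit=... res=...' carries its own pairs
        fields.update({k: v for k, v in kv(fields["msg"]).items() if k not in fields})
    return {"node": node, "type": rtype, "time": float(ts), "serial": int(serial),
            "fields": fields, "enriched": kv(enriched)}

def normalize(rec):
    """Toy stand-in for auparse_normalize (assumption: the real rules are not on
    the page). It derives a subject from pid/uid/auid, which NETFILTER_CFG lacks."""
    f = rec["fields"]
    return {"subject": {"pid": int(f["pid"]), "uid": int(f["uid"]), "auid": int(f["auid"])},
            "action": rec["type"].lower(), "result": f.get("res")}

def convert(line):
    """Convert one record; when normalization fails, keep the partially converted
    object and mark it with an error rather than failing the whole conversion."""
    rec = parse_record(line)
    try:
        rec["normalized"] = normalize(rec)
    except (KeyError, ValueError) as exc:
        rec["normalized"] = None
        rec["error"] = f"normalization failed: {exc!r}"
    return rec

def convert_log(text):
    # not str.splitlines(): it treats the 0x1D separator as a line break
    return [convert(line) for line in text.split("\n") if line.strip()]
```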
