man praudit(1) says

    -n    Do not convert user and group IDs to their names but leave in their numeric forms.

yet this doesn't seem to work. uids are still resolved to names. This is unhelpful when audit files are shipped to other machines.

example:

    cat <audit file> | praudit -n
    header_ex,131,11,execve(2),0,10.4.15.10,Tue Oct 22 06:00:14 2024, + 43 msec
    exec arg,wc,-l
    path,/usr/bin/wc
    attribute,555,root,wheel,3566801450,67953,0
    subject,-1,root,wheel,root,wheel,48335,0,0,0.0.0.0
    return,success,0
    trailer,131

    # freebsd-version -ukr
    14.1-RELEASE
    14.1-RELEASE
    14.1-RELEASE-p2

Indeed, this is a bug in openbsm. praudit's -n flag sets AU_OFLAG_NORESOLVE which is documented as avoiding resolution by au_print_flags_tok(), but the flag was in fact not tested anywhere.

https://github.com/search?q=repo%3Aopenbsm%2Fopenbsm%20au_oflag_noresolve&type=code

Can you try the patch in https://reviews.freebsd.org/D47263?

Tested on 14.1. Works fine, thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ba10bfe509dcb5d408de89c886527035068b8f17

commit ba10bfe509dcb5d408de89c886527035068b8f17
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-10-23 12:25:29 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-11-03 18:37:24 +0000

    libbsm: honour AU_OFLAG_NORESOLVE

    AU_OFLAG_NORESOLVE is documented as "Leave user and group IDs in their
    numeric form" but it was not actually tested.

    OpenBSM pull request at https://github.com/openbsm/openbsm/pull/85

    PR: 282271
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D47263

 contrib/openbsm/libbsm/bsm_io.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6abc57ceb6a0af92ec86d95ba3bca0c396624c90

commit 6abc57ceb6a0af92ec86d95ba3bca0c396624c90
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-10-23 12:25:29 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-11-12 13:40:05 +0000

    libbsm: honour AU_OFLAG_NORESOLVE

    AU_OFLAG_NORESOLVE is documented as "Leave user and group IDs in their
    numeric form" but it was not actually tested.

    OpenBSM pull request at https://github.com/openbsm/openbsm/pull/85

    PR: 282271
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D47263

    (cherry picked from commit ba10bfe509dcb5d408de89c886527035068b8f17)
    (cherry picked from commit 914752d0f7f874ab4fc8393aee28c22df87324f2)

 contrib/openbsm/libbsm/bsm_io.c           | 4 ++--
 usr.sbin/praudit/tests/input/numeric_form | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=92a324a151ceef49cf52d33e9e30038f6459629a

commit 92a324a151ceef49cf52d33e9e30038f6459629a
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-10-23 12:25:29 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-11-12 13:44:47 +0000

    libbsm: honour AU_OFLAG_NORESOLVE

    AU_OFLAG_NORESOLVE is documented as "Leave user and group IDs in their
    numeric form" but it was not actually tested.

    OpenBSM pull request at https://github.com/openbsm/openbsm/pull/85

    PR: 282271
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D47263

    (cherry picked from commit ba10bfe509dcb5d408de89c886527035068b8f17)
    (cherry picked from commit 914752d0f7f874ab4fc8393aee28c22df87324f2)
    (cherry picked from commit 6abc57ceb6a0af92ec86d95ba3bca0c396624c90)

 contrib/openbsm/libbsm/bsm_io.c           | 4 ++--
 usr.sbin/praudit/tests/input/numeric_form | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

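A check that a host's praudit -n output really is numeric before trails are shipped elsewhere, as an added example that is not part of this bug thread or of the FreeBSD/OpenBSM sources. The function names and the numeric sample are constructed here, the default comma delimiter is assumed, and subject_ex, process and process_ex are assumed to start with the same five ID fields as subject.

```shell
# Added example: flag praudit tokens whose uid/gid fields are not numeric.
# Reads praudit text on stdin; prints one line per bad field, returns 1 if any.
find_resolved_ids() {
    awk -F, '
        # Field positions follow the sample record in the bug report:
        #   attribute,mode,uid,gid,fsid,nodeid,dev
        #   subject,auid,euid,egid,ruid,rgid,pid,sid,port,addr
        # Assumption: subject_ex/process/process_ex share the subject layout.
        function check(first, last,    i) {
            for (i = first; i <= last; i++)
                if ($i !~ /^-?[0-9]+$/) {
                    printf "line %d: %s field %d is \"%s\"\n", NR, $1, i, $i
                    bad = 1
                }
        }
        $1 == "attribute" { check(3, 4) }
        $1 ~ /^(subject|process)(_ex)?$/ { check(2, 6) }
        END { exit bad }
    '
}

# Abridged record from the bug report: names were resolved despite -n.
sample_resolved() {
    cat <<'EOF'
header_ex,131,11,execve(2),0,10.4.15.10,Tue Oct 22 06:00:14 2024, + 43 msec
exec arg,wc,-l
attribute,555,root,wheel,3566801450,67953,0
subject,-1,root,wheel,root,wheel,48335,0,0,0.0.0.0
return,success,0
EOF
}

# Constructed: the same record with numeric IDs, assuming root and wheel are 0.
sample_numeric() {
    cat <<'EOF'
header_ex,131,11,execve(2),0,10.4.15.10,Tue Oct 22 06:00:14 2024, + 43 msec
exec arg,wc,-l
attribute,555,0,0,3566801450,67953,0
subject,-1,0,0,0,0,48335,0,0,0.0.0.0
return,success,0
EOF
}

sample_resolved | find_resolved_ids || echo "names were resolved"
sample_numeric | find_resolved_ids && echo "all IDs numeric"
```

On a real host, pipe `praudit -n` output for a trail file into `find_resolved_ids` in place of the sample functions.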