Bug: error thrown in /usr/local/libexec/truenas_audit_handler.py (25.10.2.1)

In 25.10.2.1 an error is thrown sometimes when a cron job is executed:

timeREDACTED nas CRON\[181341\]: (root) CMD (PATH=“/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/root/bin” midclt call cronjob.run 4 true > /dev/null 2> /dev/null)

timeREDACTED nas truenas_audit_handler.py\[178074\]: Traceback (most recent call last):
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 774, in 
timeREDACTED nas truenas_audit_handler.py\[178074\]:     main()
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 770, in main
timeREDACTED nas truenas_audit_handler.py\[178074\]:     loop.run_until_complete(handler.run())
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/lib/python3.11/asyncio/base_events.py”, line 654, in run_until_complete
timeREDACTED nas truenas_audit_handler.py\[178074\]:     return future.result()
timeREDACTED nas truenas_audit_handler.py\[178074\]:            ^^^^^^^^^^^^^^^
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 723, in run
timeREDACTED nas truenas_audit_handler.py\[178074\]:     await self.handle_auditd_msg()
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 709, in handle_auditd_msg
timeREDACTED nas truenas_audit_handler.py\[178074\]:     await self.send_completed(\*completed)
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 671, in send_completed
timeREDACTED nas truenas_audit_handler.py\[178074\]:     json_data = audit_entry_to_json(msgid, data)
timeREDACTED nas truenas_audit_handler.py\[178074\]:                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 589, in audit_entry_to_json
timeREDACTED nas truenas_audit_handler.py\[178074\]:     \__generate_event_data(entry, to_write\[‘TNAUDIT’\])
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 516, in \__generate_event_data
timeREDACTED nas truenas_audit_handler.py\[178074\]:     if (new_event_data := \__parse_raw_msg(item, data_out\[‘event_data’\])) is not None:
timeREDACTED nas truenas_audit_handler.py\[178074\]:                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 490, in \__parse_raw_msg
timeREDACTED nas truenas_audit_handler.py\[178074\]:     return \__parse_pam(msg_type, parts)
timeREDACTED nas truenas_audit_handler.py\[178074\]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
timeREDACTED nas truenas_audit_handler.py\[178074\]:   File “/usr/local/libexec/truenas_audit_handler.py”, line 441, in \__parse_pam
timeREDACTED nas truenas_audit_handler.py\[178074\]:     key, value = item.split(‘=’, 1)
timeREDACTED nas truenas_audit_handler.py\[178074\]:     ^^^^^^^^^^
timeREDACTED nas truenas_audit_handler.py\[178074\]: ValueError: not enough values to unpack (expected 2, got 1)

The audit message that triggers this looks like this (I think the issue is with hostname=Unix socket, it’s treated as 2 values):

type=USER_AUTH msg=audit(REDACTED): pid=1617 uid=0 auid=REDACTED ses=REDACTED subj=unconfined msg='op=PAM:authentication grantors=pam_access acct="root" exe="/usr/bin/python3.11" hostname=UNIX socket (pid=548287 uid=0 gid=0) addr=? terminal=? res=success'UID="root" AUID="unset" UID="root" GID="root"

To silence the error I used this hack:

--- /usr/local/libexec/truenas_audit_handler.broken.py
+++ /usr/local/libexec/truenas_audit_handler.py 
@@ -438,6 +438,8 @@

     # Everything after pam function is variable
     for item in msg_parts[AuditMsgPamBase.FUNCTION.idx + 1:]:
+        if item == "socket":
+            continue
         key, value = item.split('=', 1)

         if value[0] == '"':

If you have what you believe to be a bug, use the Report a Bug (smile icon in GUI) or Report a Bug on the top, upper right of the forum. Submit a debug dump also along with all the details.

Tried to use that, but when I click on “+ Create” it says I’m not logged in (but I can see the profile and settings links in the top right side). I gave up after 10minutes of trying to create the bug report.

Tried to use what, the GUI or the Forum link?

The Jira app on https ://ixsystems.atlassian.net/jira/. I haven’t tried from web GUI yet.

Sending the bug report from GUI worked (NAS-140373). Thanks.

Same issue. This bug was closed, can you create again or just submit a pull request at Github?

NAS-140373 was closed because it didn’t have a Debug dump attached. If you can reproduce, open a ticket and make sure to upload a Debug Dump to the ticket.