Issue type: Bug
Resolution: Done-Errata
Affects version: rhel-9.5
Fixed in build: audit-3.1.5-7.el9
Severity: Moderate
Component owner: rhel-security-special-projects (ssg_security)
Product: Red Hat Enterprise Linux
Sprints: SECENGSP Cycle 17, SECENGSP Cycle 18
Release note: Release Note Not Required
What were you trying to do that didn't work?
When a program such as passwd or su sends the USER_ACCT event, neither the hostname= nor addr= fields are populated:
type=USER_ACCT msg=audit(02/07/2025 09:14:05.857:222) : pid=1770 uid=root auid=root ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_succeed_if acct=root exe=/usr/bin/su hostname=? addr=? terminal=/dev/pts/0 res=success'
There are two reasons for this behavior:
- addrbuf is resolved before host, so at that point host is still the NULL value passed as the function parameter of audit_log_acct_message() (line 457 runs before line 478):
    431 int audit_log_acct_message(int audit_fd, int type, const char *pgname,
    432                            const char *op, const char *name, unsigned int id,
    433                            const char *host, const char *addr, const char *tty, int result)
    434 {
    :
    450     /* If hostname is empty string, make it NULL ptr */
    451     if (host && *host == 0)
    452         host = NULL;
    453
    454     /* See if we can deduce addr */
    455     addrbuf[0] = 0;
    456     if (addr == NULL || strlen(addr) == 0)
    457         _resolve_addr(addrbuf, host);
    458     else
    459         strncat(addrbuf, addr, sizeof(addrbuf)-1);
    :
    476     /* Get the local name if we have a real tty */
    477     if (host == NULL && tty)
    478         host = _get_hostname(tty);
    :
- Resolution of host is broken on RHEL9, because _get_hostname() only matches a tty name of the form pts/X and not /dev/pts/X (lines 244-246):
    242 static const char *_get_hostname(const char *ttyn)
    243 {
    244     if (ttyn && ((strncmp(ttyn, "pts", 3) == 0) ||
    245                  (strncmp(ttyn, "tty", 3) == 0) ||
    246                  (strncmp(ttyn, "/dev/tty", 8) == 0) )) {
    247         if (_host[0] == 0) {
    248             gethostname(_host, HOSTLEN);
    249             _host[HOSTLEN - 1] = 0;
    250         }
    251         return _host;
    252     }
    253     return NULL;
    254 }
This is a regression compared to RHEL8, because the tty function parameter is /dev/pts/X on RHEL9 rather than pts/X:
RHEL8:
    Breakpoint 1, audit_log_acct_message (audit_fd=audit_fd@entry=4, type=type@entry=1100, pgname=pgname@entry=0x0, op=0x55cbe2320b70 "PAM:authentication grantors=pam_rootok", name=0x55cbe2303fc0 "root", id=id@entry=4294967295, host=0x0, addr=0x0, tty=0x55cbe2304160 "pts/0", result=1) at audit_logging.c:434
RHEL9:
    Breakpoint 1, audit_log_acct_message (audit_fd=audit_fd@entry=3, type=type@entry=1100, pgname=pgname@entry=0x0, op=0x5576042a0e20 "PAM:authentication grantors=pam_rootok", name=0x557604289540 "root", id=id@entry=4294967295, host=0x0, addr=0x0, tty=0x557604289670 "/dev/pts/0", result=1) at /usr/src/debug/audit-3.1.5-3.el9.host+addr.x86_64/lib/audit_logging.c:434
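A constructed C sketch of the two corrections the analysis above implies: accept the /dev/pts/N tty form, and resolve the host from the tty before deducing the address from it. This is added here and is neither the attached host+addr.patch nor audit's own code; resolve_addr_stub() is an assumed stand-in for the real _resolve_addr() lookup.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define HOSTLEN 256
static char _host[HOSTLEN];

/* Variant of _get_hostname() that also accepts the "/dev/pts/N" form
 * that PAM passes on RHEL 9 (constructed, not the project's fix). */
static const char *get_hostname_fixed(const char *ttyn)
{
    if (ttyn && ((strncmp(ttyn, "pts", 3) == 0) ||
                 (strncmp(ttyn, "tty", 3) == 0) ||
                 (strncmp(ttyn, "/dev/tty", 8) == 0) ||
                 (strncmp(ttyn, "/dev/pts", 8) == 0))) {
        if (_host[0] == 0) {
            gethostname(_host, HOSTLEN);
            _host[HOSTLEN - 1] = 0;
        }
        return _host;
    }
    return NULL;
}

/* Stand-in for _resolve_addr(): a NULL host yields "?" (what the bug
 * report shows), a local hostname yields the loopback address. */
static void resolve_addr_stub(char *addrbuf, size_t len, const char *host)
{
    snprintf(addrbuf, len, "%s", host ? "127.0.0.1" : "?");
}

/* Host is deduced from the tty first, then addr from the host: the
 * reverse of lines 457/478 above.  Returns 1 when both were resolved. */
int deduce_host_addr(const char *host, const char *addr, const char *tty,
                     const char **host_out, char *addrbuf, size_t len)
{
    if (host && *host == 0)          /* empty hostname means unknown */
        host = NULL;
    if (host == NULL && tty)         /* local name if we have a real tty */
        host = get_hostname_fixed(tty);
    if (addr == NULL || *addr == 0)  /* only now try to deduce addr */
        resolve_addr_stub(addrbuf, len, host);
    else
        snprintf(addrbuf, len, "%s", addr);
    *host_out = host;
    return host != NULL && strcmp(addrbuf, "?") != 0;
}
```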
What is the impact of this issue to you?
Audit lines contain "?" values.
Please provide the package NVR for which the bug is seen:
audit-3.1.5-1.el9 (RHEL9.5)
audit-3.1.5-3.el9 (RHEL9.6)
How reproducible is this bug?:
Always
Steps to reproduce
- Login then execute su
Expected results
All fields populated for USER_ACCT event.
Actual results
Neither hostname nor addr fields populated.
Suggested fix
See host+addr.patch attachment.
Note that the fix could be considered as not complete, because there will still be some USER_ACCT events not having fields resolved, such as systemd.
This is because the hostname is only resolved when having a TTY.
I would suggest that this be enhanced as well: the more fields are populated, the better, for people reviewing audit logs.
Links to: RHBA-2025:148112 (audit update)