[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [patch] Syscall auditing - move "name=" field to the end



Steve & Debora where cooperating on audit library functions to
handle this issue: text formatting, string escape and so on.
Can this work be resurrected? Now that Debora can contribute the code.


Mounir Bsaibes
Linux Security
Tel:  (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes us ibm com

linux-audit-bounces redhat com wrote on 03/17/2005 11:57:03 AM:

> * David Woodhouse (dwmw2 infradead org) wrote:
> > On Wed, 2005-03-16 at 14:41 -0800, Chris Wright wrote:
> > > * Ondrej Zary (linux rainbow-software org) wrote:
> > > > This patch moves the "name=" field to the end of audit records. 
The 
> > > > original placement is bad because it cannot be properly parsed. It 
is 
> > > > impossible to tell if the name is "/bin/true" or "/bin/true 
> inode=469634 
> > > > dev=00:00" because the "inode=" and "dev=" fields can be omitted.
> > 
> > Consider: 
> > 
> > open("/bin/true\naudit(1111008484.824:89346): ...", O_RDONLY);
> > 
> > I don't think this patch is enough -- either we need to escape the 
text
> > completely or just dump it as hex instead of a string. One option 
would
> > be to dump it in quotes as a string if all chars in the string are in
> > the range 0x20-0x7e, and as hex otherwise. That slightly complicates 
the
> > parsing, but not by much, and still gives you plain text in the 
majority
> > of cases while protecting against abuse.
> 
> Yes good point.  I don't have a strong preference.  Steve, are you
> working on processing log data, do you have a preference?
> 
> thanks,
> -chris
> -- 
> Linux Security Modules     http://lsm.immunix.org http://lsm.bkbits.net
> 
> --
> Linux-audit mailing list
> Linux-audit redhat com
> http://www.redhat.com/mailman/listinfo/linux-audit


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]