[PATCH] Fix acct quoting in audit_log_acct_message()
Eric Paris
eparis at redhat.com
Tue Mar 4 21:55:20 UTC 2008
On Tue, 2008-03-04 at 16:38 -0500, Steve Grubb wrote:
> On Tuesday 04 March 2008 16:21:01 John Dennis wrote:
> > These are the encoded audit strings in kernel 2.6.24 (Fedora):
>
> Reorganized:
>
>
> Field 24 18 auparse
> a[0-9]+ X
> acct X
> cmd X
> comm X X X
> cwd X X X
> data X
> dir X X
> exe X X X
> file X
> key X X X
> msg X
> name X X X
> new X X
> old X X
> path X X X
> watch X
your formatting didn't come through, but we both agree auparse doesn't
get them all (for better or worse) and 2.6.24 only adds new stuff, it
doesn't remove?
> Of these, A0-4 is probably from the execve patch. I have no idea what the
> status of this patch is and if its upstream. I've not seen the records so
> this would be something very new.
execve could always turn A0-infinity into hex. And currently upstream
and RHEL5.2 kernels both can do so....
> acct & cmd is a userspace thing
>
> data, I need to go hunt this down. I don't like the name so it will probably
> need to change in the kernel
maybe audit tty stuff? I don't see it in auditsc.c or audit.c (just a
guess)
>
> msg, name collision it has to change wherever it is in the kernel
not sure what this means... I only see msg used in one place, but it is
a great example of non-standardization which should be cleaned up....
	if (msg_type != AUDIT_USER_TTY)
		/* raw bytes, truncated to 1024, wrapped in single quotes */
		audit_log_format(ab, " msg='%.1024s'", (char *)data);
	else {
		int size;

		/* untrusted path: emits "..." or hex, double-quoted when literal */
		audit_log_format(ab, " msg=");
		size = nlmsg_len(nlh);
		audit_log_n_untrustedstring(ab, size, data);
	}
The top case surrounds these with '', while the bottom surrounds them
with "".
> new, old, these sound like bugs. They need to get fixed in the kernel
new and old are from audit config changes. Am I really expected to
trust what came down the netlink socket from userspace was sane? nope
nope nope. I don't trust userspace. Even though 10 times out of 10
these are going to be normal strings they need to remain calls to
untrusted string just in case.
>
> file & watch are probably legacy from RHEL4 I think. It can probably be
> deleted.
don't see them in my kernels
>
> -Steve
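Added example, not code from this thread or from the kernel: a userspace
model of the two msg= encodings discussed above. The msg='%.1024s' branch
just puts the raw bytes between single quotes; the block below implements the
other branch, audit_log_n_untrustedstring(), using the kernel's
audit_string_contains_control() rule ("value" only when every byte is printable
ASCII other than '"', else the whole value as uppercase hex), plus the decoder
an auparse-style consumer needs to get the original bytes back. Function names
in the block are my own.

```c
#include <stdio.h>
#include <string.h>

/* Model of the audit_log_n_untrustedstring() form: "value" when every byte
 * is printable ASCII other than '"', otherwise the whole value as uppercase
 * hex (the audit_string_contains_control() rule). Returns the number of
 * bytes written, or -1 if out is too small. */
int encode_untrusted(const char *s, size_t len, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)s;
    int clean = 1;
    for (size_t i = 0; i < len; i++)
        if (p[i] == '"' || p[i] < 0x21 || p[i] > 0x7e)
            clean = 0;
    if (clean) {
        int n = snprintf(out, outlen, "\"%.*s\"", (int)len, s);
        return (n < 0 || (size_t)n >= outlen) ? -1 : n;
    }
    if (outlen < 2 * len + 1)
        return -1;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02X", p[i]);
    return (int)(2 * len);
}

/* Hex digit value; accepts both cases so lowercase hex from other sources still parses. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* What an auparse-style consumer does with the untrusted form: a leading '"'
 * means a literal, anything else is hex. Returns decoded length, or -1. */
int decode_untrusted(const char *field, char *out, size_t outlen)
{
    size_t len = strlen(field), i;
    if (field[0] == '"') {
        if (len < 2 || field[len - 1] != '"' || outlen < len - 1) return -1;
        memcpy(out, field + 1, len - 2);
        out[len - 2] = '\0';
        return (int)(len - 2);
    }
    if (len % 2 || outlen < len / 2 + 1) return -1;
    for (i = 0; i < len / 2; i++) {
        int hi = hexval(field[2 * i]), lo = hexval(field[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (char)(hi << 4 | lo);
    }
    out[i] = '\0';
    return (int)i;
}
```

A value holding a space or a quote comes back byte-exact through the hex form, which the single-quoted raw form cannot guarantee.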