Backwards-compatible string encoding
Joshua Roys
joshua.roys at gtri.gatech.edu
Thu Apr 9 19:55:48 UTC 2009
On 03/27/2009 12:41 PM, John Dennis wrote:
> Strings should be formatted as strings which means enclosed in double
> quotes with standard C99 escaping.
>
> As it stands now the audit libraries have hard coded lists of every
> field the kernel can emit in an audit message. The test for decoding hex
> strings is based on whether the field is known to be a string. Field
> values *never* currently begin with a quote. If the kernel audit code
> was modified to format strings such that they are always enclosed in
> quotes the following positive things would occur:
>
> * No need for hard coded list of which fields are string values.
>
> * As long as the audit libraries are used for parsing it's fully
> backwards compatible (because during parsing you first look for a quote,
> if it's there you know it's a string value, otherwise fall back to the
> legacy logic).
>
> * Strings are always human readable and it's obvious what is a string.
>
> * C99 string encoding is trivial and extremely efficient so there is no
> burden on the kernel.
>
> All in all a win/win situation.
>
Hello all,

The following is to provoke discussion; this is an issue I would like to
see fixed, and I have the time to work on it at present.

Attached is a C program that has 2 output formats depending on a global
flag (you can change the flag by incrementing argc). I use it to
demonstrate 2 options, but if one were picked, it could be used to
preserve backwards compatibility via a proc file. The binary format and
API are inspired by both an email by Paul Moore:
https://www.redhat.com/archives/linux-audit/2008-January/msg00087.html
extprot, a self-describing binary encoding:
http://eigenclass.org/R2/writings/extprot-extensible-protocols-intro
and some SSH buffer management code I wrote. Oh, and it should look
suspiciously similar to some current audit code.

The text output is basically what John Dennis was looking for, I think,
although I don't quote numbers or do any radix prefixing right now.

Anyway. Comments? Anything I should change? Is this worth pursuing at
all (does something like this have any hope of being integrated)?

$ gcc testformat.c
$ ./a.out
(binary display via xxd)
$ ./a.out q
(text output)

One last thing: as you can see, the 3rd key/value pair msg='...' has
key/value pairs inside it, kind of like the current setup where audit
gets stuff from other code. It has a k/v user_said=\'...\'...\' with a
quote in the middle. Basically, I would also like to bring some sanity
to users of audit, even though that may be insanely difficult, as has
been mentioned. Perhaps only exposing the k/v interface to them.
Something. Anything.

Thanks,
Joshua Roys
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testformat.c
Type: text/x-csrc
Size: 6478 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20090409/e1157da6/attachment.bin>
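Added example, not the attached testformat.c and not audit library code: a C encoder for the format John Dennis proposes (value in double quotes with C99 escapes) and a decoder that applies his parsing rule, first look for a quote, otherwise fall back to the legacy logic. The legacy path still needs the caller to say whether the field is on the hard-coded string list (the legacy_is_string flag), which is exactly the ambiguity the quoting removes; function names, the \xhh choice for non-printable bytes, and the sample values are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Encode a value the proposed way: double quotes plus C99 escapes (\" \\ \n, and
 * \xhh for other non-printable bytes). Returns bytes written, or -1 if out is too small. */
int audit_encode_c99(const char *in, char *out, size_t outlen)
{
	size_t o = 0;
	if (outlen < 3) return -1;
	out[o++] = '"';
	for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
		char esc[8];
		if (*p == '"' || *p == '\\' || *p == '\n')
			snprintf(esc, sizeof esc, "\\%c", *p == '\n' ? 'n' : *p);
		else snprintf(esc, sizeof esc, isprint(*p) ? "%c" : "\\x%02x", *p);
		size_t n = strlen(esc);
		if (o + n + 2 > outlen) return -1;   /* keep room for closing quote and NUL */
		memcpy(out + o, esc, n);
		o += n;
	}
	out[o++] = '"'; out[o] = '\0';
	return (int)o;
}

/* Decode one field value. A leading quote selects the new format; anything else takes
 * the legacy path, which hex-decodes only if the field is on the hard-coded string list. */
int audit_decode_value(const char *v, int legacy_is_string, char *out, size_t outlen)
{
	size_t o = 0, n = strlen(v); unsigned x;
	if (v[0] != '"') {                                   /* legacy path */
		if (!legacy_is_string) { if (n >= outlen) return -1; strcpy(out, v); return (int)n; }
		if (n % 2 || n / 2 >= outlen) return -1;         /* string field: hex pairs */
		for (size_t i = 0; i < n; i += 2, o++) {
			if (!isxdigit((unsigned char)v[i]) || !isxdigit((unsigned char)v[i + 1])) return -1;
			sscanf(v + i, "%2x", &x); out[o] = (char)x;
		}
	} else for (const char *p = v + 1; *p != '"'; p++) {   /* quoted: C99-unescape */
		if (*p == '\0' || o + 1 >= outlen) return -1;     /* unterminated or no room */
		if (*p != '\\') { out[o++] = *p; continue; }
		if (*++p == 'n') out[o++] = '\n';
		else if (*p == '"' || *p == '\\') out[o++] = *p;
		else if (*p == 'x' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
			sscanf(p + 1, "%2x", &x); out[o++] = (char)x; p += 2;
		} else return -1;                                /* unknown or truncated escape */
	}
	out[o] = '\0';
	return (int)o;
}
```

The constructed value 4096 shows the legacy problem: decoded as a number it stays "4096", decoded as a known string field it becomes two bytes, and only the caller's list tells the two apart, whereas a quoted value carries that information itself.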