[PATCH] selinux: print leading 0x on ioctlcmd audits

Paul Moore pmoore at redhat.com
Fri Jul 15 19:02:51 UTC 2016


On Fri, Jul 15, 2016 at 2:54 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote:
>> Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
>> From: Paul Moore <paul at paul-moore.com>
>> To:   william.c.roberts at intel.com
>> CC:   selinux at tycho.nsa.gov, seandroid-list at tycho.nsa.gov, Stephen Smalley
>> <sds at tycho.nsa.gov>, Me, linux-audit at redhat.com Date: Yesterday 6:17 PM
>>
>> On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts at intel.com> wrote:
>> > From: William Roberts <william.c.roberts at intel.com>
>> >
>> > ioctlcmd is currently printing hex numbers, but there is no leading
>> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
>> > not evident.
>> >
>> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
>> > ioctlcmd=0x1234.
>> >
>> > Signed-off-by: William Roberts <william.c.roberts at intel.com>
>> > ---
>> > security/lsm_audit.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> NOTE: adding Steve Grubb and the audit mailing list to the CC line
>>
>> Like it or not, I believe the general standard/convention when it
>> comes to things like this is to leave off the "0x" prefix; the idea
>> being that it saves precious space in the audit logs and the value is
>> only ever going to be in hex anyway.
>
> We normally like the 0x prefix on anything that is hex so that strtoul can figure
> it out itself. And since AVCs should in theory be rare or occasional, log
> space is not a concern.
>
> That said, what is this ioctlcmd field name? Is this the ioctl number? As in
> syscall arg a1? If so, it should be hooked up to the interpretation for that.
>
> Also, we have a field dictionary with some basic info about each field used in
> audit events:
>
> http://people.redhat.com/sgrubb/audit/field-dictionary.txt

Correction, that file now lives at the link below, the file on Steve's
people page is deprecated.

https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv

> This is important so that people don't make up new ones that do the same
> thing. The ioctlcmd field name should be recorded. Are there more that need
> documenting?

Steve/William, one of you want to send a patch/PR for the field dictionary?

-- 
paul moore
security @ redhat
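The parsing point Steve raises above (a generic consumer can hand the field to strtoul with base 0 and let it detect the base, but only if the 0x prefix is there) as an added C example; this is not code from the thread or from the kernel patch, the AVC records are constructed samples, and parse_ioctlcmd is a hypothetical helper:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample AVC records (not taken from any real log).
 * avc_before is the pre-patch form without a 0x prefix, avc_after the
 * post-patch form, and avc_letters shows a hex cmd whose digits happen
 * to be letters, again without the prefix. */
static const char *avc_before =
    "type=AVC msg=audit(1468605771.123:42): avc: denied { ioctl } for "
    "pid=1234 comm=\"foo\" path=\"/dev/null\" dev=\"devtmpfs\" ino=6 "
    "ioctlcmd=1234 scontext=u:r:foo:s0 tcontext=u:object_r:null_device:s0 "
    "tclass=chr_file permissive=0";
static const char *avc_after =
    "type=AVC msg=audit(1468605771.123:43): avc: denied { ioctl } for "
    "pid=1234 comm=\"foo\" path=\"/dev/null\" dev=\"devtmpfs\" ino=6 "
    "ioctlcmd=0x1234 scontext=u:r:foo:s0 tcontext=u:object_r:null_device:s0 "
    "tclass=chr_file permissive=0";
static const char *avc_letters =
    "type=AVC msg=audit(1468605771.123:44): avc: denied { ioctl } for "
    "pid=1234 comm=\"foo\" ioctlcmd=abcd scontext=u:r:foo:s0 "
    "tcontext=u:object_r:null_device:s0 tclass=chr_file permissive=0";

/* Hypothetical helper: locate the ioctlcmd= field and parse it the way a
 * generic audit consumer would, strtoul() with base 0. Base 0 honours a
 * 0x prefix as hex and otherwise assumes decimal (or octal for a leading
 * 0). Returns 0 on success, -1 if the field is missing or unparseable. */
int parse_ioctlcmd(const char *record, unsigned long *cmd)
{
    const char *key = "ioctlcmd=";
    const char *p = strstr(record, key);
    char *end;

    if (!p)
        return -1;
    p += strlen(key);
    *cmd = strtoul(p, &end, 0);
    return end == p ? -1 : 0;   /* no digits consumed at all */
}

int main(void)
{
    unsigned long cmd;
    /* Without 0x, 1234 is read as decimal 1234, not the intended 0x1234. */
    if (parse_ioctlcmd(avc_before, &cmd) == 0)
        printf("before: ioctlcmd parsed as %lu (0x%lx)\n", cmd, cmd);
    /* With 0x, strtoul recovers the value the kernel actually printed. */
    if (parse_ioctlcmd(avc_after, &cmd) == 0)
        printf("after:  ioctlcmd parsed as %lu (0x%lx)\n", cmd, cmd);
    /* Unprefixed hex made of letters cannot be parsed with base 0 at all. */
    printf("letters: rc=%d\n", parse_ioctlcmd(avc_letters, &cmd));
    return 0;
}
```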
