[patch] Syscall auditing - move "name=" field to the end
Timothy R. Chavez
tinytim at us.ibm.com
Thu Mar 17 18:34:59 UTC 2005
On Thursday 17 March 2005 12:30 pm, Chris Wright wrote:
> * Kris Wilson (krisw at us.ibm.com) wrote:
> > > I don't think this patch is enough -- either we need to escape the text
> > > completely or just dump it as hex instead of a string. One option would
> > > be to dump it in quotes as a string if all chars in the string are in
> > > the range 0x20-0x7e, and as hex otherwise. That slightly complicates
> > > the parsing, but not by much, and still gives you plain text in the
> > > majority of cases while protecting against abuse.
> >
> > Dumping in hex instead of string would have a testing impact. Using a
> > string in quotes would be a smaller hit, but there still would be
> > additional impact to test the "hex otherwise" case.
>
> We need to do something; as it is, the data can't be trusted. It's a way
> for a user to possibly inject false audit messages. And most characters
> are valid in pathnames.
>
> thanks,
> -chris
Let's rewrite Linux. J/K. But all jokes aside, can't we just log out the
length of the name= field with the rest of the record, i.e.: name_len=7
name=linux\n\0?
-tim
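
The quote-or-hex encoding proposed in the quoted text, as an added example that is not part of the original message or the kernel patch under discussion: the name is emitted in quotes only when every byte is in 0x20-0x7e, and as hex otherwise. The function names and the extra exclusion of the double-quote character are assumptions made here, the latter so that a name cannot close the quoted form early.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if every byte is in 0x20-0x7e (the range named in the thread).
 * Rejecting '"' as well is an assumption added for this example. */
static int name_is_plain(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] < 0x20 || s[i] > 0x7e || s[i] == '"')
            return 0;
    return 1;
}

/* Writes name="..." or name=<HEX> into out (NUL-terminated).
 * Returns the number of characters written, or -1 if out is too small. */
int format_name_field(const unsigned char *s, size_t len, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    int plain = name_is_plain(s, len);
    size_t need = 5 + (plain ? len + 2 : 2 * len) + 1;
    char *p = out;

    if (need > cap)
        return -1;
    memcpy(p, "name=", 5);
    p += 5;
    if (plain) {
        *p++ = '"';
        memcpy(p, s, len);
        p += len;
        *p++ = '"';
    } else {
        for (size_t i = 0; i < len; i++) {
            *p++ = hex[s[i] >> 4];
            *p++ = hex[s[i] & 0x0f];
        }
    }
    *p = '\0';
    return (int)(p - out);
}

int main(void)
{
    /* Constructed sample: a pathname carrying a newline and a forged field. */
    const char forged[] = "x\ntype=SYSCALL name=/etc/shadow";
    char buf[128];

    if (format_name_field((const unsigned char *)forged, strlen(forged), buf, sizeof buf) > 0)
        puts(buf); /* one line of hex; the embedded newline never reaches the log */
    return 0;
}
```

A parser tells the two forms apart by the first character after `name=`: a double quote means literal text, anything else is hex to decode.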