[patch] Syscall auditing - move "name=" field to the end
Klaus Weidner
klaus at atsec.com
Thu Mar 17 19:45:41 UTC 2005
On Thu, Mar 17, 2005 at 10:30:24AM -0800, Chris Wright wrote:
> We need to do something; as it is, the data can't be trusted. It's a way
> for a user to possibly inject false audit messages. And most characters
> are valid in pathnames.

We had this discussion a couple of weeks ago when we were talking about a
parseable format for audit records, but I think we didn't reach a
consensus back then.

I had proposed back then to use backslash escaping for newline, tab,
single quotes, and backslashes, and octal escapes for control characters
- that's fairly unobtrusive for normal filenames. You could add quotes to
the list of escaped characters if the strings are printed as quoted
strings.

-Klaus
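
#include <stdio.h>

/* Write txt to out with newline, tab, single quote and backslash
 * backslash-escaped, and other control characters as octal escapes. */
void
print_escaped_string(FILE *out, const char *txt)
{
    for (; *txt; ++txt) {
        /* Go through unsigned char: where plain char is signed, bytes
         * >= 0x80 would compare below 32 and print as a long octal run. */
        unsigned char c = (unsigned char)*txt;

        switch (c) {
        case '\n':
            putc('\\', out);
            putc('n', out);
            break;
        case '\t':
            putc('\\', out);
            putc('t', out);
            break;
        case '\'':
        case '\\':
            putc('\\', out);
            putc(c, out);
            break;
        default:
            if (c < 32) {
                /* Control character: three-digit octal escape. */
                fprintf(out, "\\%03o", (unsigned int)c);
            } else {
                putc(c, out);
            }
        }
    }
}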
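
Added example, not part of the original message or of the audit code: the same escaping scheme written into a buffer, together with the inverse a log parser would apply, so that a name containing a newline can be checked to stay on one line and to decode back to the original bytes. The function names, SAMPLE_NAME and its contents are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: a file name carrying a newline and a fake second record. */
const char SAMPLE_NAME[] = "a.txt\nFORGED RECORD name='b'\001";

/* Escape src into dst (\n \t \' \\ and \ooo for bytes below 32); -1 if dst is too small. */
int escape_field(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src; ++src) {
        unsigned char c = (unsigned char)*src;  /* bytes >= 0x80 pass through */
        char tmp[8];
        if (c == '\n' || c == '\t') snprintf(tmp, sizeof tmp, "\\%c", c == '\n' ? 'n' : 't');
        else if (c == '\'' || c == '\\') snprintf(tmp, sizeof tmp, "\\%c", c);
        else if (c < 32) snprintf(tmp, sizeof tmp, "\\%03o", (unsigned)c);
        else snprintf(tmp, sizeof tmp, "%c", c);
        size_t len = strlen(tmp);
        if (n + len + 1 > cap) return -1;
        memcpy(dst + n, tmp, len);
        n += len;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Inverse, as a log parser would apply it; -1 on a malformed escape or full buffer. */
int unescape_field(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    while (*src) {
        unsigned char c = (unsigned char)*src++;
        if (c == '\\') {
            if (src[0] == 'n') { c = '\n'; src += 1; }
            else if (src[0] == 't') { c = '\t'; src += 1; }
            else if (src[0] == '\'' || src[0] == '\\') { c = (unsigned char)src[0]; src += 1; }
            else if (src[0] >= '0' && src[0] <= '3' && src[1] >= '0' && src[1] <= '7'
                     && src[2] >= '0' && src[2] <= '7') {
                c = (unsigned char)((src[0] - '0') * 64 + (src[1] - '0') * 8 + (src[2] - '0'));
                src += 3;
            } else return -1;  /* unknown or truncated escape: reject the record */
        }
        if (n + 2 > cap) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}
```

A parser that rejects malformed escapes, as unescape_field does, keeps a truncated or hand-edited record from being read as a different name.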