[patch] Syscall auditing - move "name=" field to the end
Mounir Bsaibes
bsaibes at us.ibm.com
Thu Mar 17 19:59:47 UTC 2005
Steve & Debora where cooperating on audit library functions to
handle this issue: text formatting, string escape and so on.
Can this work be resurrected? Now that Debora can contribute the code.
Mounir Bsaibes
Linux Security
Tel: (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes at us.ibm.com
linux-audit-bounces at redhat.com wrote on 03/17/2005 11:57:03 AM:
> * David Woodhouse (dwmw2 at infradead.org) wrote:
> > On Wed, 2005-03-16 at 14:41 -0800, Chris Wright wrote:
> > > * Ondrej Zary (linux at rainbow-software.org) wrote:
> > > > This patch moves the "name=" field to the end of audit records.
The
> > > > original placement is bad because it cannot be properly parsed. It
is
> > > > impossible to tell if the name is "/bin/true" or "/bin/true
> inode=469634
> > > > dev=00:00" because the "inode=" and "dev=" fields can be omitted.
> >
> > Consider:
> >
> > open("/bin/true\naudit(1111008484.824:89346): ...", O_RDONLY);
> >
> > I don't think this patch is enough -- either we need to escape the
text
> > completely or just dump it as hex instead of a string. One option
would
> > be to dump it in quotes as a string if all chars in the string are in
> > the range 0x20-0x7e, and as hex otherwise. That slightly complicates
the
> > parsing, but not by much, and still gives you plain text in the
majority
> > of cases while protecting against abuse.
>
> Yes good point. I don't have a strong preference. Steve, are you
> working on processing log data, do you have a preference?
>
> thanks,
> -chris
> --
> Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list