get_field_str() and interpret_field() bug with multi-word fields

Stephen Smalley sds at tycho.nsa.gov
Fri Aug 15 14:15:50 UTC 2008


On Fri, 2008-08-15 at 15:58 +0200, Matteo Michelini wrote:
> I'm working on a binary format for the linux-audit system as part of a
> university research project.
> 
> The goal is having something similar to BSM trails.
> What do you think about it?

If your question is whether we would be ok with converting SELinux avc
messages and other SELinux audit messages to a binary format if the rest
of the audit system converted over to a binary format, then I think we'd
be fine with that as long as there was a system setting that preserved
the old text-based audit format for compatibility with existing
userland.  And obviously someone would have to do the work of converting
SELinux userland to either understand the new format or to always use
audit interfaces or utilities that internally convert the new binary
format to the old text-based format (e.g. audit2allow is typically fed
ausearch output, so as long as that remains text, audit2allow doesn't
have to care what the raw format is).

> 
> 2008/8/14, Stephen Smalley <sds at tycho.nsa.gov>:
> >
> > On Wed, 2008-08-13 at 13:25 -0300, Klaus Heinrich Kiwi wrote:
> >> On Wed, 2008-08-13 at 11:09 -0400, Eric Paris wrote:
> >> > HAHAHA, kernel output xml?  dream on   :)   I'm willing to do
> >> > wholesale
> >> > output changes, but something that heavy in kernel is impossible to
> >> > push.  I can just see Al cussing up a storm as he read that.
> >>
> >> That's exactly my point. There's no sense in discussing an 'ideal' format
> >> for audit stream coming out of the kernel, since it's well agreed
> >> (thankfully) that the kernel part should be as minimal as possible.
> >>
> >> I like Mathew's idea of having a binary format though. Maybe it's
> >> possible to carry the legacy format for some time while we have a more
> >> robust (and extensible) binary format in parallel? And then having a
> >> binary format version tag within each record?
> >>
> >> I know I know, at the time I have more questions than answers. I only
> >> wanted to express my feeling that there is indeed a problem with the
> >> current format.
> >>
> >> I know you and Steve tried before to talk with the SELinux guys trying
> >> to have a saner format for AVCs and stuff. Do you feel that's an
> >> impossible barrier to cross or maybe we try again and convince them that
> >> stricter formatting rules will bring more users for their audit data?
> >
> > If you want to ask the "SELinux guys", ask on the selinux at tycho.nsa.gov
> > list.  But in this case:  we've always been willing to take changes to
> > the AVC audit format; we have merely pointed out that it has to be done
> > in a way that provides full backward compatibility both in kernel and in
> > the userland, as we are not allowed to break existing userland with new
> > kernel and we'd like new userland to still work on old kernels.  Patches
> > that meet those standards are accepted.
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
> 
> 
-- 
Stephen Smalley
National Security Agency



