[PATCH] Fix acct quoting in audit_log_acct_message())
John Dennis
jdennis at redhat.com
Wed Mar 5 14:11:02 UTC 2008
John Dennis wrote:
> Eric Paris wrote:
>> it needs to stay an untrusted string, but its name, well yeah, that
>> doesn't tell us a whole lot, does it?
>
> It's the untrusted string code which is the primary culprit. If we fixed
> audit so that *all* strings written by audit are formatted by exactly
> one string formatting routine and that routine is sane then 99.99% of
> the problems would go away. That was the thrust of my original email and
> what I was most concerned about. Perhaps unfortunately the email
> included some optional suggestions which is what some folks latched onto
> obscuring the real issue.
I'm including a link to the original mail for reference.
https://www.redhat.com/archives/linux-audit/2008-January/msg00082.html
The primary problem is the inconsistent use of quotes around string
values with the result it's impossible to know if a string value should
have hexadecimal decoding performed on it. Currently the only way to
solve the problem is to have a table of every audit message and field
and to have such a table for every kernel version.
Of secondary concern is the fact hexadecimal encoded strings are not
human readable whereas more conventional string escapes preserve
readbility (to varying degrees).
--
John Dennis <jdennis at redhat.com>
More information about the Linux-audit
mailing list