Cooked audit log format
Tony Jones
tonyj at suse.de
Thu May 15 10:28:15 UTC 2008
On Mon, May 12, 2008 at 11:19:46AM -0400, Steve Grubb wrote:
> > Strings should be either always hex encoded, or always escaped
> > (preferably the latter).
>
> The issue that always dominates any thinking about the audit system is how to
> save diskspace. So, whenever a string has no naughty characters, we let it go
> as is. If the string contains something that will confuse the parser or do
> other bad things, we encode the string such that the parser cannot be
> confused. But we only do that on demand because the majority of strings are
> well-behaved.
Are you talking here about the escaping that is performed inside of auditd? If
so, IMO, this seriously needs to be reworked. The way it works (encoding the
entire string rather than just escapinng the offending characters) doesn't
make sense plus it's very inefficient in terms of implementation. I mentioned
this to you in private mail at the time of the buffer overflow advisory. I'm
happy to work on a patch but it's always possible I'm missing some design
subtlety ;-)
thanks!
Tony
More information about the Linux-audit
mailing list