Cooked audit log format

John Dennis jdennis at redhat.com
Thu May 15 15:59:33 UTC 2008 

Steve Grubb wrote:
> On Thursday 15 May 2008 06:28:15 Tony Jones wrote:
>> On Mon, May 12, 2008 at 11:19:46AM -0400, Steve Grubb wrote:
>>>> Strings should be either always hex encoded, or always escaped
>>>> (preferably the latter).
>>> The issue that always dominates any thinking about the audit system is
>>> how to save diskspace. So, whenever a string has no naughty characters,
>>> we let it go as is. If the string contains something that will confuse
>>> the parser or do other bad things, we encode the string such that the
>>> parser cannot be confused. But we only do that on demand because the
>>> majority of strings are well-behaved.
>> Are you talking here about the escaping that is performed inside of auditd?
>> If so, IMO, this seriously needs to be reworked. The way it works (encoding
>> the entire string rather than just escapinng the offending characters)
>> doesn't make sense plus it's very inefficient in terms of implementation. I
>> mentioned this to you in private mail at the time of the buffer overflow
>> advisory. I'm happy to work on a patch but it's always possible I'm missing
>> some design subtlety ;-)
> 
> Before sending a patch, it has to be backwards compatible. IOW, there is no 
> guarantee that someone will update user space tools and run an old kernel or 
> use a new kernel with old tools. There's no way to enforce this and people 
> will expect their tools to work.
> 
> Also note that the hex string encoding is used to encode some data structures, 
> so you would need to be judicious in which fields use whatever encoding.
> 
> About the scheduling of such a patch, I wouldn't want to merge the patch until 
> the remote logging is complete.  (Its the last scheduled feature of the 
> current development series.) After that point, I think we are at the 
> branching point for big changes again.

String encoding is broken. Preserving backward compatibility with an 
unusable format does not make much sense. The sooner it gets fixed the 
better and the less the overall pain will be.

It's broken, it's needs to be fixed, end of story.

-- 
John Dennis <jdennis at redhat.com>

More information about the Linux-audit mailing list