ausearch results differ with "-i" flag

John Dennis jdennis at redhat.com
Wed Mar 17 18:49:38 UTC 2010


On 03/17/2010 01:03 PM, Steve Grubb wrote:
> On Tuesday 16 March 2010 06:18:26 pm LC Bruzenak wrote:
>> I am doing an ausearch and noticed that with the "-i" flag the "comm="
>> field appears to lose the data.
>> The bad thing is that this appears inside the "msg=" string, and I feel
>> that it shouldn't be interpreting those values anyway.
>>
>> I saw that the audit-viewer does parse out the "comm=" field correctly
>> when I look at the same event.
>>
>> First the event without the "-i" flag:
>> ----
>> time->Tue Mar 16 21:53:50 2010
>> node=jcdx type=USER_AVC msg=audit(1268776430.236:6808): user pid=2835
>> uid=0 auid=4294967295 ses=4294967295
>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>> { write } for request=X11:PolyRectangle comm=MLTracks resid=5d
>> restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511
>> tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023
>> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
>> terminal=?)'
>> ----
>
> comm's value should be in double-quotes unless it has special characters and
> then it should be hex encoded. The reason is that comm could have white
> space in its name.


Why would white space inside a quoted string cause it to be hex encoded?

Maybe my memory is fuzzy and I haven't been carefully tracking the audit 
changes lately. String values never used to be quoted, right? When did 
quotes get added? Did we add quotes around strings but preserve the hex 
encoding for strings? That would mean even though strings are marked as 
strings by virtue of being quoted you still need a hard coded list of 
what fields are strings so you can test for unadorned hex encoding if 
the quote is absent. If quotes were added then the unadorned hex 
encoding format could have been dropped because standard string escapes could 
have been used inside a quoted string. What happened to the position 
that changing audit output from the kernel was verboten?


-- 
John Dennis <jdennis at redhat.com>
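An added example, not part of this thread and not the audit user-space code: a small Python parser that applies the encoding rule Steve describes (a string value is double-quoted when it is plain printable text and hex-encoded when it contains white space or other special characters) and that illustrates John's point that a decoder still needs a list of which fields are strings, because a bare token such as resid=5d is valid hex but is not a string. The STRING_FIELDS set, the printable-ASCII test and the SYSCALL record are assumptions made for this example; the USER_AVC record is the one LC posted, joined onto one line.

```python
import re

# Fields whose values are free-form strings and may therefore arrive either
# double-quoted or hex-encoded. This list is an assumption for the example;
# a bare token on its own does not say whether it is hex or an ordinary value,
# so the decoder only hex-decodes fields named here.
STRING_FIELDS = {"comm", "exe", "name", "cwd", "proctitle", "key", "acct", "hostname"}

_HEX_RE = re.compile(r"[0-9A-Fa-f]+")
# Record header: msg=audit(<epoch seconds>.<millis>:<serial>):
_HEADER_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):\s*")
# One key=value pair: a single-quoted nested payload, a double-quoted string,
# or a bare token that ends at white space, a comma or a closing parenthesis.
_FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^\s,)]+)")


def needs_hex_encoding(value: str) -> bool:
    """Rule from the thread (assumed exact here): plain printable text is quoted;
    white space, control characters, non-ASCII or a double quote force hex."""
    return any(ord(c) < 0x21 or ord(c) > 0x7E or c == '"' for c in value)


def encode_audit_string(value: str) -> str:
    """Render a string value the way the thread says the kernel does."""
    if needs_hex_encoding(value):
        return value.encode("utf-8").hex().upper()
    return f'"{value}"'


def decode_audit_value(field: str, raw: str) -> str:
    """Undo the encoding for one field value. Only fields known to be strings
    are hex-decoded: resid=5d is a resource id, and decoding it blindly would
    turn it into ']'. An unquoted, non-hex comm is passed through untouched
    rather than being dropped."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if field in STRING_FIELDS and len(raw) % 2 == 0 and _HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_audit_record(line: str) -> dict:
    """Split one audit record into a dict. The msg=audit(...) header becomes
    'timestamp' and 'serial'; a msg='...' payload is parsed recursively."""
    record = {}
    m = _HEADER_RE.search(line)
    if m:
        record["timestamp"], record["serial"] = m.group(1), int(m.group(2))
        line = line[: m.start()] + line[m.end():]
    for field, raw in _FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == "'":
            record[field] = parse_audit_record(raw[1:-1])
        else:
            record[field] = decode_audit_value(field, raw)
    return record


# The USER_AVC record quoted earlier in the thread, joined onto one line.
USER_AVC_LINE = (
    "node=jcdx type=USER_AVC msg=audit(1268776430.236:6808): user pid=2835 "
    "uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied "
    "{ write } for request=X11:PolyRectangle comm=MLTracks resid=5d "
    "restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511 "
    "tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 "
    "tclass=x_drawable : exe=\"/usr/bin/Xorg\" (sauid=0, hostname=?, addr=?, "
    "terminal=?)'"
)

# A constructed record (not from the thread) whose comm and exe contain a
# space and therefore arrive hex-encoded, as the thread's rule predicts.
SYSCALL_LINE = (
    "type=SYSCALL msg=audit(1268776430.236:6809): arch=c000003e syscall=59 "
    "success=yes exit=0 pid=2900 auid=1000 "
    f"comm={encode_audit_string('my prog')} "
    f"exe={encode_audit_string('/usr/local/bin/my prog')} key=\"exec-watch\""
)


if __name__ == "__main__":
    for line in (USER_AVC_LINE, SYSCALL_LINE):
        rec = parse_audit_record(line)
        inner = rec.get("msg", rec)  # USER_AVC keeps comm/exe in the nested payload
        print(rec["type"], rec["serial"], "comm=%r exe=%r" % (inner.get("comm"), inner.get("exe")))
```

Running the script shows comm=MLTracks surviving the USER_AVC parse because it is neither quoted nor hex and is therefore left alone, while the hex-encoded comm in the constructed SYSCALL record decodes back to "my prog". arch=c000003e is also even-length hex, which is exactly why the field list matters: without it the parser would mangle a value that was never a string.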
