ausearch results differ with "-i" flag

Steve Grubb sgrubb at redhat.com
Wed Mar 17 18:57:08 UTC 2010


On Wednesday 17 March 2010 02:49:38 pm John Dennis wrote:
> > comm's value should be in double-quotes unless it has special characters
> > and then it should be hex encoded. The reason being is comm could have
> > white space in its name.
> 
> Why would white space inside a quoted string cause it to be hex encoded?

Because someone could start a log injection attack. Comm is controlled by the 
user, who is untrusted. Although they are limited to 15 characters, it might 
be enough to throw parsing off.

 
> Maybe my memory is fuzzy and I haven't been carefully tracking the audit 
> changes lately. String values never used to be quoted, right?

When they are controlled by users, yes.


> When did quotes get added?

Back around 2005.


> Did we add quotes around strings but preserve the hex encoding for strings?

If the string starts with ", then it's safe to parse as is. If not, it is 
assumed to be hex-encoded.


> What happened to the position that changing audit output from the kernel was
> verboten?

This particular avc originates from user space. The application needs to 
follow the rules correctly so it doesn't mess up the logs.

-Steve
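The encoding rule Steve states above (a value starting with a double quote is parsed as-is, anything else is assumed to be hex-encoded) is small enough to show end to end. The following is an added example, not code from the audit project or from either poster: it implements an encoder and decoder for a single field value, a key=value record formatter and parser around them, and a deliberately naive whitespace-splitting parser to show how an unencoded comm containing a space would be misread. The predicate deciding when to hex-encode (any byte outside printable ASCII 0x21-0x7e, or a double quote) is an assumption chosen to match the reasoning in the mail, and all sample values are constructed.

```python
"""Added example (not the audit project's code): encode and decode audit
field values following the rule from the mail: a value that starts with a
double quote is literal, anything else is assumed to be hex-encoded."""

import re


def needs_hex_encoding(value: bytes) -> bool:
    """Assumed predicate: hex-encode if any byte is outside printable ASCII
    (0x21..0x7e) or is a double quote, since whitespace or quotes inside a
    value could confuse a parser that splits records on spaces."""
    return any(b < 0x21 or b > 0x7E or b == ord('"') for b in value)


def encode_field(value: bytes) -> str:
    """Render an untrusted string the way an audit record would carry it."""
    if needs_hex_encoding(value):
        return value.hex().upper()      # no quotes at all for hex values
    return '"' + value.decode("ascii") + '"'


def decode_field(text: str) -> bytes:
    """Reverse encode_field: leading quote means literal, otherwise hex."""
    if text.startswith('"'):
        if len(text) < 2 or not text.endswith('"'):
            raise ValueError(f"unterminated quoted value: {text!r}")
        return text[1:-1].encode("ascii")
    try:
        return bytes.fromhex(text)
    except ValueError as exc:
        raise ValueError(f"value is neither quoted nor valid hex: {text!r}") from exc


def format_record(fields: dict) -> str:
    """Join key=value pairs into one record line using the encoder above."""
    return " ".join(f"{k}={encode_field(v)}" for k, v in fields.items())


def quote_only_record(fields: dict) -> str:
    """Constructed 'wrong' formatter: always quotes, never hex-encodes."""
    return " ".join(f'{k}="{v.decode("latin-1")}"' for k, v in fields.items())


# A value is either a quoted run (which may contain spaces) or a non-space run.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Parser that understands both encodings and returns raw bytes."""
    return {k: decode_field(v) for k, v in FIELD_RE.findall(line)}


def naive_parse_record(line: str) -> dict:
    """Parser that only splits on whitespace and does no decoding, to show
    what happens to a quoted comm that contains a space."""
    out = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


if __name__ == "__main__":
    # Constructed sample: a 7-character comm with an embedded space.
    sample = {"comm": b"my prog", "exe": b"/usr/bin/prog"}
    print(format_record(sample))        # comm=6D792070726F67 exe="/usr/bin/prog"
    print(parse_record(format_record(sample)))
    print(naive_parse_record(quote_only_record(sample)))
```

With hex encoding the record never contains a space inside a value, so even the naive whitespace splitter recovers the right field boundaries; with quote-only encoding the same naive parser yields `comm` equal to `"my` and loses the rest of the name.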



