[PATCH] TaskTracker : Simplified thread information tracker.
Steve Grubb
sgrubb at redhat.com
Sat Sep 27 15:40:27 UTC 2014
Hello,
On Sun, 28 Sep 2014 00:13:14 +0900
Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp> wrote:
> Steve Grubb wrote:
> > On Sat, 27 Sep 2014 10:02:44 +0900
> > Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp> wrote:
> >
> > > May I continue proposing this functionality?
> >
> > From the audit perspective, sure. I think we were expecting a
> > revised patch after the comments. Other groups may have different
> > thoughts, though.
> >
> > -Steve
>
> OK, thank you. Before posting a revised patch, can I hear answers
> about specification questions listed below?
Sure.
> (Q1) Where can I find which bytes in $value need to be escaped when
> emitting a record like name='$value' ?
I have written a specification that describes how to write well formed
audit events to help with questions like this. You can find it here:
http://people.redhat.com/sgrubb/audit/audit-events.txt
If you know that a field is under user control, it must be escaped so
that they cannot try to trick the parser.
> Is 0x20 in $value permitted?
No. That is the separator between fields, so it cannot be allowed. What
we suggest is to use a dash or hyphen between if you are logging a
phrase that cannot be altered by the user. For example, you may have an
op field saying it deleted a rule. You would do it as op=rule-deleted.
However, we do not suggest that for user controlled fields. Just escape
it by calling audit_log_untrustedstring() if in the kernel. There are
examples in the page I mention above.
> (Q2) Does auxiliary record work with only type=SYSCALL case?
Auxiliary records compliment a syscall record by adding extra
information. PATH, IPC, CWD, and EXECVE are some examples. They get
emitted in audit_log_exit() if you wanted to look at them in more
detail.
HTH...
-Steve
More information about the Linux-audit
mailing list