[PATCH] selinux: print leading 0x on ioctlcmd audits

William Roberts bill.c.roberts at gmail.com
Thu Jul 14 23:33:31 UTC 2016


On Thu, Jul 14, 2016 at 4:18 PM, William Roberts <bill.c.roberts at gmail.com>
wrote:

>
>
> On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore <paul at paul-moore.com> wrote:
>
>> On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts at intel.com> wrote:
>> > From: William Roberts <william.c.roberts at intel.com>
>> >
>> > ioctlcmd is currently printing hex numbers, but there is no leading
>> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
>> > not evident.
>> >
>> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
>> ioctlcmd=0x1234.
>> >
>> > Signed-off-by: William Roberts <william.c.roberts at intel.com>
>> > ---
>> >  security/lsm_audit.c | 2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> NOTE: adding Steve Grubb and the audit mailing list to the CC line
>>
>> Like it or not, I believe the general standard/convention when it
>> comes to things like this is to leave off the "0x" prefix; the idea
>> being that it saves precious space in the audit logs and the value is
>> only ever going to be in hex anyway.
>>
>
> Is it always in hex, what about pid?
>

Outside of escaped untrusted input, everything I see is printed in base 10.
But if it's convention that "you should just know", I am fine
with that too, it's just that it wasn't self-evident in the logs, and the
first time I encountered it there was no documentation or tooling
supporting it.


>
>>
>> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
>> > index cccbf30..82e4dbb 100644
>> > --- a/security/lsm_audit.c
>> > +++ b/security/lsm_audit.c
>> > @@ -257,7 +257,7 @@ static void dump_common_audit_data(struct
>> audit_buffer *ab,
>> >                         audit_log_format(ab, " ino=%lu", inode->i_ino);
>> >                 }
>> >
>> > -               audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
>> > +               audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
>> >                 break;
>> >         }
>> >         case LSM_AUDIT_DATA_DENTRY: {
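
Review bot: the new format string on the + line changes the text of an existing audit field, so anything that already reads ioctlcmd= as bare hex will now receive a 0x-prefixed token, and the commit message does not say whether userspace consumers of these records were checked. The ino field in the context line above is printed with %lu and no base marker, so the record mixes decimal and hex fields either way; if the prefix is not accepted, documenting that ioctlcmd is hex would address the ambiguity the commit message describes without changing the record format. The h length modifier is also carried over unchanged, so it is worth confirming against the declaration of cmd (not visible in this hunk) that no bits are dropped by printing it as a short.
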
>> > --
>> > 1.9.1
>> >
>> > _______________________________________________
>> > Selinux mailing list
>> > Selinux at tycho.nsa.gov
>> > To unsubscribe, send email to Selinux-leave at tycho.nsa.gov.
>> > To get help, send an email containing "help" to
>> Selinux-request at tycho.nsa.gov.
>>
>> --
>> paul moore
>> www.paul-moore.com
>>
>
>
>
> --
> Respectfully,
>
> William C Roberts
>
>


-- 
Respectfully,

William C Roberts