From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [RFC][PATCH] collect security labels on user processes generating audit messages
From: "Timothy R. Chavez"
To: "Lamont R. Peterson"
Cc: Linux Audit Discussion, SELinux
In-Reply-To: <200602161203.31552.lrp@xmission.com>
References: <200602151122.37945.sgrubb@redhat.com> <43F36244.7040000@hp.com> <200602161203.31552.lrp@xmission.com>
Content-Type: text/plain
Date: Thu, 16 Feb 2006 14:44:48 -0600
Message-Id: <1140122688.29636.16.camel@localhost>
Mime-Version: 1.0
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Thu, 2006-02-16 at 12:03 -0700, Lamont R. Peterson wrote:
> On Wednesday 15 February 2006 10:17am, Linda Knippers wrote:
> > Steve Grubb wrote:
> > > This should be a separate thread since the topic is different.
> > >
> > > On Wednesday 15 February 2006 11:14, Linda Knippers wrote:
> > >> Amy submitted a patch a while back to eliminate the "name=" field
> > >> to avoid "name=(null)" from the audit records if there was no name
> > >> but I don't think the patch went anywhere.
> > >
> > > Right. I want all audit fields to have name=value. If we have %s in the
> > > message and pass NULL to it, snprintf is already going to put "(null)" so
> > > what's wrong with just using this precedent?
> >
> > The problem is that "(null)" is a valid file name.
> >
> > [ljk@cert-e2 ~]$ touch "(null)"
> > [ljk@cert-e2 ~]$ ls -l "(null)"
> > -rw-rw-r-- 1 ljk ljk 0 Feb 17 11:14 (null)
> >
> > When I look at audit records generated by those commands I see records
> > like this:
> >
> > type=SYSCALL msg=audit(1140192875.311:3789): arch=c000003e syscall=132
> > success=yes exit=0 a0=7fbffffc51 a1=0 a2=1b6 a3=0 items=1 pid=2116
> > auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501
> > fsgid=501 comm="touch" exe="/bin/touch"
> > type=CWD msg=audit(1140192875.311:3789): cwd="/home/ljk"
> > type=PATH msg=audit(1140192875.311:3789): name="(null)" flags=1
> > inode=6537222 dev=fd:01 mode=0100664 ouid=501 ogid=501 rdev=00:00
> >
> > How can I tell from the audit records that the file name was "(null)"
> > vs. having "(null)" manufactured by the audit system?
>
> How about:
>
> type=PATH msg=audit(1140192875.311:3789): name=NULL flags=1
>
> in cases where it truly is NULL? The double-quotes "" are used to quote
> file-names and without them, we have some kind of meta-value, instead.
>
> [snip]

The difference is too subtle. I imagine that will get confusing. What we use
to represent a NULL value isn't as important as how we distinguish it. For
instance, simply encoding the filename "NULL" will make the distinction between
'name=NULL' and name="NULL" (name="78857676") clearer. If we "strongly suggest"
the admin use ausearch to read the log, then we could let ausearch make the
distinction between quoted and unquoted NULLs clearer, rather than the kernel.

-tim

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
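As an added illustration (not code from this thread, from the kernel, or from ausearch), the classifier below shows what a log reader can and cannot recover from the name= field of a PATH record: a quoted "(null)" is indistinguishable from a real file of that name, while an unquoted meta-token or a hex-encoded name can be told apart by the reader. The three records are constructed for the example; the hex-encoding rule (unquoted, even-length hex) mirrors how the audit log represents untrusted strings but is stated here as an assumption.

```python
import re

# Constructed sample PATH records modelled on the thread (not real log data).
SAMPLE_RECORDS = [
    'type=PATH msg=audit(1140192875.311:3789): name="(null)" flags=1 inode=6537222 dev=fd:01',
    'type=PATH msg=audit(1140192875.311:3790): name=NULL flags=1 inode=6537223 dev=fd:01',
    'type=PATH msg=audit(1140192875.311:3791): name=4E554C4C flags=1 inode=6537224 dev=fd:01',
]

# key=value pairs; a value is either a double-quoted string (with escapes) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field name -> raw value text."""
    return dict(FIELD_RE.findall(line))


def decode_name(raw):
    """Classify the raw name= value the way a log reader must.

    Returns (kind, value):
      'quoted' - a literal file name, quotes stripped (this is where "(null)" hides)
      'hex'    - an unquoted even-length hex string, decoded to the original bytes
      'meta'   - any other unquoted token (e.g. NULL) emitted by the kernel itself
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return ('quoted', raw[1:-1])
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return ('hex', bytes.fromhex(raw))
    return ('meta', raw)


def is_ambiguous_null(kind, value):
    """True when the reader cannot tell a real file "(null)" from a kernel-manufactured one."""
    return kind == 'quoted' and value == '(null)'


def classify_records(lines):
    """Return (event id, kind, value, ambiguous) for every PATH record carrying a name field."""
    out = []
    for line in lines:
        fields = parse_record(line)
        if fields.get('type') != 'PATH' or 'name' not in fields:
            continue
        kind, value = decode_name(fields['name'])
        out.append((fields['msg'].rstrip(':'), kind, value, is_ambiguous_null(kind, value)))
    return out
```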