Re: [PATCH] Fix acct quoting in audit_log_acct_message())

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Miloslav Trmac <mitr@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH] Fix acct quoting in audit_log_acct_message())
Date: Wed, 05 Mar 2008 14:55:12 +0100	[thread overview]
Message-ID: <47CEA640.7090903@redhat.com> (raw)

Tomas Mraz napsal(a):
> This proposal is just for starting the discussion.
> 
> 1. Messages contain <name>=<value> pairs separated by spaces.
> 2. All <names> are just alphanumeric sequences.
> 3. Values can be either:
>  a) byte sequences with the following special characters encoded as %XX
> where XX is hexadecimal value of the encoded byte. Special characters
> are: bytes with value <= 0x20 or >= 0x7F, '%', '(', ')', and '='.
Perhaps we should reserve more characters for future features - at least
'"', '\'' and '\\', maybe everything but [a-zA-Z0-9_-].

 From the previous thread - the currently used hexadecimal format is
good for non-ASCII data (2 characters per byte instead of 3 bytes);  It
probably won't be better for most messages - perhaps it should be left
as a third alternative, e.g. \xaa55abcdef.

One more proposal:
4. If a value is undefined, the name=value pair is not present.  Special
    values ("?", "(null)", "") are never used to represent unknown
    field values.

>  b) recursively embedded messages enclosed in '(' and ')' parentheses.

> type=USER_START msg=audit(1204632061.112:32361): user pid=10902 uid=0
> auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct=root exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'
> 
> becomes:
> 
> type=USER_START msg=(audit=1204632061.112:3236 src=user pid=10902 uid=0
> auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg=(op=PAM:session_open acct=root exe=/usr/sbin/crond hostname=? addr=?
> terminal=cron res=success))
[Should there be only one trailing )? ]  Using "msg" for both the kernel
and user-space part is ambiguous - perhaps "kmsg"/"umsg" or just
"k"/"u"?  Or, preferably, don't nest the kernel fields at all - the
nesting carries no information.

> type=AVC msg=audit(1204601533.621:32307): avc:  denied  { read write }
> for  pid=9822 comm="tmpwatch" path="socket:[14038]" dev=sockfs ino=14038
> scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket
> 
> becomes:
> 
> type=AVC msg=(audit=1204601533.621:32307 src=avc kind=denied
> acts=read:write pid=9822 comm=tmpwatch path=socket:[14038] dev=sockfs
> ino=14038 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket)
(auparse already defines names for some of the fields, the names should
be reused.)
	Mirek

next             reply	other threads:[~2008-03-05 13:55 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-05 13:55 Miloslav Trmac [this message]
2008-03-05 14:11 ` [PATCH] Fix acct quoting in audit_log_acct_message()) Tomas Mraz
2008-03-05 15:04   ` John Dennis
2008-03-05 15:21     ` Tomas Mraz
2008-03-05 15:29       ` Steve Grubb
  -- strict thread matches above, loose matches on Subject: below --
2008-03-04  3:50 Miloslav Trmac
2008-03-04 15:07 ` John Dennis
2008-03-04 18:10   ` Tomas Mraz
2008-03-04 18:29     ` John Dennis
2008-03-04 19:05       ` Eric Paris
2008-03-05  4:02         ` Valdis.Kletnieks
2008-03-05 13:15           ` Eric Paris
2008-03-04 18:56     ` Steve Grubb
2008-03-04 19:08       ` Miloslav Trmac
2008-03-04 19:28         ` Steve Grubb
2008-03-04 19:15       ` Eric Paris
2008-03-04 20:41         ` John Dennis
2008-03-04 20:29       ` John Dennis
2008-03-04 20:36         ` Tomas Mraz
2008-03-04 20:57           ` John Dennis
2008-03-04 20:43         ` Eric Paris
2008-03-04 20:52           ` Steve Grubb
2008-03-04 21:21           ` John Dennis
2008-03-04 21:38             ` Steve Grubb
2008-03-04 21:55               ` Eric Paris
2008-03-04 22:03                 ` Eric Paris
2008-03-04 22:18                   ` Steve Grubb
2008-03-04 22:32                   ` John Dennis
2008-03-05 14:11                     ` John Dennis
2008-03-04 22:14                 ` Steve Grubb
2008-03-04 22:21                   ` Eric Paris
2008-03-04 23:00                     ` Steve Grubb
2008-03-09 18:36 ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47CEA640.7090903@redhat.com \
    --to=mitr@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.