Linux-audit Archive on lore.kernel.org
* hexified path in cwd audit message if dir no longer exists
       [not found] <000301c78eae$ef9128f0$656fa8c0@centrify.com>
@ 2007-05-05  0:47 ` paul moore
  2007-05-05 13:33   ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: paul moore @ 2007-05-05  0:47 UTC (permalink / raw)
  To: linux-audit



Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4

Occasionally I get a CWD audit message that has a hexified path in it.
Like this:

$1 = "audit(1178324383.479:1566):
cwd=2F70726F632F35373336202864656C6574656429\000
This is "/proc/5736"

The message is coming from a shell process whose current dir is /proc/5736
and 5736 exited. The cwd path contains junk after the "6" character, so
audit untrusted string has hexified it. I have not tried with real dirs.


Bug?


* Re: hexified path in cwd audit message if dir no longer exists
  2007-05-05  0:47 ` hexified path in cwd audit message if dir no longer exists paul moore
@ 2007-05-05 13:33   ` Steve Grubb
       [not found]     ` <000001c790c7$82439fb0$656fa8c0@centrify.com>
       [not found]     ` <000101c790cf$200dbdf0$656fa8c0@centrify.com>
  0 siblings, 2 replies; 5+ messages in thread
From: Steve Grubb @ 2007-05-05 13:33 UTC (permalink / raw)
  To: linux-audit

On Friday 04 May 2007 20:47:19 paul moore wrote:
> Occasionally I get a CWD audit message that has a hexified path in it.
> Like this
>
> $1 = "audit(1178324383.479:1566):
> cwd=2F70726F632F35373336202864656C6574656429\000
> This is "/proc/5736"

Could you tell me what you get when you pull this event's record out with 
ausearch -i ?

-Steve


* RE: hexified path in cwd audit message if dir no longer exists
       [not found]     ` <000001c790c7$82439fb0$656fa8c0@centrify.com>
@ 2007-05-07 16:48       ` paul moore
  0 siblings, 0 replies; 5+ messages in thread
From: paul moore @ 2007-05-07 16:48 UTC (permalink / raw)
  To: 'Steve Grubb', linux-audit

No, since I was not running auditd, it didn't get written in user space. But
the clip I show is directly from the audit buffer returned by
audit_get_reply (I poked the \0 onto the end of the buffer):

audit(1178324383.479:1566): cwd=2F70726F632F35373336202864656C6574656429\000
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Saturday, May 05, 2007 6:34 AM
To: linux-audit@redhat.com
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists

On Friday 04 May 2007 20:47:19 paul moore wrote:
> Occasionally I get a CWD audit message that has a hexified path in it.
> Like this
>
> $1 = "audit(1178324383.479:1566):
> cwd=2F70726F632F35373336202864656C6574656429\000
> This is "/proc/5736"

Could you tell me what you get when you pull this event's record out with
ausearch -i ?

-Steve


* RE: hexified path in cwd audit message if dir no longer exists
       [not found]     ` <000101c790cf$200dbdf0$656fa8c0@centrify.com>
@ 2007-05-07 17:42       ` paul moore
  2007-05-07 17:49         ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: paul moore @ 2007-05-07 17:42 UTC (permalink / raw)
  To: 'Steve Grubb', linux-audit

Aha, it actually says "xxxx (deleted)".
Which is OK I guess. But I would have thought that the untrusted string
routine would know that this is a string generated by the kernel audit
system and so not escape it.


-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Saturday, May 05, 2007 6:34 AM
To: linux-audit@redhat.com
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists

On Friday 04 May 2007 20:47:19 paul moore wrote:
> Occasionally I get a CWD audit message that has a hexified path in it.
> Like this
>
> $1 = "audit(1178324383.479:1566):
> cwd=2F70726F632F35373336202864656C6574656429\000
> This is "/proc/5736"

Could you tell me what you get when you pull this event's record out with
ausearch -i ?

-Steve


* Re: hexified path in cwd audit message if dir no longer exists
  2007-05-07 17:42       ` paul moore
@ 2007-05-07 17:49         ` Steve Grubb
  0 siblings, 0 replies; 5+ messages in thread
From: Steve Grubb @ 2007-05-07 17:49 UTC (permalink / raw)
  To: paul moore; +Cc: linux-audit

On Monday 07 May 2007 13:42, paul moore wrote:
> Aha - it actually says "xxxx (deleted)".

That's what I thought it would say.

> Which is OK I guess. But I would have thought that the untrusted string
> routine would know that this is a string generated by the kernel audit
> system and so not escape it.

Any space in a field value will cause parsing problems. That is the main
reason it's escaped.

-Steve

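The encoding the thread is about, as an added example that is not code from the thread, from the kernel, or from audit-userspace. It reproduces the rule the kernel applies to "untrusted" field values such as cwd= and name=: if any byte is outside printable ASCII (0x21..0x7e) or is a double quote, the whole value is logged as uppercase hex with no quotes, otherwise it is logged in double quotes. That is why "/proc/5736 (deleted)", with its space, comes out as 2F70...29 while a live "/proc/5736" would be quoted, and why an unescaped space would break the key=value parsing Steve mentions. The exact byte range and the quote rule are assumptions about the kernel's audit_string_contains_control_chars(); older kernels may differ slightly. The decoder does for one field what ausearch -i does for the record.

```c
/* Added example: kernel-style hex escaping of untrusted audit field
 * values, plus the decoder ausearch -i applies. Not from the thread,
 * the kernel, or audit-userspace. The 0x21..0x7e range and the '"'
 * rule are assumptions about audit_string_contains_control_chars(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if the kernel would hex-encode this value, 0 if it would
 * log it in double quotes. */
int audit_needs_hex(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Render a value the way the kernel logs it: "quoted" when it is clean,
 * otherwise a run of uppercase hex digits. Returns a malloc'd string. */
char *audit_encode_untrusted(const char *s, size_t len)
{
    static const char hexdig[] = "0123456789ABCDEF";
    char *out;
    if (!audit_needs_hex(s, len)) {
        out = malloc(len + 3);
        if (!out) return NULL;
        out[0] = '"';
        memcpy(out + 1, s, len);
        out[len + 1] = '"';
        out[len + 2] = '\0';
        return out;
    }
    out = malloc(2 * len + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        out[2 * i] = hexdig[c >> 4];
        out[2 * i + 1] = hexdig[c & 0x0f];
    }
    out[2 * len] = '\0';
    return out;
}

/* Decode one raw field value as ausearch -i would: strip the quotes from
 * a quoted value, decode an even-length run of hex digits, and leave
 * anything else unchanged. Returns a malloc'd NUL-terminated string
 * (an embedded 00 byte in the hex would truncate it on print). */
char *audit_decode_field(const char *v)
{
    size_t len = strlen(v);
    char *out;
    if (len >= 2 && v[0] == '"' && v[len - 1] == '"') {
        out = malloc(len - 1);
        if (!out) return NULL;
        memcpy(out, v + 1, len - 2);
        out[len - 2] = '\0';
        return out;
    }
    int all_hex = (len > 0 && len % 2 == 0);
    for (size_t i = 0; all_hex && i < len; i++)
        if (!isxdigit((unsigned char)v[i]))
            all_hex = 0;
    if (!all_hex) {
        out = malloc(len + 1);
        if (!out) return NULL;
        memcpy(out, v, len + 1);
        return out;
    }
    out = malloc(len / 2 + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < len; i += 2) {
        char byte[3] = { v[i], v[i + 1], '\0' };
        out[i / 2] = (char)strtoul(byte, NULL, 16);
    }
    out[len / 2] = '\0';
    return out;
}

int main(void)
{
    /* The cwd= value quoted in the thread, constructed here from it. */
    const char *raw = "2F70726F632F35373336202864656C6574656429";
    char *decoded = audit_decode_field(raw);
    printf("cwd=%s -> %s\n", raw, decoded);
    /* Round trip: the space in " (deleted)" forces hex, a live dir is quoted. */
    char *again = audit_encode_untrusted(decoded, strlen(decoded));
    char *live = audit_encode_untrusted("/proc/5736", strlen("/proc/5736"));
    printf("%s\n%s\n", again, live);
    free(decoded);
    free(again);
    free(live);
    return 0;
}
```

Running it shows the hex value decoding to "/proc/5736 (deleted)", re-encoding to the same hex string, and "/proc/5736" being logged as "\"/proc/5736\"". The practical point for anyone parsing raw audit records rather than ausearch output: a field value without quotes is either a number or hex-encoded bytes, and the bytes may contain anything, so treat the decoded result as untrusted input.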
