public inbox for linux-audit@redhat.com
From: Tomas Mraz <tmraz@redhat.com>
To: John Dennis <jdennis@redhat.com>, linux-audit@redhat.com
Cc: Simo Sorce <ssorce@redhat.com>
Subject: Re: [PATCH] Fix acct quoting in audit_log_acct_message())
Date: Tue, 04 Mar 2008 19:10:48 +0100
Message-ID: <1204654248.12783.32.camel@vespa.frost.loc>
In-Reply-To: <47CD65A3.8020204@redhat.com>

On Tue, 2008-03-04 at 10:07 -0500, John Dennis wrote:
> Miloslav Trmac wrote:
> > Hello,
> > audit_log_acct_message() is currently quoting acct differently from all 
> > other users: it adds quotes to acct if it is represented in hexadecimal, 
> > not when it is represented as-is.
> 
> This isn't the only audit hexadecimal parsing issue, there are many 
> more, see my previous posts. It is a sad fact audit output is impossible 
> to parse correctly given only the output. Correct parsing of audit data 
> demands private knowledge about the format of audit log messages on a 
> per kernel version basis, this is very broken IMHO.

Following up on the discussion we had on IRC about making the audit
messages easily parsable.

This proposal is just for starting the discussion.

1. Messages contain <name>=<value> pairs separated by spaces.
2. All <names> are just alphanumeric sequences.
3. Values can be either:
   a) byte sequences with the following special characters encoded as %XX,
      where XX is the hexadecimal value of the encoded byte. Special characters
      are: bytes with value <= 0x20 or >= 0x7F, '%', '(', ')', and '='.
   b) recursively embedded messages enclosed in '(' and ')' parentheses.

type=USER_START msg=audit(1204632061.112:32361): user pid=10902 uid=0
auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_open acct=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'

becomes:

type=USER_START msg=(audit=1204632061.112:3236 src=user pid=10902 uid=0
auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg=(op=PAM:session_open acct=root exe=/usr/sbin/crond hostname=? addr=?
terminal=cron res=success))

type=AVC msg=audit(1204601533.621:32307): avc:  denied  { read write }
for  pid=9822 comm="tmpwatch" path="socket:[14038]" dev=sockfs ino=14038
scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket

becomes:

type=AVC msg=(audit=1204601533.621:32307 src=avc kind=denied
acts=read:write pid=9822 comm=tmpwatch path=socket:[14038] dev=sockfs
ino=14038 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket)

type=SYSCALL msg=audit(1204601533.621:32307): arch=c000003e syscall=59
success=yes exit=0 a0=2496490 a1=2493360 a2=24959a0 a3=8 items=0
ppid=9788 pid=9822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=48 comm="tmpwatch"
exe="/usr/sbin/tmpwatch"
subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)

becomes

type=SYSCALL msg=(audit=1204601533.621:32307 arch=c000003e syscall=59
success=yes exit=0 a0=2496490 a1=2493360 a2=24959a0 a3=8 items=0
ppid=9788 pid=9822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=%28none%29 ses=48 comm=tmpwatch
exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
key=%28null%29)

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
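An added example, not code from the list or from the audit project: a Python encoder and parser for the <name>=<value> format proposed in the mail above, using its escaping rules (bytes <= 0x20 or >= 0x7F plus '%', '(', ')', '=' as %XX) and its parenthesised embedded messages. The sample message is constructed from the SYSCALL example in the mail; malformed input (unbalanced parentheses, truncated %XX escapes, unescaped control bytes) is rejected rather than guessed at, which is the point of the proposal.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9]+")
# A plain value is printable ASCII minus '%', '(', ')', '=', or %XX escapes.
VALUE_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}|[!-$&'*-<>-~])*")

def encode_value(raw: bytes) -> str:
    # Bytes <= 0x20 or >= 0x7F and the four delimiter bytes are emitted as %XX.
    return "".join("%%%02X" % b if b <= 0x20 or b >= 0x7F or b in b"%()="
                   else chr(b) for b in raw)

def decode_value(text: str) -> bytes:
    # Reject unescaped control/non-ASCII bytes and truncated escapes outright.
    if not VALUE_RE.fullmatch(text):
        raise ValueError("malformed value %r" % text)
    return bytes(int(hx, 16) if hx else ord(ch)
                 for hx, ch in re.findall(r"%([0-9A-Fa-f]{2})|(.)", text))

def parse_message(text: str):
    # Returns a list of (name, value) pairs; an embedded message becomes a nested list.
    return _parse_pairs(text, 0, top=True)[0]

def _parse_pairs(text, pos, top):
    pairs = []
    while pos < len(text):
        if text[pos] == " ":
            pos += 1
        elif text[pos] == ")":
            if top:
                raise ValueError("unbalanced ')' at offset %d" % pos)
            return pairs, pos + 1
        else:
            m = NAME_RE.match(text, pos)
            if not m or text[m.end():m.end() + 1] != "=":
                raise ValueError("expected <name>= at offset %d" % pos)
            name, pos = m.group(0), m.end() + 1
            if text[pos:pos + 1] == "(":
                value, pos = _parse_pairs(text, pos + 1, top=False)
            else:
                end = pos
                while end < len(text) and text[end] not in " ()=":
                    end += 1
                value, pos = decode_value(text[pos:end]), end
            pairs.append((name, value))
    if not top:
        raise ValueError("unterminated '(' in embedded message")
    return pairs, pos
# Constructed sample in the proposed format (the mail's SYSCALL example, shortened).
SAMPLE = ("type=SYSCALL msg=(audit=1204601533.621:32307 syscall=59 tty=%28none%29 "
          "comm=tmpwatch exe=/usr/sbin/tmpwatch key=%28null%29)")
```

Values come back as bytes because the proposal makes no claim about their character set; any %XX sequence, including ones for non-UTF-8 filenames, round-trips unchanged.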
