From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tomas Mraz Subject: Re: [PATCH] Fix acct quoting in audit_log_acct_message()) Date: Tue, 04 Mar 2008 19:10:48 +0100 Message-ID: <1204654248.12783.32.camel@vespa.frost.loc> References: <47CCC6F0.1090005@redhat.com> <47CD65A3.8020204@redhat.com> Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <47CD65A3.8020204@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: John Dennis , linux-audit@redhat.com Cc: Simo Sorce List-Id: linux-audit@redhat.com On Tue, 2008-03-04 at 10:07 -0500, John Dennis wrote: > Miloslav Trmac wrote: > > Hello, > > audit_log_acct_message() is currently quoting acct differently from all > > other users: it adds quotes to acct if it is represented in hexadecimal, > > not when it is represented as-is. > > This isn't the only audit hexadecimal parsing issue, there are many > more, see my previous posts. It is a sad fact audit output is impossible > to parse correctly given only the output. Correct parsing of audit data > demands private knowledge about the format of audit log messages on a > per kernel version basis, this is very broken IMHO. Following up on the discussion we had on IRC about making the audit messages easily parsable. This proposal is just for starting the discussion. 1. Messages contain = pairs separated by spaces. 2. All are just alphanumeric sequences. 3. Values can be either: a) byte sequences with the following special characters encoded as %XX where XX is hexadecimal value of the encoded byte. Special characters are: bytes with value <= 0x20 or >= 0x7F, '%', '(', ')', and '='. b) recursively embedded messages enclosed in '(' and ')' parentheses. type=USER_START msg=audit(1204632061.112:32361): user pid=10902 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' becomes: type=USER_START msg=(audit=1204632061.112:3236 src=user pid=10902 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg=(op=PAM:session_open acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success)) type=AVC msg=audit(1204601533.621:32307): avc: denied { read write } for pid=9822 comm="tmpwatch" path="socket:[14038]" dev=sockfs ino=14038 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket becomes: type=AVC msg=(audit=1204601533.621:32307 src=avc kind=denied acts=read:write pid=9822 comm=tmpwatch path=socket:[14038] dev=sockfs ino=14038 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket) type=SYSCALL msg=audit(1204601533.621:32307): arch=c000003e syscall=59 success=yes exit=0 a0=2496490 a1=2493360 a2=24959a0 a3=8 items=0 ppid=9788 pid=9822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=48 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) becomes type=SYSCALL msg=(audit=1204601533.621:32307 arch=c000003e syscall=59 success=yes exit=0 a0=2496490 a1=2493360 a2=24959a0 a3=8 items=0 ppid=9788 pid=9822 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=%28none%29 ses=48 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=%28null%29) -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb