From: Eric Paris
Subject: Re: [PATCH] Fix acct quoting in audit_log_acct_message()
Date: Tue, 04 Mar 2008 16:55:20 -0500
Message-ID: <1204667720.3216.161.camel@localhost.localdomain>
In-Reply-To: <200803041638.03430.sgrubb@redhat.com>
References: <47CCC6F0.1090005@redhat.com> <1204663403.3216.126.camel@localhost.localdomain> <47CDBD3D.7030101@redhat.com> <200803041638.03430.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com

On Tue, 2008-03-04 at 16:38 -0500, Steve Grubb wrote:
> On Tuesday 04 March 2008 16:21:01 John Dennis wrote:
> > These are the encoded audit strings in kernel 2.6.24 (Fedora):
>
> Reorganized:
>
> Field    24  18  auparse
> a[0-9]+  X
> acct     X
> cmd      X   X   X
> comm     X   X   X
> cwd      X   X   X
> data     X
> dir      X   X
> exe      X   X   X
> file     X
> key      X   X   X
> msg      X
> name     X   X   X
> new      X   X
> old      X   X
> path     X   X   X
> watch    X

Your formatting didn't come through, but we both agree auparse doesn't get
them all (for better or worse), and 2.6.24 only adds new stuff, it doesn't
remove?

> Of these, A0-4 is probably from the execve patch. I have no idea what the
> status of this patch is and if it's upstream. I've not seen the records so
> this would be something very new.

execve could always turn A0-infinity into hex. And currently upstream and
RHEL5.2 kernels both can do so....

> acct & cmd is a userspace thing
>
> data, I need to go hunt this down. I don't like the name so it will probably
> need to change in the kernel

Maybe audit tty stuff? I don't see it in auditsc.c or audit.c (just a guess).

> msg, name collision it has to change wherever it is in the kernel

Not sure what this means...

I only see msg used in one place, but it is a great example of
non-standardization which should be cleaned up....

        if (msg_type != AUDIT_USER_TTY)
                audit_log_format(ab, " msg='%.1024s'", (char *)data);
        else {
                int size;

                audit_log_format(ab, " msg=");
                size = nlmsg_len(nlh);
                audit_log_n_untrustedstring(ab, size, data);
        }

The top case will surround these with '' while the bottom will surround them
with "".

> new, old, these sound like bugs. They need to get fixed in the kernel

new and old are from audit config changes. Am I really expected to trust that
what came down the netlink socket from userspace was sane? Nope nope nope. I
don't trust userspace. Even though 10 times out of 10 these are going to be
normal strings, they need to remain calls to untrusted string just in case.

> file & watch are probably legacy from RHEL4 I think. It can probably be
> deleted.

Don't see them in my kernels.

> -Steve
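The untrusted-string quoting that Eric wants kept for new/old (the rule behind audit_log_n_untrustedstring() in the msg branch above), as an added example that is not part of this thread or the kernel tree: a small userspace C model of it. The function names, the exact byte ranges and the uppercase hex digits are assumptions modelled on the kernel's behaviour, not code from the patch.

```c
/* Added example, not from this thread or the kernel tree: a userspace model
 * of the quoting rule behind audit_log_n_untrustedstring(). The kernel
 * hex-encodes a value containing a double quote, a byte below 0x21 (space and
 * control characters) or a byte above 0x7e, and otherwise wraps it in double
 * quotes. Function names and the uppercase hex digits are assumptions. */
#include <stdio.h>
#include <string.h>
/* 1 if the value would be hex-encoded rather than quoted. */
static int needs_hex_encoding(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == '"' || s[i] < 0x21 || s[i] > 0x7e)
            return 1;
    return 0;
}

/* Render an untrusted field value as the audit log would show it:
 * "quoted" for plain printable data, bare hex otherwise.
 * Returns the number of bytes written (excluding the NUL). */
static size_t format_untrusted(char *out, size_t outsz,
                               const unsigned char *val, size_t len)
{
    size_t n = 0;
    if (!needs_hex_encoding(val, len))
        return (size_t)snprintf(out, outsz, "\"%.*s\"", (int)len, (const char *)val);
    for (size_t i = 0; i < len && n + 3 <= outsz; i++)
        n += (size_t)snprintf(out + n, outsz - n, "%02X", val[i]);
    return n;
}

/* Does `val` render exactly as `expected`? Handy for checking cases. */
static int encodes_to(const char *val, const char *expected)
{
    char buf[256];
    format_untrusted(buf, sizeof buf, (const unsigned char *)val, strlen(val));
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample values: plain, with a space, with an embedded quote. */
    const char *samples[] = { "safe_value", "has space", "it\"s" };
    char buf[256];
    for (size_t i = 0; i < 3; i++) {
        format_untrusted(buf, sizeof buf, (const unsigned char *)samples[i], strlen(samples[i]));
        printf("acct=%s\n", buf);
    }
    return 0;
}
```

A parser that knows this rule can tell a quoted field from a hex one by its first character, which is exactly what the mixed ''/"" quoting in the msg branch above defeats.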