public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [RFC] Comments on audit command line failure
Date: Tue, 07 Jan 2014 11:34:23 -0500	[thread overview]
Message-ID: <1653590.FkWMjMVmQ0@localhost.localdomain> (raw)
In-Reply-To: <CAFftDdocnqsOj=uEiftUvUJpCBBupK3MR6p6iZWBbkDdpNi_mw@mail.gmail.com>

On Monday, January 06, 2014 07:38:02 PM William Roberts wrote:
> I've been doing some testing of the recent audit cmdline patches,
> notably as many of the error paths as I can.
> 
> On a failure, the field is populated with null, like when key is null.

But (null) for a key field is normal rather than a failure.


> However, it has quotes, should I drop the quotes...
> 
> Example:
> 
> Now:
> cmdline="(null)" key=(null)
> 
> Proposed:
> cmdline=(null) key=(null)

The audit event format cannot change. EVER! If it has been changed due to some 
patches, it must be changed back as fast as possible. Tools parse the log files 
and any format change can cause something important to be missed. Even the 
order of fields is important because some tools skip around taking advantage of 
the order to speed searches.

So, the correct thing is to make sure events are the same before and after the 
patches.

 
> I noticed that tty if it's null also does not have quotes.

Quotes are only used when user space has influenced the value. We can't allow a 
crafty user/admin to set up fields that will cause a parsing error that hides 
an event from tools.

-Steve
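An added illustration, not code from this thread or from the audit project: a minimal parser for the name=value record layout Steve describes, where an unquoted (null) means the kernel had no value while a quoted value is one user space could have influenced, plus a shape check for confirming that events look the same before and after a patch. The record strings are constructed from the forms quoted above.

```python
from typing import Dict, List, Optional, Tuple

Field = Tuple[str, Optional[str], bool]  # (name, raw value, was the value quoted?)


def tokenize_fields(record: str) -> List[Field]:
    """Split a name=value record into fields, honouring double quotes.
    Anything between fields that is not name=value is treated as corruption,
    which is exactly what an unquoted user-influenced value would produce."""
    fields: List[Field] = []
    i, n = 0, len(record)
    while i < n:
        if record[i] == " ":
            i += 1
            continue
        eq = record.find("=", i)
        if eq == -1 or " " in record[i:eq]:
            raise ValueError(f"stray token before next field: {record[i:]!r}")
        name = record[i:eq]
        j = eq + 1
        if j < n and record[j] == '"':
            end = record.find('"', j + 1)
            if end == -1:
                raise ValueError(f"unterminated quote in field {name!r}")
            fields.append((name, record[j + 1:end], True))
            i = end + 1
        else:
            end = record.find(" ", j)
            end = n if end == -1 else end
            fields.append((name, record[j:end], False))
            i = end
    return fields


def parse_record(record: str) -> Dict[str, Optional[str]]:
    """Map field names to values: an unquoted (null) is an absent value,
    while a quoted "(null)" is literal text that user space could have produced."""
    return {name: (None if not quoted and value == "(null)" else value)
            for name, value, quoted in tokenize_fields(record)}


def event_shape(record: str) -> List[Tuple[str, bool]]:
    """What log tools depend on: field names, their order, and whether each
    value is quoted, independent of the values themselves."""
    return [(name, quoted) for name, _, quoted in tokenize_fields(record)]


def same_shape(before: str, after: str) -> bool:
    """Regression check: do two records of one event type keep the same shape?"""
    return event_shape(before) == event_shape(after)


# Constructed records in the two forms discussed in the thread.
NOW = 'cmdline="(null)" key=(null)'
PROPOSED = 'cmdline=(null) key=(null)'
```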

Thread overview:
2014-01-07  3:38 [RFC] Comments on audit command line failure William Roberts
2014-01-07 15:54 ` William Roberts
2014-01-07 16:34 ` Steve Grubb [this message]
2014-01-07 19:36   ` William Roberts
