From: Steve Grubb
Subject: Re: [RFC] Comments on audit command line failure
Date: Tue, 07 Jan 2014 11:34:23 -0500
Message-ID: <1653590.FkWMjMVmQ0@localhost.localdomain>
To: linux-audit@redhat.com

On Monday, January 06, 2014 07:38:02 PM William Roberts wrote:
> I've been doing some testing of the recent audit cmdline patches,
> notably as many of the error paths as I can.
>
> On a failure, the field is populated with null, like when key is null.

But (null) for a key field is normal rather than a failure.

> However, it has quotes, should I drop the quotes...
>
> Example:
>
> Now:
> cmdline="(null)" key=(null)
>
> Proposed:
> cmdline=(null) key=(null)

The audit event format cannot change. EVER! If it has been changed due to some patches, it must be changed back as fast as possible. Tools parse the log files and any format change can cause something important to be missed. Even the order of fields is important because some tools skip around taking advantage of the order to speed searches. So, the correct thing is to make sure events are the same before and after the patches.

> I noticed that tty if it's null also does not have quotes.

Quotes are only used when user space has influenced the value. We can't allow a crafty user/admin to set up fields that will cause a parsing error that hides an event from tools.

-Steve
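Added example, not part of the thread and not linux-audit project code: a small Python parser for kernel audit records that applies the rule Steve states (a value is quoted only when user space influenced it, bare otherwise) and shows what goes wrong when a user-influenced value is quoted without protection. The hex fallback for user-influenced values that contain a double quote, a space or a control character is the kernel's behaviour for untrusted strings and is not stated in the message; the field list, the sample records, the timestamps, pids and the crafted process name are all constructed for the demo.

```python
"""Parse kernel audit records and show why the quoting rule matters.

Added example, not linux-audit code. Sample records are constructed.
"""
import binascii
import re
from typing import Dict, Optional

# Fields whose values come from user space and are therefore emitted either
# quoted or hex-encoded. Assumption: a subset that is enough for the demo.
UNTRUSTED_FIELDS = {"comm", "exe", "cwd", "name", "cmdline", "key", "proctitle"}

# name=value, where value is either a double-quoted run or a bare run of
# non-space characters (bare values never contain spaces in kernel records).
_FIELD_RE = re.compile(r'([A-Za-z0-9_]+)=("[^"]*"|\S*)')


def encode_untrusted(value: Optional[bytes]) -> str:
    """Emit a user-influenced value the way the kernel does.

    NULL prints as bare (null). A value made only of printable ASCII with
    no space and no double quote is wrapped in double quotes. Anything else
    is emitted as uppercase hex with no quotes, so a value can never smuggle
    a quote or a field separator into the record. (Kernel rule for untrusted
    strings, reproduced here for the demo, not copied from the kernel.)
    """
    if value is None:
        return "(null)"
    if any(b <= 0x20 or b >= 0x7F or b == 0x22 for b in value):
        return binascii.hexlify(value).decode("ascii").upper()
    return '"' + value.decode("ascii") + '"'


def naive_quote(value: bytes) -> str:
    """What a careless emitter would do: always quote, never escape."""
    return '"' + value.decode("ascii", "replace") + '"'


def decode_untrusted(token: str) -> Optional[bytes]:
    """Reverse encode_untrusted(). Raises ValueError on malformed hex."""
    if token == "(null)":
        return None
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode("ascii")
    return binascii.unhexlify(token)  # binascii.Error is a ValueError


def parse_record(line: str) -> Dict[str, object]:
    """Parse one record into an insertion-ordered field -> value mapping.

    Order is kept because tools rely on a stable field order. Untrusted
    fields are decoded to bytes (or None for a bare (null)); kernel-controlled
    fields keep their raw text. A repeated field name means the record was
    torn apart by an unescaped value, so it is rejected rather than guessed at.
    """
    fields: Dict[str, object] = {}
    for name, raw in _FIELD_RE.findall(line):
        if name in fields:
            raise ValueError(f"duplicate field {name!r}")
        fields[name] = decode_untrusted(raw) if name in UNTRUSTED_FIELDS else raw
    return fields


def record_is_well_formed(line: str) -> bool:
    """True if parse_record() accepts the record without error."""
    try:
        parse_record(line)
    except ValueError:
        return False
    return True


# Constructed sample: an execve of /bin/ls by a process whose name was chosen
# to look like an extra audit field. Timestamp, pid and uid are made up.
_PREFIX = ("type=SYSCALL msg=audit(1389112463.135:412): arch=c000003e "
           "syscall=59 success=yes exit=0 pid=2042 uid=1000 ")
_SUFFIX = ' exe="/bin/ls" key=(null)'
CRAFTED_COMM = b'x" key=evil'

# Kernel rule: the quote in the name forces hex, the record stays intact.
KERNEL_LINE = _PREFIX + "comm=" + encode_untrusted(CRAFTED_COMM) + _SUFFIX
# Careless rule: the quote ends comm early and a bogus key= field appears,
# followed by the real key=(null), so a strict parser drops the whole event.
NAIVE_LINE = _PREFIX + "comm=" + naive_quote(CRAFTED_COMM) + _SUFFIX

if __name__ == "__main__":
    print(KERNEL_LINE)
    print(parse_record(KERNEL_LINE))
    print(NAIVE_LINE)
    print("naive record parses cleanly:", record_is_well_formed(NAIVE_LINE))
```

Running it shows the two formats from the message side by side in the parser's eyes as well: a bare (null) decodes to None (no key set), while the quoted "(null)" the patch had introduced decodes to the literal byte string (null), which is exactly the kind of silent difference an existing tool would misread.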