* hexified path in cwd audit message if dir no longer exists
From: paul moore @ 2007-05-05 0:47 UTC
To: linux-audit

Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4

Occasionally I get a CWD audit message that has a hexified path in it.
Like this

$1 = "audit(1178324383.479:1566): cwd=2F70726F632F35373336202864656C6574656429\000

This is "/proc/5736"

The message is coming from a shell process whose current dir is /proc/5736 and 5736 exited.
The cwd path contains junk after the "6" character - so audit untrusted string has hexified it.
I have not tried with real dirs.

Bug?
* Re: hexified path in cwd audit message if dir no longer exists
From: Steve Grubb @ 2007-05-05 13:33 UTC
To: linux-audit

On Friday 04 May 2007 20:47:19 paul moore wrote:
> Occasionally I get a CWD audit message that has a hexified path in it.
> Like this
>
> $1 = "audit(1178324383.479:1566):
> cwd=2F70726F632F35373336202864656C6574656429\000
> This is "/proc/5736"

Could you tell me what you get when you pull this event's record out with
ausearch -i ?

-Steve
* RE: hexified path in cwd audit message if dir no longer exists
From: paul moore @ 2007-05-07 16:48 UTC
To: 'Steve Grubb', linux-audit

No - since I was not running auditd it didn't get written in user space.
But the clip I show is directly from the audit buffer returned by audit_get_reply (I poked the \0 onto the end of the buffer)

audit(1178324383.479:1566): cwd=2F70726F632F35373336202864656C6574656429\000

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Saturday, May 05, 2007 6:34 AM
To: linux-audit@redhat.com
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists

On Friday 04 May 2007 20:47:19 paul moore wrote:
> Occasionally I get a CWD audit message that has a hexified path in it.
> Like this
>
> $1 = "audit(1178324383.479:1566):
> cwd=2F70726F632F35373336202864656C6574656429\000
> This is "/proc/5736"

Could you tell me what you get when you pull this event's record out with
ausearch -i ?

-Steve
* RE: hexified path in cwd audit message if dir no longer exists
From: paul moore @ 2007-05-07 17:42 UTC
To: 'Steve Grubb', linux-audit

Aha - it actually says "xxxx (deleted)". Which is OK I guess.
But I would have thought that the untrusted string routine would know that this is a string generated by the kernel audit system and so not escape it.

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Saturday, May 05, 2007 6:34 AM
To: linux-audit@redhat.com
Cc: paul moore
Subject: Re: hexified path in cwd audit message if dir no longer exists

On Friday 04 May 2007 20:47:19 paul moore wrote:
> Occasionally I get a CWD audit message that has a hexified path in it.
> Like this
>
> $1 = "audit(1178324383.479:1566):
> cwd=2F70726F632F35373336202864656C6574656429\000
> This is "/proc/5736"

Could you tell me what you get when you pull this event's record out with
ausearch -i ?

-Steve
* Re: hexified path in cwd audit message if dir no longer exists
From: Steve Grubb @ 2007-05-07 17:49 UTC
To: paul moore; +Cc: linux-audit

On Monday 07 May 2007 13:42, paul moore wrote:
> Aha - it actually says "xxxx (deleted)".

That's what I thought it would say.

> Which is OK I guess. But I would have thought that the untrusted string
> routine would know that this is a string generated by the kernel audit
> system and so not escape it

Any space in a field value will cause parsing problems. That is the main reason it's escaped.

-Steve
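The exchange above comes down to one rule in the kernel's audit string escaping: a field value that contains a space, a control character, a non-ASCII byte or a double quote is emitted as a hex string rather than a quoted string, so that `key=value` records stay parseable by a plain whitespace split. The worked example below is added here and is not code from the thread, from the kernel or from the audit userspace tools. It mirrors that rule (as documented for `audit_string_contains_control()` in kernel/audit.c) in Python, decodes the record quoted in the thread back to `/proc/5736 (deleted)`, and shows how a log consumer can use the decoded value to flag a process whose working directory has already been removed. The set of fields treated as escaped strings (`UNTRUSTED_FIELDS`) is an assumption for the example; real `ausearch` knows the full list per record type.

```python
import re
from typing import Dict, Tuple

# Constructed sample record: the audit(...) header and cwd= value quoted in
# the thread. The trailing \000 shown there is the terminator poked onto the
# netlink buffer, not part of the record text, so it is omitted here.
SAMPLE_RECORD = "audit(1178324383.479:1566): cwd=2F70726F632F35373336202864656C6574656429"

# Assumed subset of the audit fields that the kernel writes through the
# untrusted-string path (cwd, name, comm, exe, key); ausearch has the full
# per-record-type list.
UNTRUSTED_FIELDS = {"cwd", "name", "comm", "exe", "key"}


def needs_hex(value: bytes) -> bool:
    """Mirror of the kernel rule in audit_string_contains_control()
    (kernel/audit.c): a double quote, any byte below 0x21 (space and control
    characters) or any byte above 0x7e makes the value unsafe to emit
    verbatim, so the whole value is hex-encoded instead of quoted."""
    return any(b == 0x22 or b < 0x21 or b > 0x7e for b in value)


def encode_untrusted(value: bytes) -> str:
    """What the kernel writes for an untrusted string: upper-case hex when
    needs_hex() is true, otherwise the value wrapped in double quotes."""
    if needs_hex(value):
        return value.hex().upper()
    return '"' + value.decode("ascii") + '"'


def decode_untrusted(field: str) -> bytes:
    """Inverse of encode_untrusted(), i.e. what ausearch -i does for a string
    field: unquote a quoted value, hex-decode a bare hex run, and pass any
    other bare token (such as (null)) through unchanged."""
    if len(field) >= 2 and field[0] == '"' and field[-1] == '"':
        return field[1:-1].encode("ascii")
    if len(field) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", field):
        return bytes.fromhex(field)
    return field.encode("ascii")


HEADER_RE = re.compile(r"^audit\((\d+\.\d+):(\d+)\):\s*")
# A field value is either a double-quoted string or a run of non-space
# characters; hex encoding guarantees the latter never contains a space,
# which is the parsing guarantee Steve refers to in the thread.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Tuple[str, int, Dict[str, bytes]]:
    """Split one raw audit record into (timestamp, serial, fields), decoding
    the known string fields and leaving every other value as raw bytes."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {}
    for key, raw in FIELD_RE.findall(line[m.end():]):
        fields[key] = decode_untrusted(raw) if key in UNTRUSTED_FIELDS else raw.encode("ascii")
    return m.group(1), int(m.group(2)), fields


def cwd_is_deleted(line: str) -> bool:
    """True when the record's cwd names a directory the kernel has already
    unlinked: the path is rendered with a trailing " (deleted)", and that
    space is exactly why the value arrived hex-encoded."""
    _, _, fields = parse_record(line)
    return fields.get("cwd", b"").endswith(b" (deleted)")


if __name__ == "__main__":
    ts, serial, fields = parse_record(SAMPLE_RECORD)
    print(ts, serial, fields["cwd"].decode())
    print("deleted cwd:", cwd_is_deleted(SAMPLE_RECORD))
```

Run as a script it prints the decoded `/proc/5736 (deleted)` for the thread's record. The design point is the one Steve makes: the hex form is not an error to be special-cased on the producing side, it is what keeps the record a sequence of space-separated `key=value` tokens, so consumers decode rather than ask the kernel to skip escaping. A decoded cwd ending in ` (deleted)` is also a useful signal in its own right, since it means the process was still operating from a directory that had been unlinked.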