From mboxrd@z Thu Jan 1 00:00:00 1970
From: Klaus Weidner
Subject: Re: [PATCH 2/2] Audit: remove the limit on execve arguments when audit is running
Date: Mon, 8 Oct 2007 14:45:57 -0500
Message-ID: <20071008194557.GA32746@w-m-p.com>
References: <1191360589.9506.34.camel@localhost.localdomain> <1191597087.3198.7.camel@dhcp231-215.rdu.redhat.com>
In-Reply-To: <1191597087.3198.7.camel@dhcp231-215.rdu.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris
Cc: linux-audit@redhat.com, a.p.zijlstra@chello.nl
List-Id: linux-audit@redhat.com

On Fri, Oct 05, 2007 at 11:11:27AM -0400, Eric Paris wrote:
> My belief is that the solution to this problem is to allow audit to
> break individual arguments down to a size <8k. I guess my syntax would
> be something like
>
> a0[0]=(first 8k of a single huge argument)
> a0[1]=(second 8k of a single huge argument)
[...]
> who has a problem with that syntax? will userspace puke?

I'm a bit worried about special audit record formats that aren't generally seen in normal operation, since that's an obstacle to testability.

The ASCII audit format encourages an ad-hoc parsing approach, and it's likely that tools other than the shipped ones won't be able to handle this and will break unexpectedly, possibly offering avenues to hide events with unusual records. (I know that people are supposed to use the parsing library, but they aren't being forced to.)

Would there be a clean way to handle this kind of reassembly in auditd to ensure that the on-disk record will continue to be in the currently documented format? Or is there a way to strongly encourage people to keep their hands off the raw audit logs and use documented interfaces that take care of the conversions?

-Klaus
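To make the testability concern concrete, here is an added example (not code from the thread, auditd or the audit library) that parses a constructed EXECVE record in the proposed aN[K]= chunked syntax: one parser that knows only the documented aN= form silently loses the chunked argument, while a reassembling parser rebuilds it and fails loudly on gaps or duplicates. The record text and function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Field aN=value (documented form) or aN[K]=value (chunked form proposed above).
FIELD_RE = re.compile(r'\b(a\d+)(?:\[(\d+)\])?=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample record in the proposed syntax; not taken from the thread.
SAMPLE = ('type=EXECVE msg=audit(1191600000.123:42): argc=3 a0="cat" '
          'a1[0]="AAAA" a1[1]="BBBB" a2="/dev/null"')

def _unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def naive_execve_args(record):
    """An ad-hoc parser of the kind the reply warns about: it knows only the
    documented aN=value form, so a chunked argument silently disappears."""
    found = {int(k[1:]): v for k, idx, v in FIELD_RE.findall(record) if not idx}
    return [_unquote(found[n]) for n in sorted(found)]

def reassemble_execve_args(record):
    """Return argv from an EXECVE record, joining aN[K] chunks into whole
    arguments; raises ValueError on gaps, duplicates or an argc mismatch."""
    m = re.search(r'\bargc=(\d+)', record)
    if not m:
        raise ValueError("no argc field")
    argc = int(m.group(1))
    plain, chunked = {}, defaultdict(dict)
    for key, idx, val in FIELD_RE.findall(record):
        n = int(key[1:])
        target = plain if not idx else chunked[n]
        slot = n if not idx else int(idx)
        if slot in target:
            raise ValueError(f"duplicate field {key} slot {slot}")
        target[slot] = _unquote(val)
    argv = []
    for n in range(argc):
        if n in plain and n in chunked:
            raise ValueError(f"a{n} appears in both plain and chunked form")
        if n in plain:
            argv.append(plain[n])
        elif n in chunked:
            parts = chunked[n]
            if sorted(parts) != list(range(len(parts))):
                raise ValueError(f"a{n} has missing chunks: {sorted(parts)}")
            argv.append(''.join(parts[k] for k in range(len(parts))))
        else:
            raise ValueError(f"a{n} missing (argc={argc})")
    if len(plain) + len(chunked) != argc:
        raise ValueError("more argument fields than argc")
    return argv
```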