From: Steve Grubb <sgrubb@redhat.com>
To: Tony Jones <tonyj@suse.de>
Cc: linux-audit@redhat.com
Subject: Re: Cooked audit log format
Date: Thu, 15 May 2008 08:44:37 -0400 [thread overview]
Message-ID: <200805150844.38007.sgrubb@redhat.com> (raw)
In-Reply-To: <20080515102815.GA8518@suse.de>
On Thursday 15 May 2008 06:28:15 Tony Jones wrote:
> On Mon, May 12, 2008 at 11:19:46AM -0400, Steve Grubb wrote:
> > > Strings should be either always hex encoded, or always escaped
> > > (preferably the latter).
> >
> > The issue that always dominates any thinking about the audit system is
> > how to save diskspace. So, whenever a string has no naughty characters,
> > we let it go as is. If the string contains something that will confuse
> > the parser or do other bad things, we encode the string such that the
> > parser cannot be confused. But we only do that on demand because the
> > majority of strings are well-behaved.
>
> Are you talking here about the escaping that is performed inside of auditd?
> If so, IMO, this seriously needs to be reworked. The way it works (encoding
> the entire string rather than just escapinng the offending characters)
> doesn't make sense plus it's very inefficient in terms of implementation. I
> mentioned this to you in private mail at the time of the buffer overflow
> advisory. I'm happy to work on a patch but it's always possible I'm missing
> some design subtlety ;-)
Before sending a patch, it has to be backwards compatible. IOW, there is no
guarantee that someone will update user space tools and run an old kernel or
use a new kernel with old tools. There's no way to enforce this and people
will expect their tools to work.
Also note that the hex string encoding is used to encode some data structures,
so you would need to be judicious in which fields use whatever encoding.
About the scheduling of such a patch, I wouldn't want to merge the patch until
the remote logging is complete. (Its the last scheduled feature of the
current development series.) After that point, I think we are at the
branching point for big changes again.
-Steve
next prev parent reply other threads:[~2008-05-15 12:44 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-11 21:40 Cooked audit log format Matthew Booth
2008-05-12 14:43 ` Steve Grubb
2008-05-12 15:02 ` Matthew Booth
2008-05-12 15:19 ` Steve Grubb
2008-05-12 15:50 ` LC Bruzenak
2008-05-12 16:09 ` Miloslav Trmač
2008-05-12 16:34 ` Steve Grubb
2008-05-12 16:44 ` LC Bruzenak
2008-05-12 16:53 ` Matthew Booth
2008-05-12 16:12 ` John Dennis
2008-05-12 20:56 ` Eric Paris
2008-05-13 12:30 ` John Dennis
2008-05-15 10:28 ` Tony Jones
2008-05-15 12:44 ` Steve Grubb [this message]
2008-05-15 15:59 ` John Dennis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200805150844.38007.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=tonyj@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox