From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Cooked audit log format
Date: Thu, 15 May 2008 08:44:37 -0400
Message-ID: <200805150844.38007.sgrubb@redhat.com>
References: <482767E0.10506@redhat.com> <200805121119.46856.sgrubb@redhat.com>
	<20080515102815.GA8518@suse.de>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <20080515102815.GA8518@suse.de>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Tony Jones <tonyj@suse.de>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 15 May 2008 06:28:15 Tony Jones wrote:
> On Mon, May 12, 2008 at 11:19:46AM -0400, Steve Grubb wrote:
> > > Strings should be either always hex encoded, or always escaped
> > > (preferably the latter).
> >
> > The issue that always dominates any thinking about the audit system is
> > how to save diskspace. So, whenever a string has no naughty characters,
> > we let it go as is. If the string contains something that will confuse
> > the parser or do other bad things, we encode the string such that the
> > parser cannot be confused. But we only do that on demand because the
> > majority of strings are well-behaved.
>
> Are you talking here about the escaping that is performed inside of auditd?
> If so, IMO, this seriously needs to be reworked. The way it works (encoding
> the entire string rather than just escapinng the offending characters)
> doesn't make sense plus it's very inefficient in terms of implementation. I
> mentioned this to you in private mail at the time of the buffer overflow
> advisory. I'm happy to work on a patch but it's always possible I'm missing
> some design subtlety ;-)

Before sending a patch, it has to be backwards compatible. IOW, there is no 
guarantee that someone will update user space tools and run an old kernel or 
use a new kernel with old tools. There's no way to enforce this and people 
will expect their tools to work.

Also note that the hex string encoding is used to encode some data structures, 
so you would need to be judicious in which fields use whatever encoding.

About the scheduling of such a patch, I wouldn't want to merge the patch until 
the remote logging is complete.  (Its the last scheduled feature of the 
current development series.) After that point, I think we are at the 
branching point for big changes again.

-Steve