From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tony Jones Subject: Re: Cooked audit log format Date: Thu, 15 May 2008 03:28:15 -0700 Message-ID: <20080515102815.GA8518@suse.de> References: <482767E0.10506@redhat.com> <200805121043.17906.sgrubb@redhat.com> <48285C0C.5070809@redhat.com> <200805121119.46856.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline In-Reply-To: <200805121119.46856.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Mon, May 12, 2008 at 11:19:46AM -0400, Steve Grubb wrote: > > Strings should be either always hex encoded, or always escaped > > (preferably the latter). > > The issue that always dominates any thinking about the audit system is how to > save diskspace. So, whenever a string has no naughty characters, we let it go > as is. If the string contains something that will confuse the parser or do > other bad things, we encode the string such that the parser cannot be > confused. But we only do that on demand because the majority of strings are > well-behaved. Are you talking here about the escaping that is performed inside of auditd? If so, IMO, this seriously needs to be reworked. The way it works (encoding the entire string rather than just escapinng the offending characters) doesn't make sense plus it's very inefficient in terms of implementation. I mentioned this to you in private mail at the time of the buffer overflow advisory. I'm happy to work on a patch but it's always possible I'm missing some design subtlety ;-) thanks! Tony