From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: ausearch results differ with "-i" flag
Date: Wed, 17 Mar 2010 14:57:08 -0400
Message-ID: <201003171457.08511.sgrubb@redhat.com>
In-Reply-To: <4BA12442.6030206@redhat.com>
On Wednesday 17 March 2010 02:49:38 pm John Dennis wrote:
> > comm's value should be in double-quotes unless it has special characters
> > and then it should be hex encoded. The reason being is comm could have a
> > white space in its name.
>
> Why would white space inside a quoted string cause it to be hex encoded?
Because someone could start a log injection attack. Comm is controlled by the
user which is untrusted. Although they are limited to 15 characters, it might
be enough to throw parsing off.
> Maybe my memory is fuzzy and I haven't been carefully tracking the audit
> changes lately. String values never used to be quoted, right?
When they are controlled by users, yes.
> When did quotes get added?
Back around 2005.
> Did we add quotes around strings but preserve the hex encoding for strings?
If the string starts with ", then it's safe to parse as is. If not, it is
assumed to be hex-encoded.
> What happened to the position that changing audit output from the kernel was
> verboten?
This particular avc originates from user space. The application needs to
follow the rules correctly so it doesn't mess up the logs.
-Steve
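The quoting and hex-encoding rule Steve describes, worked through as an added example that is not part of this thread or of the audit tools' own code. The exact set of bytes that forces hex encoding, the USER_AVC sample record and the set of fields treated as untrusted are assumptions made for the example; it also shows why a parser that only splits on whitespace is the one a space inside comm would confuse.

```python
import binascii
import re

# Assumption (not copied from libaudit): a byte makes a value "unsafe" when it
# is a control character, a space, DEL, non-ASCII, or a double quote.
def needs_hex(value: bytes) -> bool:
    return any(b <= 0x20 or b >= 0x7f or b == 0x22 for b in value)

def encode_untrusted(value: bytes) -> str:
    """Render an untrusted string field as the thread describes:
    double-quoted when safe, otherwise hex-encoded with no quotes."""
    if needs_hex(value):
        return binascii.hexlify(value).decode("ascii").upper()
    return '"' + value.decode("ascii") + '"'

def decode_untrusted(raw: str) -> bytes:
    """A value starting with a double quote is taken literally;
    anything else is assumed to be hex-encoded."""
    if raw.startswith('"'):
        return raw[1:-1].encode("ascii")
    return binascii.unhexlify(raw)

# Only fields known to carry user-controlled text get the decode step; this
# set is an assumption for the example (the thread only discusses comm).
UNTRUSTED_FIELDS = {"comm"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> dict:
    """Quote-aware parser: a quoted value is one token even if it has spaces."""
    out = {}
    for key, val in FIELD_RE.findall(line):
        out[key] = decode_untrusted(val) if key in UNTRUSTED_FIELDS else val
    return out

def naive_parse(line: str) -> dict:
    """Whitespace-splitting parser with no quoting rules: the kind of consumer
    an unencoded comm containing a space would throw off."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def build_record(pid: int, comm: bytes, encode: bool = True) -> str:
    """Constructed sample record (not real audit output). comm is limited to
    15 bytes, as the thread notes; encode=False shows the unencoded form."""
    assert len(comm) <= 15
    value = encode_untrusted(comm) if encode else comm.decode("ascii")
    return f"type=USER_AVC pid={pid} comm={value}"
```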