Re: [PATCH] TaskTracker : Simplified thread information tracker.

[Steve Grubb <sgrubb@redhat.com>]

Hello,

On Sun, 28 Sep 2014 00:13:14 +0900
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> Steve Grubb wrote:
> > On Sat, 27 Sep 2014 10:02:44 +0900
> > Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> > 
> > > May I continue proposing this functionality?
> > 
> > From the audit perspective, sure. I think we were expecting a
> > revised patch after the comments. Other groups may have different
> > thoughts, though.
> > 
> > -Steve
> 
> OK, thank you. Before posting a revised patch, can I hear answers
> about specification questions listed below?

Sure.

> (Q1) Where can I find which bytes in $value need to be escaped when
>      emitting a record like name='$value' ?

I have written a specification that describes how to write well formed
audit events to help with questions like this. You can find it here:

http://people.redhat.com/sgrubb/audit/audit-events.txt

If you know that a field is under user control, it must be escaped so
that they cannot try to trick the parser.

> Is 0x20 in $value permitted?

No. That is the separator between fields, so it cannot be allowed. What
we suggest is to use a dash or hyphen between if you are logging a
phrase that cannot be altered by the user. For example, you may have an
op field saying it deleted a rule. You would do it as op=rule-deleted.
However, we do not suggest that for user controlled fields. Just escape
it by calling audit_log_untrustedstring() if in the kernel. There are
examples in the page I mention above.

> (Q2) Does auxiliary record work with only type=SYSCALL case?

Auxiliary records compliment a syscall record by adding extra
information. PATH, IPC, CWD, and EXECVE are some examples. They get
emitted in audit_log_exit() if you wanted to look at them in more
detail.

HTH...

-Steve