From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [PATCH] TaskTracker : Simplified thread information tracker. Date: Sat, 27 Sep 2014 11:40:27 -0400 Message-ID: <20140927114028.5f233685@ivy-bridge> References: <201406232114.EJD56725.JFOOHQFMFOVSLt@I-love.SAKURA.ne.jp> <6185690.zhavPjVDeb@x2> <201406262040.BGC30243.FFMLHOVQOOFSJt@I-love.SAKURA.ne.jp> <201409271002.JAH52667.FtSOOHOQLFFMJV@I-love.SAKURA.ne.jp> <20140927091440.6fe54f43@ivy-bridge> <201409280012.FGE05239.VtFOSMOJFOFQLH@I-love.SAKURA.ne.jp> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <201409280012.FGE05239.VtFOSMOJFOFQLH@I-love.SAKURA.ne.jp> Sender: linux-security-module-owner@vger.kernel.org To: Tetsuo Handa Cc: linux-audit@redhat.com, linux-security-module@vger.kernel.org List-Id: linux-audit@redhat.com Hello, On Sun, 28 Sep 2014 00:13:14 +0900 Tetsuo Handa wrote: > Steve Grubb wrote: > > On Sat, 27 Sep 2014 10:02:44 +0900 > > Tetsuo Handa wrote: > > > > > May I continue proposing this functionality? > > > > From the audit perspective, sure. I think we were expecting a > > revised patch after the comments. Other groups may have different > > thoughts, though. > > > > -Steve > > OK, thank you. Before posting a revised patch, can I hear answers > about specification questions listed below? Sure. > (Q1) Where can I find which bytes in $value need to be escaped when > emitting a record like name='$value' ? I have written a specification that describes how to write well formed audit events to help with questions like this. You can find it here: http://people.redhat.com/sgrubb/audit/audit-events.txt If you know that a field is under user control, it must be escaped so that they cannot try to trick the parser. > Is 0x20 in $value permitted? No. That is the separator between fields, so it cannot be allowed. What we suggest is to use a dash or hyphen between if you are logging a phrase that cannot be altered by the user. For example, you may have an op field saying it deleted a rule. You would do it as op=rule-deleted. However, we do not suggest that for user controlled fields. Just escape it by calling audit_log_untrustedstring() if in the kernel. There are examples in the page I mention above. > (Q2) Does auxiliary record work with only type=SYSCALL case? Auxiliary records compliment a syscall record by adding extra information. PATH, IPC, CWD, and EXECVE are some examples. They get emitted in audit_log_exit() if you wanted to look at them in more detail. HTH... -Steve