From: Steve Grubb
Subject: Re: USBguard bug
Date: Mon, 03 Feb 2020 11:35:58 -0500
Message-ID: <2617745.EWgzpobAnq@x2>
References: <60ca6b1cdb64b8c27f328f93ec01fa6596dfce46.camel@iinet.net.au>
In-Reply-To: <60ca6b1cdb64b8c27f328f93ec01fa6596dfce46.camel@iinet.net.au>
To: linux-audit@redhat.com, burn@swtf.dyndns.org

Hello,

On Friday, January 31, 2020 4:58:18 PM EST Burn Alting wrote:
> Currently when the USB management framework, usbguard
> (https://github.com/USBGuard/usbguard), is building its key-value pairs
> prior to calling audit_log_user_message() with an AUDIT_USER_DEVICE type,
> it looks at each value and decides to hex encode the value if any
> character in the value matches the expression (str[i] == '"' || str[i] <
> 0x21 || str[i] == 0x7F).

It should be calling audit_value_needs_encoding().

> This can be found in
> https://github.com/USBGuard/usbguard/blob/master/src/Daemon/LinuxAuditBackend.cpp
> where it makes the call
>
> audit_log_user_message(_audit_fd, AUDIT_USER_DEVICE, message.c_str(),
> /*hostname=*/nullptr, /*addr=*/nullptr, /*tty=*/nullptr, result);
>
> As a result, one sees audit events such as
>
> I have a number of questions
>
> - What is the best recommendation I can make in a bug report I'd like to
> raise so that the auparse library can reliably interpret all their keys'
> values?

If it's a field that is knowingly going to be user controlled, then it has to
follow the convention shown here:

https://github.com/linux-audit/audit-userspace/blob/master/lib/audit_logging.c#L196

Notably, the "else" branch includes double quotes.

> - Should I also request they actually provide hostname and addr
> values to audit_log_user_message()?

This should be covered by auditd.conf, name_format.

> - If one wants them to identify the user who participates in the activity
> what is the best recommendation to make in terms of keys in the message?

There is no way to associate a user to a device being plugged in. What if no
one is logged in? For example a "janitor" walks by a system at night and plugs
in a usb cactus or evil crow. And then sometimes a system permanently has a usb
device connected and the event is seen during boot before people log in.

-Steve
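The quoting convention Steve points to, as an added example that is neither audit-userspace nor usbguard code: a helper modelled on the audit_value_needs_encoding() check and the "else" branch in audit_logging.c, emitting key="value" when no byte needs encoding and key=HEX (unquoted, uppercase) otherwise, which is the distinction auparse relies on. The function names and the sample device attributes are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same test the audit library convention applies to user-controlled
 * fields: a double quote, anything below 0x21 (space and control
 * characters) or DEL forces hex encoding. Comparing through unsigned
 * char also catches bytes >= 0x80 whether or not char is signed. */
static int value_needs_encoding(const char *str, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)str[i];
        if (c == '"' || c < 0x21 || c > 0x7E)
            return 1;
    }
    return 0;
}

/* Build one key=value pair the way auparse expects it: a value that needs
 * no encoding is wrapped in double quotes; otherwise the raw bytes are
 * written as uppercase hex with no quotes, so the parser can tell the two
 * forms apart. Returns a malloc'd string the caller frees. */
char *format_audit_field(const char *key, const char *value)
{
    size_t klen = strlen(key), vlen = strlen(value);
    char *out, *p;

    if (!value_needs_encoding(value, vlen)) {
        out = malloc(klen + vlen + 4);          /* key = " value " NUL */
        if (out)
            sprintf(out, "%s=\"%s\"", key, value);
        return out;
    }
    out = malloc(klen + 2 * vlen + 2);          /* key = hex NUL */
    if (!out)
        return NULL;
    p = out + sprintf(out, "%s=", key);
    for (size_t i = 0; i < vlen; i++)
        p += sprintf(p, "%02X", (unsigned char)value[i]);
    return out;
}

int main(void)
{
    /* Constructed device attributes of the kind usbguard logs. */
    const char *pairs[][2] = { { "serial", "ABC123" }, { "name", "Mass Storage" } };
    for (size_t i = 0; i < 2; i++) {
        char *f = format_audit_field(pairs[i][0], pairs[i][1]);
        printf("%s\n", f);
        free(f);
    }
    return 0;
}
```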