From mboxrd@z Thu Jan 1 00:00:00 1970 From: Linda Knippers Subject: Re: [PATCH] IPC_SET_PERM cleanup Date: Tue, 09 May 2006 16:46:30 -0400 Message-ID: <4460FFA6.4070506@hp.com> References: <445BB351.2040303@hp.com> <20060509181523.GD31457@w-m-p.com> <4460DF17.8010304@hp.com> <200605091511.25780.sgrubb@redhat.com> <20060509201014.GA31028@w-m-p.com> <20060509203608.GF31457@w-m-p.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20060509203608.GF31457@w-m-p.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Klaus Weidner Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Klaus Weidner wrote: > On Tue, May 09, 2006 at 03:10:14PM -0500, Klaus Weidner wrote: > >>On Tue, May 09, 2006 at 03:11:25PM -0400, Steve Grubb wrote: >> >>>Bottom line, for the search API, I want all similar types to have a common >>>field name. They can have a modifier adjacent to them. >> >>If that's the way you want to do it, there needs to be a way to get the >>modifier to disambiguate them. >> >>Is adding "new " modifiers the best way to do that? You could also >>keep the field names the same and look at the syscall record type to find >>out which context they get used in. > > > A bit more detail... > > Here are the current audit records: > > type=SYSCALL msg=audit(1146691872.791:94): arch=c000003e syscall=66 success=yes exit=0 a0=10000 a1=1 a2=1 a3=7fff328a7e70 items=0 pid=4327 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="syscalls" exe="/usr/local/eal3_testing/audit-test/syscalls/syscalls" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255 > > type=IPC_SET_PERM msg=audit(1146691872.791:94): new qbytes=0 new iuid=501 new igid=0 new mode=0 obj=user_u:system_r:unconfined_t:s0-s0:c0.c255 > > type=IPC msg=audit(1146691872.791:94): qbytes=5a5a5a5a5a5a5a5a iuid=0 igid=0 mode=1c0 obj=user_u:system_r:unconfined_t:s0-s0:c0.c255 > > > The original patches by Dustin and Linda had used "new_iuid=501" to > differentiate the values, which I personally think was fine since it's > unlikely that people want to be searching for those. And if they do, they're easy to find with an ausearch | grep. I think Dustin and I were both trying to be consistent with the 99% of the audit records emitted by the kernel that use single word keywords. I also think Loulwa had a good suggestion when we suggested modifying some of the user space audit records to also use single word keywords. I can understand not wanting to create a bunch of new, random keywords and I think for the kernel, we do that be reviewing new audit records to make sure that they only contain the necessary information and re-use existing keywords where it makes sense. That's why I removed obj from the IPC_SET_PERMS record and qbytes from the IPC record. I guess for qbytes that means that I can use qbytes instead of new_qbytes since the IPC_SET_PERMS record is the only place where it shows up. That's a change I'm happy to make. :-) > If you absolutely want to avoid adding new tag names, an alternative > would be to get rid of the "new " modifiers, and use the "type=" name to > differentiate them. The audit parsing library could then provide an > auparse_get_field_type() function so that the clients that care can treat > "IPC_SET_PERM" differently from type "IPC". > > Something like: > > while (ausearch_next_event(au)) { > if (auparse_find_field(au, "ouid") > && !strcmp(auparse_get_field_type(au), "IPC")) > { > printf("ouid=%s\n", auparse_interpret_field(au)); > } > } > > I still think that the new_* field names are fine and don't need fixing, > but the "new" modifiers just look wrong. I agree. I would also like something that's easy to parse for people not using the search API. Our test suite doesn't use the search API and probably never will until there's a binary record format. -- ljk > > -Klaus > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit