Re: [PATCH] Fix acct quoting in audit_log_acct_message())

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Miloslav Trmac <mitr@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH] Fix acct quoting in audit_log_acct_message())
Date: Wed, 05 Mar 2008 14:55:12 +0100	[thread overview]
Message-ID: <47CEA640.7090903@redhat.com> (raw)

Tomas Mraz napsal(a):
> This proposal is just for starting the discussion.
> 
> 1. Messages contain <name>=<value> pairs separated by spaces.
> 2. All <names> are just alphanumeric sequences.
> 3. Values can be either:
>  a) byte sequences with the following special characters encoded as %XX
> where XX is hexadecimal value of the encoded byte. Special characters
> are: bytes with value <= 0x20 or >= 0x7F, '%', '(', ')', and '='.
Perhaps we should reserve more characters for future features - at least
'"', '\'' and '\\', maybe everything but [a-zA-Z0-9_-].

 From the previous thread - the currently used hexadecimal format is
good for non-ASCII data (2 characters per byte instead of 3 bytes);  It
probably won't be better for most messages - perhaps it should be left
as a third alternative, e.g. \xaa55abcdef.

One more proposal:
4. If a value is undefined, the name=value pair is not present.  Special
    values ("?", "(null)", "") are never used to represent unknown
    field values.

>  b) recursively embedded messages enclosed in '(' and ')' parentheses.

> type=USER_START msg=audit(1204632061.112:32361): user pid=10902 uid=0
> auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct=root exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'
> 
> becomes:
> 
> type=USER_START msg=(audit=1204632061.112:3236 src=user pid=10902 uid=0
> auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg=(op=PAM:session_open acct=root exe=/usr/sbin/crond hostname=? addr=?
> terminal=cron res=success))
[Should there be only one trailing )? ]  Using "msg" for both the kernel
and user-space part is ambiguous - perhaps "kmsg"/"umsg" or just
"k"/"u"?  Or, preferably, don't nest the kernel fields at all - the
nesting carries no information.

> type=AVC msg=audit(1204601533.621:32307): avc:  denied  { read write }
> for  pid=9822 comm="tmpwatch" path="socket:[14038]" dev=sockfs ino=14038
> scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket
> 
> becomes:
> 
> type=AVC msg=(audit=1204601533.621:32307 src=avc kind=denied
> acts=read:write pid=9822 comm=tmpwatch path=socket:[14038] dev=sockfs
> ino=14038 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket)
(auparse already defines names for some of the fields, the names should
be reused.)
	Mirek

next             reply	other threads:[~2008-03-05 13:55 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-05 13:55 Miloslav Trmac [this message]
2008-03-05 14:11 ` [PATCH] Fix acct quoting in audit_log_acct_message()) Tomas Mraz
2008-03-05 15:04   ` John Dennis
2008-03-05 15:21     ` Tomas Mraz
2008-03-05 15:29       ` Steve Grubb
  -- strict thread matches above, loose matches on Subject: below --
2008-03-04  3:50 Miloslav Trmac
2008-03-04 15:07 ` John Dennis
2008-03-04 18:10   ` Tomas Mraz
2008-03-04 18:29     ` John Dennis
2008-03-04 19:05       ` Eric Paris
2008-03-05  4:02         ` Valdis.Kletnieks
2008-03-05 13:15           ` Eric Paris
2008-03-04 18:56     ` Steve Grubb
2008-03-04 19:08       ` Miloslav Trmac
2008-03-04 19:28         ` Steve Grubb
2008-03-04 19:15       ` Eric Paris
2008-03-04 20:41         ` John Dennis
2008-03-04 20:29       ` John Dennis
2008-03-04 20:36         ` Tomas Mraz
2008-03-04 20:57           ` John Dennis
2008-03-04 20:43         ` Eric Paris
2008-03-04 20:52           ` Steve Grubb
2008-03-04 21:21           ` John Dennis
2008-03-04 21:38             ` Steve Grubb
2008-03-04 21:55               ` Eric Paris
2008-03-04 22:03                 ` Eric Paris
2008-03-04 22:18                   ` Steve Grubb
2008-03-04 22:32                   ` John Dennis
2008-03-05 14:11                     ` John Dennis
2008-03-04 22:14                 ` Steve Grubb
2008-03-04 22:21                   ` Eric Paris
2008-03-04 23:00                     ` Steve Grubb
2008-03-09 18:36 ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47CEA640.7090903@redhat.com \
    --to=mitr@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox