* auparse question
From: LC Bruzenak @ 2008-06-06 19:20 UTC (permalink / raw)
To: Linux Audit
I have successfully sent in an AUDIT_TRUSTED_APP user audit event &
viewed that message picked off the stream by audisp.
I send in my own n=v pairs.
The auparse library code returns all the name elements but on a string
value with embedded spaces it stops at the first space.
On the sending side I have tried escaping double-quotes, single-quotes,
and escaped single-quotes.
I read through most of the list entries regarding this and also Steve's
auparse text page and I must be missing the answer; apology in advance
since after reading through most of the replies I realized it has been
discussed thoroughly, but I do not see the answer.
I also copied the example in the auparse_feed manpage, compiled that
and tried to put some data into a file for an easy example. I cannot
seem to get the right format in my event data file however. If someone
has an example of that file data it would help, since I'd ideally like
to use this setup for quick testing.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* Re: auparse question
From: Miloslav Trmač @ 2008-06-06 19:36 UTC (permalink / raw)
To: LC Bruzenak; +Cc: Linux Audit
LC Bruzenak wrote on Fri 06. 06. 2008 at 14:20 -0500:
> I send in my own n=v pairs.
> The auparse library code returns all the name elements but on a string
> value with embedded spaces it stops at the first space.
<snip>
> I read through most of the list entries regarding this and also Steve's
> auparse text page and I must be missing the answer; apology in advance
> since after reading through most of the replies I realized it has been
> discussed thoroughly, but I do not see the answer.
There's no answer. auparse (except for some special cases) splits
fields at spaces.
One usual way of handling spaces is to use the hex-encoded form for
field representation, and decode it either using
auparse_interpret_field() (which hard-codes the ways to decode specific
field types, and does nothing for unknown types), or in the application.
The other usual way of handling spaces is to just write them in the
record and let the applications deal with them however they want (you
can get the raw record text out of auparse, after all).
I plan to make auparse more useful in this regard, but the best I can
hope for is adding more special cases for specific field and record
types. A long-term, future-proof solution must involve some changes to
the record format definition.
Mirek
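
The hex-encoding approach described in the message above, as an added example that is not part of the original thread and does not call libauparse: `get_field` is a hypothetical stand-in for a parser that splits fields at spaces, and `hex_encode` / `hex_decode` are hypothetical helpers for the sending side and the application side. The record text is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Sender side (hypothetical helper): hex-encode so the value has no spaces. */
static void hex_encode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in && o + 2 < outsz; in++, o += 2)
        snprintf(out + o, 3, "%02X", (unsigned)(unsigned char)*in);
    out[o] = '\0';
}

/* Application side: decode hex; returns -1 if the text is not well-formed hex. */
static int hex_decode(const char *in, char *out, size_t outsz) {
    size_t n = strlen(in), o = 0;
    if (n == 0 || n % 2 != 0 || n / 2 >= outsz) return -1;
    for (size_t i = 0; i < n; i += 2) {
        if (!isxdigit((unsigned char)in[i]) || !isxdigit((unsigned char)in[i + 1]))
            return -1;
        char byte[3] = { in[i], in[i + 1], '\0' };
        out[o++] = (char)strtol(byte, NULL, 16);
    }
    out[o] = '\0';
    return 0;
}

/* Stand-in for a parser that splits name=value fields at spaces. */
static int get_field(const char *rec, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    for (const char *p = rec; *p; p += strspn(p, " ")) {
        size_t flen = strcspn(p, " ");
        if (flen > nlen && p[nlen] == '=' && strncmp(p, name, nlen) == 0) {
            size_t vlen = flen - nlen - 1;
            if (vlen >= outsz) return -1;
            snprintf(out, outsz, "%.*s", (int)vlen, p + nlen + 1);
            return 0;
        }
        p += flen;
    }
    return -1;
}

int main(void) {
    char hex[64], rec[128], val[64], txt[64];
    hex_encode("login failed for bob", hex, sizeof hex);
    snprintf(rec, sizeof rec, "op=test msg=%s res=1", hex); /* constructed record */
    if (!get_field(rec, "msg", val, sizeof val) && !hex_decode(val, txt, sizeof txt))
        printf("%s -> %s\n", val, txt);
    return 0;
}
```

With the value written unencoded (`msg=login failed for bob`), the same `get_field` call returns only `login`, which is the truncation reported at the start of the thread.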
* Re: auparse question
From: LC Bruzenak @ 2008-06-06 19:53 UTC (permalink / raw)
To: Miloslav Trmač; +Cc: Linux Audit
On Fri, 2008-06-06 at 19:36 +0000, Miloslav Trmač wrote:
...
> One usual way of handling spaces is to use the hex-encoded form for
> field representation, and decode it either using
> auparse_interpret_field() (which hard-codes the ways to decode specific
> field types, and does nothing for unknown types), or in the application.
> The other usual way of handling spaces is to just write them in the
> record and let the applications deal with them however they want (you
> can get the raw record text out of auparse, after all).
Fair enough; thanks for the response.
Yes, I am able to get the raw string out and I can sub-parse it myself.
Up to this point the parser was doing all the work for me! :)
Thx!
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* audit string encoding is broken (Was: auparse question)
From: John Dennis @ 2008-06-06 20:07 UTC (permalink / raw)
To: Miloslav Trmač; +Cc: Linux Audit
Miloslav Trmač wrote:
> One usual way of handling spaces is to use the hex-encoded form for
> field representation, and decode it either using
> auparse_interpret_field() (which hard-codes the ways to decode specific
> field types, and does nothing for unknown types), or in the application.
> The other usual way of handling spaces is to just write them in the
> record and let the applications deal with them however they want (you
> can get the raw record text out of auparse, after all).
>
> I plan to make auparse more useful in this regard, but the best I can
> hope for is adding more special cases for specific field and record
> types. A long-term, future-proof solution must involve some changes to
> the record format definition.
>
I wonder how many times on this list someone has pointed out that the
encoding of string values in the audit subsystem is BROKEN?
How many times will people stumble on this before it gets fixed?
String encoding has to get fixed in the kernel first because that is
where the string values are generated.
There have been numerous emails on this list explaining the problem in
detail and numerous proposals for easy fixes.
--
John Dennis <jdennis@redhat.com>