From: John Dennis <jdennis@redhat.com>
To: linux-audit@redhat.com
Subject: Re: ausearch results differ with "-i" flag
Date: Wed, 17 Mar 2010 14:49:38 -0400
Message-ID: <4BA12442.6030206@redhat.com>
In-Reply-To: <201003171303.16873.sgrubb@redhat.com>
On 03/17/2010 01:03 PM, Steve Grubb wrote:
> On Tuesday 16 March 2010 06:18:26 pm LC Bruzenak wrote:
>> I am doing an ausearch and noticed that with the "-i" flag the "comm="
>> field appears to lose the data.
>> The bad thing is that this appears inside the "msg=" string, and I feel
>> that it shouldn't be interpreting those values anyway.
>>
>> I saw that the audit-viewer does parse out the "comm=" field correctly
>> when I look at the same event.
>>
>> First the event without the "-i" flag:
>> ----
>> time->Tue Mar 16 21:53:50 2010
>> node=jcdx type=USER_AVC msg=audit(1268776430.236:6808): user pid=2835
>> uid=0 auid=4294967295 ses=4294967295
>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
>> { write } for request=X11:PolyRectangle comm=MLTracks resid=5d
>> restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511
>> tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023
>> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
>> terminal=?)'
>> ----
>
> comm's value should be in double-quotes unless it has special characters, and
> then it should be hex encoded. The reason being that comm could have white
> space in its name.
Why would white space inside a quoted string cause it to be hex encoded?
Maybe my memory is fuzzy and I haven't been carefully tracking the audit
changes lately. String values never used to be quoted, right? When did
quotes get added? Did we add quotes around strings but preserve the hex
encoding for strings? That would mean even though strings are marked as
strings by virtue of being quoted you still need a hard coded list of
what fields are strings so you can test for unadorned hex encoding if
the quote is absent. If quotes were added then the unadorned hex
encoding format could have been dropped, because standard string escapes could
have been used inside a quoted string. What happened to the position
that changing audit output from the kernel was verboten?
--
John Dennis <jdennis@redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
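A small decoder illustrating the two encodings Steve describes (double-quoted versus unadorned hex) and the per-field type list John says a parser then needs, added here as an example; it is not code from the thread, the kernel or audit-userspace. It assumes a constructed subset of string-valued fields and joins the USER_AVC record quoted above onto one line:

```python
import re

# Constructed subset of audit fields carrying untrusted strings, which may be
# hex-encoded instead of quoted (the real list in ausearch is longer).
STRING_FIELDS = {"comm", "exe", "name", "cwd", "key", "acct"}

def needs_hex(value: bytes) -> bool:
    """Kernel rule: hex-encode if a byte is '"', below 0x21 (space/control) or above 0x7e."""
    return any(b == 0x22 or b < 0x21 or b > 0x7e for b in value)

def encode_untrusted(value: bytes) -> str:
    """Emit the value the way the kernel logs untrusted strings: hex or double-quoted."""
    return value.hex().upper() if needs_hex(value) else '"%s"' % value.decode("ascii")

HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
def decode_value(key: str, raw: str) -> str:
    """Quoted -> inner text; unquoted hex on a known string field -> decoded bytes;
    anything else unchanged, so comm=MLTracks survives and resid=5d is not read as ']'."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in STRING_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

HEADER_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):\s*")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^\s,)]+)")

def parse_record(line: str) -> dict:
    """Split a record into fields; msg=audit(time:serial) becomes time/serial and a
    nested msg='...' payload (as in USER_AVC) is parsed recursively."""
    fields = {}
    m = HEADER_RE.search(line)
    if m:
        fields["time"], fields["serial"] = m.group(1), m.group(2)
        line = line[:m.start()] + line[m.end():]
    for key, val in FIELD_RE.findall(line):
        if val[0] == "'":
            fields[key] = parse_record(val[1:-1])   # nested user-space payload
        else:
            fields[key] = decode_value(key, val)
    return fields

# Constructed: the USER_AVC event from the thread, joined onto one line.
RECORD = ("node=jcdx type=USER_AVC msg=audit(1268776430.236:6808): user pid=2835 uid=0 "
          "auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 "
          "msg='avc: denied { write } for request=X11:PolyRectangle comm=MLTracks resid=5d "
          "restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511 "
          "tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : "
          "exe=\"/usr/bin/Xorg\" (sauid=0, hostname=?, addr=?, terminal=?)'")
```

Running `parse_record(RECORD)` keeps `comm=MLTracks` and `resid=5d` as written while decoding `exe="/usr/bin/Xorg"`, and `encode_untrusted(b"my prog")` shows the hex form a space forces.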