From: Burn Alting
Subject: USBguard bug
Date: Sat, 01 Feb 2020 08:58:18 +1100
Message-ID: <60ca6b1cdb64b8c27f328f93ec01fa6596dfce46.camel@iinet.net.au>
Reply-To: burn@swtf.dyndns.org
To: Linux Audit
List-Id: linux-audit@redhat.com

All,

I need some advice.

Currently when the USB management framework, usbguard (https://github.com/USBGuard/usbguard), is building its key-value pairs prior to calling audit_log_user_message() with an AUDIT_USER_DEVICE type, it looks at each value and decides to hex encode the value if any character in the value matches the expression (str[i] == '"' || str[i] < 0x21 || str[i] == 0x7F).

This can be found in https://github.com/USBGuard/usbguard/blob/master/src/Daemon/LinuxAuditBackend.cpp where it makes the call

    audit_log_user_message(_audit_fd, AUDIT_USER_DEVICE, message.c_str(),
          /*hostname=*/nullptr, /*addr=*/nullptr, /*tty=*/nullptr, result);

As a result, one sees audit events such as

type=USER_DEVICE msg=audit(1580255002.606:352190): pid=3115 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op="changed-authorization-state-for" device="/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.3" target="allow" device_rule=626C6F636B20696420303738313A353539312073657269616C2022344335333030303132323034313231303533313322206E616D652022556C7472612055534220332E30222068617368202279536D433045594970734A575666474436414854774577712F624974344631466A78785856306C3552356B3D2220706172656E742D6861736820226B763376322B726E713951765949332F48624A314556397664756A5A30615643512F43474259496B4542303D22207669612D706F72742022312D312E332220776974682D696E746572666163652030383A30363A3530 exe="/usr/sbin/usbguard-daemon" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"

where device_rule started as

    block id 0781:5591 serial "4C530001220412105313" name "Ultra USB 3.0" hash "ySmC0EYIpsJWVfGD6AHTwEwq/bIt4F1FjxxXV0l5R5k=" parent-hash "kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" via-port "1-1.3" with-interface 08:06:50

or

type=USER_DEVICE msg=audit(1580255002.605:352187): pid=3115 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op="discovered-device" device="/devices/pci0000:00/0000:00:1d.0/usb2/2-1" device_rule=616C6C6F7720696420383038373A303032342073657269616C202222206E616D65202222206861736820225A78377630464D51456A53634B534146454E41696F624573314F47505042305957522B79584443564530343D2220706172656E742D68617368202257484254784E61456F4D474E534E6333314B70464E53416546463448624C4D51675342714F526C433653383D22207669612D706F72742022322D312220776974682D696E746572666163652030393A30303A3030 exe="/usr/sbin/usbguard-daemon" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"

where device_rule started as

    allow id 8087:0024 serial "" name "" hash "Zx7v0FMQEjScKSAFENAiobEs1OGPPB0YWR+yXDCVE04=" parent-hash "WHBTxNaEoMGNSNc31KpFNSAeFF4HbLMQgSBqORlC6S8=" via-port "2-1" with-interface 09:00:00

I have a number of questions:
- What is the best recommendation I can make in a bug report I'd like to raise so that the auparse library can reliably interpret all their keys' values?
- Should I also request they actually provide hostname and addr values to audit_log_user_message()?
- If one wants them to identify the user who participates in the activity, what is the best recommendation to make in terms of keys in the message?

Thanks in advance
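Added example, not from the mail or from usbguard: a small Python decoder that applies the quote-or-hex convention described above to the first USER_DEVICE record, with the record and the decoded rule reconstructed from the text of the mail. The set of string-typed field names is an assumption; it is needed because a value such as pid=3115 is also well-formed hex, so the value alone does not reveal whether it was encoded, which is the ambiguity behind the first question.

```python
import re

# Rule quoted from usbguard's LinuxAuditBackend.cpp: hex-encode the value if any byte
# is '"', below 0x21 (controls and space) or 0x7F (DEL); otherwise double-quote it.
def audit_encode(value: str) -> str:
    raw = value.encode()
    if any(b == 0x22 or b < 0x21 or b == 0x7F for b in raw):
        return raw.hex().upper()
    return f'"{value}"'

# String-typed fields of a usbguard USER_DEVICE record (assumed from the records above).
# Decoding must be driven by field name: pid=3115 is also well-formed hex.
STRING_FIELDS = {"op", "device", "target", "device_rule", "exe", "hostname", "addr", "terminal"}
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
_FIELD_RE = re.compile(r"(\w[\w-]*)=('[^']*'|\"[^\"]*\"|\S+)")

def audit_decode(key: str, token: str) -> str:
    # Undo audit_encode for one field; non-string fields come back verbatim.
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    if key in STRING_FIELDS and _HEX_RE.match(token):
        return bytes.fromhex(token).decode()
    return token

def parse_record(line: str) -> dict:
    # Key/value pairs of one record, descending into the msg='...' body; the 0x1D
    # separator before the enriched UID=/AUID= fields is treated as whitespace.
    fields = {}
    for key, val in _FIELD_RE.findall(line.replace("\x1d", " ")):
        if val[0] == "'":
            fields.update(parse_record(val[1:-1]))
        else:
            fields[key] = audit_decode(key, val)
    return fields

# Constructed from the first record in the mail: the rule as written in usbguard's
# rule set, the hex usbguard logged for it, and the surrounding audit record.
DEVICE_RULE = ('block id 0781:5591 serial "4C530001220412105313" name "Ultra USB 3.0" '
               'hash "ySmC0EYIpsJWVfGD6AHTwEwq/bIt4F1FjxxXV0l5R5k=" parent-hash '
               '"kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" via-port "1-1.3" with-interface 08:06:50')
DEVICE_RULE_HEX = ("626C6F636B20696420303738313A353539312073657269616C20" "22344335333030303132323034313231303533313322"
    "206E616D652022556C7472612055534220332E3022"
    "2068617368202279536D433045594970734A575666474436414854774577712F624974344631466A78785856306C3552356B3D22"
    "20706172656E742D6861736820226B763376322B726E713951765949332F48624A314556397664756A5A30615643512F43474259496B4542303D22"
    "207669612D706F72742022312D312E332220776974682D696E746572666163652030383A30363A3530")
SAMPLE_RECORD = ("type=USER_DEVICE msg=audit(1580255002.606:352190): pid=3115 uid=0 auid=4294967295 "
                 "ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=\"changed-"
                 "authorization-state-for\" device=\"/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.3\" "
                 "target=\"allow\" device_rule=" + DEVICE_RULE_HEX + " exe=\"/usr/sbin/usbguard-daemon\" "
                 "hostname=? addr=? terminal=? res=success'\x1dUID=\"root\" AUID=\"unset\"")
```

Running parse_record(SAMPLE_RECORD) yields device_rule decoded back to the block rule, while pid, auid and the other numeric fields are left as the literals they are.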