On Fri, 21 Apr 2006 16:22:35 EDT, Alexander Viro said:
On Fri, Apr 21, 2006 at 04:19:09PM -0400, Valdis.Kletnieks(a)vt.edu
wrote:
> Maybe a "first 32/64 bytes of each argument" limit is needed? Or is there
one
> there and I missed it?
You do realize that it makes e.g. any pathname arguments in effect not
logged at all - just slap 64 '/' in front of absolute pathname and you
are done.
On the other hand, the 2.6.17-rc1-mm3 kernel I'm on now has:
include/linux/limits.h:#define ARG_MAX 131072 /* # bytes of args + environ for
exec() */
which implies to me that I can blat a bit over 128K to the audit log per syscall.
With the default Fedora-rawhide auditd.conf config of:
num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE
I can roll through all the logs and *effectively* make the arguments of whatever
I wanted to hide not visible with only 160 syscalls. 'man auditd.conf' says:
Space_left should be set to a number that gives the admin enough time
to react to any alert message and perform some maintenance to free up
disk space. This would typically involve running the aureport -t report
and moving the oldest logs to an archive area. The value of space_left
is site dependant since the rate at which events are generated varies
with each deployment. The space_left_action is recommended to be set to
email.
(And yes, I know if you're *serious* about this, you have action set to
'single'
or 'halt' or similar "die rather than lose records" setting. The
problem is that
when you can blow through a megabyte of logspace with only 8 syscalls, finding a
good setting for "gives enough time" becomes a lot more challenging...)
How would everybody feel about wrapping this in a CONFIG_AUDIT_ARGV, and some
Kconfig wording warning about this burning through your audit space?