Re: [PATCH] TaskTracker : Simplified thread information tracker.
Hello,
On Sun, 28 Sep 2014 00:13:14 +0900
Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> wrote:
Steve Grubb wrote:
> On Sat, 27 Sep 2014 10:02:44 +0900
> Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> wrote:
>
> > May I continue proposing this functionality?
>
> From the audit perspective, sure. I think we were expecting a
> revised patch after the comments. Other groups may have different
> thoughts, though.
>
> -Steve
OK, thank you. Before posting a revised patch, can I hear answers
about specification questions listed below?
Sure.
(Q1) Where can I find which bytes in $value need to be escaped when
emitting a record like name='$value' ?
I have written a specification that describes how to write well formed
audit events to help with questions like this. You can find it here:
http://people.redhat.com/sgrubb/audit/audit-events.txt
If you know that a field is under user control, it must be escaped so
that they cannot try to trick the parser.
Is 0x20 in $value permitted?
No. That is the separator between fields, so it cannot be allowed. What
we suggest is to use a dash or hyphen between if you are logging a
phrase that cannot be altered by the user. For example, you may have an
op field saying it deleted a rule. You would do it as op=rule-deleted.
However, we do not suggest that for user controlled fields. Just escape
it by calling audit_log_untrustedstring() if in the kernel. There are
examples in the page I mention above.
(Q2) Does auxiliary record work with only type=SYSCALL case?
Auxiliary records compliment a syscall record by adding extra
information. PATH, IPC, CWD, and EXECVE are some examples. They get
emitted in audit_log_exit() if you wanted to look at them in more
detail.
HTH...
-Steve