On Fri, 21 Apr 2006 09:20:10 EDT, Steve Grubb said:
> To give some background...we have this open bugzilla:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168285
> It was agreed last summer that this would be useful for people. It has nothing
> to do with CAPP certification, so it was put on the back burner. No one had
> the time to complete it until now. What the patch does is collect the string
> arguments to execve and log them as an auxiliary record. It was also put
> onto the linux-audit mail list as a proposal, item #1 here:
> https://www.redhat.com/archives/linux-audit/2005-September/msg00061.html
Does this allow an attacker to DoS the audit log by creating a fork/exec loop
intentionally invoking a totally duff binary, but that includes a very long argument?
Maybe a "first 32/64 bytes of each argument" limit is needed? Or is there one
there and I missed it?
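As an added illustration of the bounding the question above asks about (this is not code from the patch or the kernel, and the record format, `ARG_CAP` and `RECORD_CAP` are hypothetical): a formatter that keeps only a fixed prefix of each execve argument and caps the whole auxiliary record, so a fork/exec loop with huge arguments cannot inflate the log beyond a bounded size per event.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-argument cap: the "first 32/64 bytes" idea from the thread. */
#define ARG_CAP 32
/* Hypothetical cap on the whole auxiliary record, so the size stays bounded
 * no matter how many arguments or how long each one is. */
#define RECORD_CAP 512

/* Format argv into buf as "argc=N a0=... a1=..." with each argument cut to
 * ARG_CAP bytes (marked with "...") and the record cut at RECORD_CAP bytes.
 * Returns the number of bytes written, excluding the terminating NUL; the
 * result is always < RECORD_CAP and < buflen. */
size_t format_execve_record(int argc, char *const argv[], char *buf, size_t buflen)
{
    size_t limit = buflen < RECORD_CAP ? buflen : RECORD_CAP;
    size_t used;
    int n = snprintf(buf, limit, "argc=%d", argc);
    if (n < 0)
        return 0;
    used = (size_t)n < limit ? (size_t)n : limit - 1;
    for (int i = 0; i < argc; i++) {
        /* strnlen never scans past the cap, so a multi-megabyte argument costs
         * at most ARG_CAP bytes of work and of log space. */
        size_t alen = strnlen(argv[i], ARG_CAP);
        int truncated = argv[i][alen] != '\0';
        n = snprintf(buf + used, limit - used, " a%d=%.*s%s",
                     i, (int)alen, argv[i], truncated ? "..." : "");
        if (n < 0)
            return used;
        if ((size_t)n >= limit - used) {
            /* Record cap reached: snprintf already NUL-terminated at limit-1. */
            used = limit - 1;
            break;
        }
        used += (size_t)n;
    }
    return used;
}
```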