Re: [PATCH] Fix acct quoting in audit_log_acct_message())
On Tue, 2008-03-04 at 16:38 -0500, Steve Grubb wrote:
On Tuesday 04 March 2008 16:21:01 John Dennis wrote:
> These are the encoded audit strings in kernel 2.6.24 (Fedora):
Reorganized:
Field 24 18 auparse
a[0-9]+ X
acct X
cmd X
comm X X X
cwd X X X
data X
dir X X
exe X X X
file X
key X X X
msg X
name X X X
new X X
old X X
path X X X
watch X
you formatting didn't come through, but we both agree auparse doesn't
get them all (for better or worse) and 2.6.24 only adds new stuff, it
doesn't remove?
Of these, A0-4 is probably from the execve patch. I have no idea what
the
status of this patch is and if its upstream. I've not seen the records so
this would be something very new.
execve could always turn A0-infinity into hex. And currently upstream
and RHEL5.2 kernels both can do so....
acct & cmd is a userspace thing
data, I need to go hunt this down. I don't like the name so it will probably
need to change in the kernel
maybe audit tty stuff? I don't see it in auditsc.c or audit.c (just a
guess)
msg, name collision it has to change wherever it is in the kernel
not sure what this means... I only see msg used in one place, but it is
a great example of non-standardization which should be cleaned up....
if (msg_type != AUDIT_USER_TTY)
audit_log_format(ab, " msg='%.1024s'",
(char *)data);
else {
int size;
audit_log_format(ab, " msg=");
size = nlmsg_len(nlh);
audit_log_n_untrustedstring(ab, size,
data);
}
The top case will surround these with '' which the bottom will surround
with ""
new, old, these sound like bugs. They need to get fixed in the kernel
new and old are from audit config changes. Am i really expected to
trust what came down the netlink socket from userspace was sane? nope
nope nope. I don't trust userspace. Even though 10 times out of 10
these are going to be normal strings they need to remain calls to
untrusted string just in case.
file & watch are probably legacy from RHEL4 I think. It can probably be
deleted.
dont see them in my kernels
-Steve