Re: Cooked audit log format
On Mon, May 12, 2008 at 11:19:46AM -0400, Steve Grubb wrote:
> Strings should be either always hex encoded, or always escaped
> (preferably the latter).
The issue that always dominates any thinking about the audit system is how to
save diskspace. So, whenever a string has no naughty characters, we let it go
as is. If the string contains something that will confuse the parser or do
other bad things, we encode the string such that the parser cannot be
confused. But we only do that on demand because the majority of strings are
well-behaved.
Are you talking here about the escaping that is performed inside of auditd? If
so, IMO, this seriously needs to be reworked. The way it works (encoding the
entire string rather than just escapinng the offending characters) doesn't
make sense plus it's very inefficient in terms of implementation. I mentioned
this to you in private mail at the time of the buffer overflow advisory. I'm
happy to work on a patch but it's always possible I'm missing some design
subtlety ;-)
thanks!
Tony