Re: [patch] Syscall auditing - move "name=" field to the end
* David Woodhouse (dwmw2(a)infradead.org) wrote:
On Wed, 2005-03-16 at 14:41 -0800, Chris Wright wrote:
> * Ondrej Zary (linux(a)rainbow-software.org) wrote:
> > This patch moves the "name=" field to the end of audit records. The
> > original placement is bad because it cannot be properly parsed. It is
> > impossible to tell if the name is "/bin/true" or "/bin/true
inode=469634
> > dev=00:00" because the "inode=" and "dev=" fields can
be omitted.
Consider:
open("/bin/true\naudit(1111008484.824:89346): ...", O_RDONLY);
I don't think this patch is enough -- either we need to escape the text
completely or just dump it as hex instead of a string. One option would
be to dump it in quotes as a string if all chars in the string are in
the range 0x20-0x7e, and as hex otherwise. That slightly complicates the
parsing, but not by much, and still gives you plain text in the majority
of cases while protecting against abuse.
Yes good point. I don't have a strong preference. Steve, are you
working on processing log data, do you have a preference?
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net