Re: Cooked audit log format
On Thursday 15 May 2008 06:28:15 Tony Jones wrote:
On Mon, May 12, 2008 at 11:19:46AM -0400, Steve Grubb wrote:
> > Strings should be either always hex encoded, or always escaped
> > (preferably the latter).
>
> The issue that always dominates any thinking about the audit system is
> how to save diskspace. So, whenever a string has no naughty characters,
> we let it go as is. If the string contains something that will confuse
> the parser or do other bad things, we encode the string such that the
> parser cannot be confused. But we only do that on demand because the
> majority of strings are well-behaved.
Are you talking here about the escaping that is performed inside of auditd?
If so, IMO, this seriously needs to be reworked. The way it works (encoding
the entire string rather than just escapinng the offending characters)
doesn't make sense plus it's very inefficient in terms of implementation. I
mentioned this to you in private mail at the time of the buffer overflow
advisory. I'm happy to work on a patch but it's always possible I'm missing
some design subtlety ;-)
Before sending a patch, it has to be backwards compatible. IOW, there is no
guarantee that someone will update user space tools and run an old kernel or
use a new kernel with old tools. There's no way to enforce this and people
will expect their tools to work.
Also note that the hex string encoding is used to encode some data structures,
so you would need to be judicious in which fields use whatever encoding.
About the scheduling of such a patch, I wouldn't want to merge the patch until
the remote logging is complete. (Its the last scheduled feature of the
current development series.) After that point, I think we are at the
branching point for big changes again.
-Steve