Hello,
On Friday, January 31, 2020 4:58:18 PM EST Burn Alting wrote:
> Currently when the USB management framework, usbguard (
> https://github.com/USBGuard/usbguard), is building its key-value pairs
> prior to calling audit_log_user_message() with an AUDIT_USER_DEVICE type,
> it looks at each value and decides to hex encode the value if any
> character in the value matches the expression
> (str[i] == '"' || str[i] < 0x21 || str[i] == 0x7F).
It should be calling audit_value_needs_encoding().
> This can be found in
> https://github.com/USBGuard/usbguard/blob/master/src/Daemon/LinuxAuditBackend.cpp
> where it makes the call
> audit_log_user_message(_audit_fd, AUDIT_USER_DEVICE, message.c_str(),
>                        /*hostname=*/nullptr, /*addr=*/nullptr, /*tty=*/nullptr, result);
> As a result, one sees audit events such as
> <snip>
> I have a number of questions
> - What is the best recommendation I can make in a bug report I'd like to
> raise so that the auparse library can reliably interpret all their keys'
> values?
If it's a field that is knowingly going to be user controlled, then it has to
follow the convention shown here:
https://github.com/linux-audit/audit-userspace/blob/master/lib/audit_logging.c#L196
Notably, the "else" branch includes double quotes.
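To make that convention concrete, here is an added example in C (my own code, not libaudit's and not usbguard's). It reimplements both halves so it runs stand-alone without linking libaudit: the logger side, which mirrors audit_value_needs_encoding() using the same byte test Burn quotes and then writes either key="value" or key=HEX (uppercase hex, no quotes, which is how I understand audit_encode_value() and the audit_logging.c branch above to behave), and the parser side, which is the rule auparse relies on: a value that opens with a double quote is literal, anything else is hex. The function names (value_needs_encoding, encode_nv, decode_value, roundtrip_ok) and the sample device names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirror of libaudit's audit_value_needs_encoding(): hex-encode if the value
 * holds a double quote, a byte below 0x21 (controls, space) or DEL.  With a
 * signed char (as on x86) bytes >= 0x80 are negative and caught by < 0x21. */
static int value_needs_encoding(const char *str, size_t size)
{
    size_t i;
    if (str == NULL)
        return 0;
    for (i = 0; i < size; i++)
        if (str[i] == '"' || str[i] < 0x21 || str[i] == 0x7F)
            return 1;
    return 0;
}

/* Logger side: key="value" for a clean value, otherwise key=HEX with no
 * quotes, which is the audit_logging.c convention.  Returns malloc'd text. */
static char *encode_nv(const char *key, const char *value)
{
    size_t klen = strlen(key), vlen = strlen(value), i;
    char *out, *p;
    if (value_needs_encoding(value, vlen)) {
        if ((out = malloc(klen + 2 * vlen + 2)) == NULL)
            return NULL;
        p = out + sprintf(out, "%s=", key);
        for (i = 0; i < vlen; i++)
            p += sprintf(p, "%02X", (unsigned char)value[i]);
    } else {
        if ((out = malloc(klen + vlen + 4)) == NULL)
            return NULL;
        sprintf(out, "%s=\"%s\"", key, value);
    }
    return out;
}

static const char HEX[] = "0123456789ABCDEF";

/* Parser side (what auparse relies on): a value opening with a double quote
 * is literal text up to the closing quote; anything else is uppercase hex.
 * Returns a malloc'd string, or NULL for a malformed field. */
static char *decode_value(const char *field)
{
    const char *v = strchr(field, '='), *end, *hi, *lo;
    size_t n, i;
    char *out;
    if (v == NULL)
        return NULL;
    v++;
    if (v[0] == '"') {
        if ((end = strchr(v + 1, '"')) == NULL)
            return NULL;
        n = (size_t)(end - v - 1);
        if ((out = malloc(n + 1)) == NULL)
            return NULL;
        memcpy(out, v + 1, n);
        out[n] = '\0';
        return out;
    }
    n = strlen(v);
    if (n == 0 || n % 2 != 0 || (out = malloc(n / 2 + 1)) == NULL)
        return NULL;
    for (i = 0; i < n; i += 2) {
        hi = strchr(HEX, v[i]);       /* i + 1 < n, so neither byte here */
        lo = strchr(HEX, v[i + 1]);   /* is the terminating NUL */
        if (hi == NULL || lo == NULL) { free(out); return NULL; }
        out[i / 2] = (char)((hi - HEX) * 16 + (lo - HEX));
    }
    out[n / 2] = '\0';
    return out;
}

/* 1 if value encodes to exactly `wire` and `wire` decodes back to value. */
static int roundtrip_ok(const char *key, const char *value, const char *wire)
{
    char *enc = encode_nv(key, value);
    char *dec = enc ? decode_value(enc) : NULL;
    int ok = enc && dec && strcmp(enc, wire) == 0 && strcmp(dec, value) == 0;
    free(enc); free(dec);
    return ok;
}

int main(void)
{
    /* Constructed samples: a clean name, one with a space, one with a quote. */
    const char *samples[] = { "sda", "USB Flash", "x\" y" };
    size_t i;
    for (i = 0; i < 3; i++) {
        char *enc = encode_nv("name", samples[i]), *dec = enc ? decode_value(enc) : NULL;
        printf("%-10s -> %-22s -> %s\n", samples[i], enc ? enc : "?", dec ? dec : "?");
        free(enc); free(dec);
    }
    return 0;
}
```

The point of the double quotes is visible in decode_value(): the parser has exactly one cheap, unambiguous signal for which of the two forms it is reading. A producer that emits a plain value without quotes, or a hex value inside quotes, breaks that rule, and auparse will then either treat a device name as hex or return the hex string as if it were the literal value.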
> - Should I also request they actually provide hostname and addr
> values to audit_log_user_message()?
This should be covered by auditd.conf, name_format.
> - If one wants them to identify the user who participates in the
> activity, what is the best recommendation to make in terms of keys in the
> message?
There is no way to associate a user to a device being plugged in. What if no
one is logged in? For example a "janitor" walks by a system at night and
plugs in a usb cactus or evil crow. And then sometimes a system permanently
has a usb device connected and the event is seen during boot before people
log in.
-Steve