On Tue, 2008-03-04 at 16:38 -0500, Steve Grubb wrote:
> On Tuesday 04 March 2008 16:21:01 John Dennis wrote:
> > These are the encoded audit strings in kernel 2.6.24 (Fedora):
> 
> Reorganized:
> 
> 
> Field     24   18   auparse
> a[0-9]+   X
> acct                X
> cmd                 X
> comm      X    X    X
> cwd       X    X    X
> data      X
> dir       X         X
> exe       X    X    X
> file                X
> key       X    X    X
> msg       X
> name      X    X    X
> new       X    X
> old       X    X
> path      X    X    X
> watch               X

your formatting didn't come through, but we both agree auparse doesn't
get them all (for better or worse) and 2.6.24 only adds new stuff, it
doesn't remove?

> Of these, A0-4 is probably from the execve patch. I have no idea what the 
> status of this patch is and if it's upstream. I've not seen the records so 
> this would be something very new.

execve could always turn A0-infinity into hex.  And currently upstream
and RHEL5.2 kernels both can do so....

> acct & cmd is a userspace thing
> 
> data, I need to go hunt this down. I don't like the name so it will probably 
> need to change in the kernel

maybe audit tty stuff?  I don't see it in auditsc.c or audit.c (just a
guess)
> 
> msg, name collision it has to change wherever it is in the kernel

not sure what this means...  I only see msg used in one place, but it is
a great example of non-standardization which should be cleaned up....

        if (msg_type != AUDIT_USER_TTY)
                /* raw userspace data, single-quoted, no escaping at all */
                audit_log_format(ab, " msg='%.1024s'", (char *)data);
        else {
                int size;

                /* untrusted-string path: double-quoted or hex-encoded */
                audit_log_format(ab, " msg=");
                size = nlmsg_len(nlh);
                audit_log_n_untrustedstring(ab, size, data);
        }

The top case will surround these with '' which the bottom will surround
with ""

> new, old, these sound like bugs. They need to get fixed in the kernel

new and old are from audit config changes.  Am I really expected to
trust what came down the netlink socket from userspace was sane?  nope
nope nope.  I don't trust userspace.  Even though 10 times out of 10
these are going to be normal strings they need to remain calls to
untrusted string just in case.

> 
> file & watch are probably legacy from RHEL4 I think. It can probably be 
> deleted.

don't see them in my kernels
> 
> -Steve

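Added example, not code from this thread or from the kernel: a userspace model of the untrusted-string encoding discussed above (a value is written as "value" when every byte is printable ASCII without a double quote, otherwise as bare uppercase hex) together with the decoder a consumer such as auparse needs for those two forms. Function names are mine; the rule is that of audit_log_n_untrustedstring and audit_string_contains_control as described here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char HEX[] = "0123456789ABCDEF";

/* Any byte outside 0x21..0x7e, or a double quote, forces hex encoding. */
static int needs_hex(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x21 || s[i] > 0x7e || s[i] == '"') return 1;
    return 0;
}

/* Encode as the untrusted-string path does: "value" if clean, else bare
 * uppercase hex. Returns bytes written (without NUL) or -1 on overflow. */
int encode_untrusted(const char *s, size_t n, char *out, size_t outsz)
{
    const unsigned char *u = (const unsigned char *)s;
    if (!needs_hex(u, n)) {
        if (n + 3 > outsz) return -1;
        out[0] = '"'; memcpy(out + 1, s, n); out[n + 1] = '"'; out[n + 2] = 0;
        return (int)n + 2;
    }
    if (2 * n + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i++)
        sprintf(out + 2 * i, "%02X", u[i]);
    return (int)(2 * n);
}

/* Decode as a consumer such as auparse must: a double-quoted value is
 * literal, anything else is hex. Returns decoded length or -1 if malformed. */
int decode_untrusted(const char *v, char *out, size_t outsz)
{
    size_t len = strlen(v);
    if (len >= 2 && v[0] == '"' && v[len - 1] == '"') {
        if (len - 1 > outsz) return -1;
        memcpy(out, v + 1, len - 2); out[len - 2] = 0;
        return (int)len - 2;
    }
    if (len % 2 || len / 2 + 1 > outsz) return -1;
    for (size_t i = 0; i < len; i += 2) {  /* len is even, so v[i+1] != 0 */
        const char *hi = strchr(HEX, toupper((unsigned char)v[i]));
        const char *lo = strchr(HEX, toupper((unsigned char)v[i + 1]));
        if (!hi || !lo) return -1;
        out[i / 2] = (char)((hi - HEX) * 16 + (lo - HEX));
    }
    out[len / 2] = 0;
    return (int)len / 2;
}
```

The msg='%.1024s' branch quoted above does neither of these, which is why a parser cannot treat a single-quoted value and a double-quoted one the same way.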
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
