Hello,

On Friday, January 31, 2020 4:58:18 PM EST Burn Alting wrote:
> Currently when the USB management framework, usbguard
> (https://github.com/USBGuard/usbguard), is building its key-value pairs
> prior to calling audit_log_user_message() with an AUDIT_USER_DEVICE type,
> it looks at each value and decides to hex encode the value if any
> character in the value matches the expression (str[i] == '"' || str[i] <
> 0x21 || str[i] == 0x7F).

It should be calling audit_value_needs_encoding().

> This can be found in
> https://github.com/USBGuard/usbguard/blob/master/src/Daemon/LinuxAuditBackend.cpp
> where it makes the call
>
> audit_log_user_message(_audit_fd, AUDIT_USER_DEVICE, message.c_str(),
>     /*hostname=*/nullptr, /*addr=*/nullptr, /*tty=*/nullptr, result);
>
> As a result, one sees audit events such as
<snip>
> I have a number of questions
> - What is the best recommendation I can make in a bug report I'd like to
> raise so that the auparse library can reliably interpret all their keys'
> values?

If it's a field that is knowingly going to be user controlled, then it has to
follow the convention shown here:
https://github.com/linux-audit/audit-userspace/blob/master/lib/audit_logging.c#L196

Notably, the "else" branch includes double quotes.

> - Should I also request they actually provide hostname and addr
> values to audit_log_user_message()?

This should be covered by auditd.conf, name_format.

> - If one wants them to identify the user who participates in the activity
> what is the best recommendation to make in terms of keys in the message?

There is no way to associate a user to a device being plugged in. What if no
one is logged in? For example a "janitor" walks by a system at night and plugs
in a usb cactus or evil crow. And then sometimes a system permanently has a usb
device connected and the event is seen during boot before people log in.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
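The convention Steve points at, written out as an added example that is not code from the thread, from libaudit or from usbguard: a producer-side formatter that hex-encodes a value when the quoted test fires and double-quotes it otherwise, beside a consumer-side decoder showing how the quotes let a parser tell a literal from hex data without guessing. The names audit_format_kv and audit_decode_value are hypothetical helpers; a real daemon would link libaudit and call audit_value_needs_encoding() rather than re-implement the test as done here to keep the example stand-alone.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The test quoted in the post (libaudit's audit_value_needs_encoding() applies the
 * same one). str[] is signed, so bytes >= 0x80 are negative and also test < 0x21. */
static int value_needs_encoding(const char *str, size_t size)
{
    for (size_t i = 0; i < size; i++)
        if (str[i] == '"' || str[i] < 0x21 || str[i] == 0x7F)
            return 1;
    return 0;
}

/* Producer side (hypothetical helper): key=HEX when encoding is needed, otherwise
 * key="raw", the double-quoted "else" branch. Returns NULL if out is too small. */
char *audit_format_kv(char *out, size_t outlen, const char *key, const char *val)
{
    size_t vlen = strlen(val);
    int enc = value_needs_encoding(val, vlen);
    int n = enc ? snprintf(out, outlen, "%s=", key)
                : snprintf(out, outlen, "%s=\"%s\"", key, val);
    if (n < 0 || (size_t)n >= outlen || (enc && outlen - (size_t)n < 2 * vlen + 1))
        return NULL;
    for (size_t i = 0; enc && i < vlen; i++)   /* two hex digits per raw byte */
        snprintf(out + n + 2 * i, 3, "%02X", (unsigned char)val[i]);
    return out;
}

/* Consumer side (hypothetical, not auparse's code): with the convention a parser
 * never guesses: quoted is literal, anything else must be hex. NULL if neither. */
char *audit_decode_value(const char *field)
{
    const char *v = strchr(field, '=');
    size_t len = v ? strlen(++v) : 0;
    int quoted = len >= 2 && v[0] == '"' && v[len - 1] == '"';
    if (!v || (!quoted && len % 2)) return NULL;
    char *raw = malloc(len + 1);
    if (!raw) return NULL;
    if (quoted) { memcpy(raw, v + 1, len - 2); raw[len - 2] = '\0'; return raw; }
    for (size_t i = 0; i < len / 2; i++) {
        unsigned int byte;
        if (!isxdigit((unsigned char)v[2 * i]) || !isxdigit((unsigned char)v[2 * i + 1])
            || sscanf(v + 2 * i, "%2x", &byte) != 1) { free(raw); return NULL; }
        raw[i] = (char)byte;
    }
    raw[len / 2] = '\0';
    return raw;
}
```

A value such as a device name containing a space round-trips through the hex form, while a plain value is wrapped in quotes and read back verbatim.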
