On Fri, Jul 15, 2016 at 2:54 PM, Steve Grubb <sgr...@redhat.com> wrote:
> On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote:
>> Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
>> From: Paul Moore <p...@paul-moore.com>
>> To: william.c.robe...@intel.com
>> CC: seli...@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, Stephen Smalley
>> <s...@tycho.nsa.gov>, Me, linux-au...@redhat.com
>> Date: Yesterday 6:17 PM
>>
>> On Thu, Jul 14, 2016 at 3:29 PM, <william.c.robe...@intel.com> wrote:
>> > From: William Roberts <william.c.robe...@intel.com>
>> >
>> > ioctlcmd is currently printing hex numbers, but there is no leading
>> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
>> > not evident.
>> >
>> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
>> > ioctlcmd=0x1234.
>> >
>> > Signed-off-by: William Roberts <william.c.robe...@intel.com>
>> > ---
>> > security/lsm_audit.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> NOTE: adding Steve Grubb and the audit mailing list to the CC line
>>
>> Like it or not, I believe the general standard/convention when it
>> comes to things like this is to leave off the "0x" prefix; the idea
>> being that it saves precious space in the audit logs and the value is
>> only ever going to be in hex anyway.
>
> We normally like the 0x prefix on anything that is hex so that strtoul can
> figure it out itself. And since AVCs should in theory be rare or occasional,
> log space is not a concern.
>
> That said, what is this ioctlcmd field name? Is this the ioctl number? As in
> syscall arg a1? If so, it should be hooked up to the interpretation for that.
>
> Also, we have a field dictionary with some basic info about each field used in
> audit events:
>
> http://people.redhat.com/sgrubb/audit/field-dictionary.txt

Correction, that file now lives at the link below; the file on Steve's people page is deprecated.

https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv

> This is important so that people don't make up new ones that do the same
> thing. The ioctlcmd field name should be recorded. Are there more that need
> documenting?

Steve/William, one of you want to send a patch/PR for the field dictionary?

--
paul moore
security @ redhat
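A small C illustration of the base-detection point Steve raises, added here and not part of the thread or of the kernel patch: an audit consumer that pulls the ioctlcmd= field out of an AVC record and parses it with strtoul() base 0, which is what lets the "0x" prefix make the base self-describing. The parser name, its shape and the record lines are my own constructions, not the kernel's or audit-userspace's code.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Locate "key=" at a token boundary in an audit record and parse its value with
 * strtoul() base 0, which infers the base from the text ("0x" hex, leading "0"
 * octal, otherwise decimal). Returns 0 and stores the value in *out, or -1 if
 * the key is absent or the value does not parse cleanly up to the next space. */
int parse_audit_field_ul(const char *record, const char *key, unsigned long *out)
{
    size_t klen = strlen(key);
    const char *p = record;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == record || p[-1] == ' ') && p[klen] == '=')
            break;
        p += klen;
    }
    if (p == NULL)
        return -1;
    const char *val = p + klen + 1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(val, &end, 0);
    if (end == val || errno != 0 || (*end != '\0' && *end != ' '))
        return -1;
    *out = v;
    return 0;
}

/* ioctlcmd value of a record, or ULONG_MAX when missing or unparseable. */
unsigned long ioctlcmd_of(const char *record)
{
    unsigned long v;
    return parse_audit_field_ul(record, "ioctlcmd", &v) == 0 ? v : ULONG_MAX;
}

/* Constructed AVC records (not real log lines): the same ioctl command, 0x1234,
 * as printed before the patch (no prefix) and after it. */
static const char *OLD_RECORD = "type=AVC msg=audit(1468612740.123:456): avc: denied "
    "{ ioctl } for pid=1000 comm=\"app\" ioctlcmd=1234 tclass=chr_file permissive=0";
static const char *NEW_RECORD = "type=AVC msg=audit(1468612740.123:457): avc: denied "
    "{ ioctl } for pid=1000 comm=\"app\" ioctlcmd=0x1234 tclass=chr_file permissive=0";
int main(void)
{
    /* Old form is misread as decimal 1234; new form parses as 0x1234 == 4660. */
    printf("old -> %lu, new -> %lu\n", ioctlcmd_of(OLD_RECORD), ioctlcmd_of(NEW_RECORD));
    return 0;
}
```

A value with hex letters and no prefix (for instance ioctlcmd=c0045878) does not parse at all under base 0, so a consumer relying on self-describing numbers silently loses the field rather than misreading it.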