Re: [systemd-devel] parsing audit messages

2015-04-14 Thread Zbigniew Jędrzejewski-Szmek
On Thu, Apr 02, 2015 at 11:01:08AM +0200, Lennart Poettering wrote:
> On Thu, 26.03.15 13:56, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> 
> > On Thu, Mar 26, 2015 at 09:42:45AM +0100, Lennart Poettering wrote:
> > > On Sun, 15.03.15 03:51, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> > > 
> > > > On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > > > > Hi,
> > > > > 
> > > > > I was looking at some debug logs, and the audit messages are
> > > > > semi-useless in their current undecoded form:
> > > > > 
> > > > > mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
> > > > > mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> > > > > 
> > > > > You added code to parse this, and I think we should make use of it and
> > > > > put msg= field as MESSAGE=, and maybe store the original message as
> > > > > _AUDIT= or something. If there's no msg field, like with proctitle,
> > > > > print all fields that are in the message, but using our cescape, and
> > > > > not this hexadecimal form which is unreadable for humans.
> > > > 
> > > > I think we should also translate type= to names...
> > > > 
> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html
> > > 
> > > Well, we don't translate MESSAGE_ID fields to strings either...
> > 
> > Here the mapping is stable, and maintained in one place... I think it's more
> > like dns TYPE field, completely reversible, than MESSAGE_IDs.
> 
> I think generating a translation table automatically from the headers
> like we do for input keys should be OK.

Attached patches do that, please have a look.

Zbyszek
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] parsing audit messages

2015-04-02 Thread Lennart Poettering
On Thu, 26.03.15 13:56, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

> On Thu, Mar 26, 2015 at 09:42:45AM +0100, Lennart Poettering wrote:
> > On Sun, 15.03.15 03:51, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> > 
> > > On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > > > Hi,
> > > > 
> > > > I was looking at some debug logs, and the audit messages are
> > > > semi-useless in their current undecoded form:
> > > > 
> > > > mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
> > > > mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> > > > 
> > > > You added code to parse this, and I think we should make use of it and
> > > > put msg= field as MESSAGE=, and maybe store the original message as
> > > > _AUDIT= or something. If there's no msg field, like with proctitle,
> > > > print all fields that are in the message, but using our cescape, and
> > > > not this hexadecimal form which is unreadable for humans.
> > > 
> > > I think we should also translate type= to names...
> > > 
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html
> > 
> > Well, we don't translate MESSAGE_ID fields to strings either...
> 
> Here the mapping is stable, and maintained in one place... I think it's more
> like dns TYPE field, completely reversible, than MESSAGE_IDs.

I think generating a translation table automatically from the headers
like we do for input keys should be OK.

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] parsing audit messages

2015-03-26 Thread Lennart Poettering
On Sun, 15.03.15 03:51, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

> On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > Hi,
> > 
> > I was looking at some debug logs, and the audit messages are
> > semi-useless in their current undecoded form:
> > 
> > mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
> > mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> > 
> > You added code to parse this, and I think we should make use of it and
> > put msg= field as MESSAGE=, and maybe store the original message as
> > _AUDIT= or something. If there's no msg field, like with proctitle,
> > print all fields that are in the message, but using our cescape, and
> > not this hexadecimal form which is unreadable for humans.
> 
> I think we should also translate type= to names...
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html

Well, we don't translate MESSAGE_ID fields to strings either...

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] parsing audit messages

2015-03-26 Thread Lennart Poettering
On Sun, 15.03.15 03:49, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

> Hi,
> 
> I was looking at some debug logs, and the audit messages are
> semi-useless in their current undecoded form:
> 
> mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
> mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> 
> You added code to parse this, and I think we should make use of it and
> put msg= field as MESSAGE=, and maybe store the original message as
> _AUDIT= or something. If there's no msg field, like with proctitle,
> print all fields that are in the message, but using our cescape, and
> not this hexadecimal form which is unreadable for humans.
> 
> Thoughts?

Well msg= is just where they place the userspace message, if it is a
userspace generated message. It is little more than a separator
between the kernel generated and userspace generated parts of the
message. The userspace message is generally not more or less human
readable than the whole message I fear...

I am all for making the audit parsing logic smarter, but I don't see
how that's possible, the kernel generated format is a complete
disaster, the people who wrote that had no concept at all of computer
security, and it's impossible to parse fully correctly without
heuristics.

For example, if we encounter proctitle=41 in the message, we simply
don't know whether this is actually a process called 41, or just the
hex encoded process name A... The formatting is not reversible. It's
complete rubbish.

It's an embarrassment for the kernel community that a technology like
audit -- that is supposed to improve security -- is so vulnerable to the
most trivial script-kiddy attacks!

I am not sure we can do much about this really...

Lennart

-- 
Lennart Poettering, Red Hat
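An added example, not code from the thread or from systemd, that applies the kind of heuristic Lennart says is unavoidable: it decodes the two records quoted above, names the type numbers as Zbyszek proposes, and uses the kernel's own rule for when a value gets hex-encoded to decide between the hex and the literal reading of a field. The type table and UNTRUSTED_FIELDS are assumptions of the example, limited to what the thread shows.

```python
import re

AUDIT_TYPE_NAMES = {1130: "SERVICE_START", 1327: "PROCTITLE"}  # from linux/audit.h
# Fields the kernel logs as "untrusted strings" (may be hex); partial list, assumed here.
UNTRUSTED_FIELDS = {"proctitle", "comm", "exe", "cwd", "name"}
RECORD_RE = re.compile(r"audit-(\d+)\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def needs_encoding(data: bytes) -> bool:
    # Rule of the kernel's audit_string_contains_control(): a value holding a
    # double quote, a byte below 0x21 or a byte above 0x7e is logged as hex.
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in data)

def cescape(data: bytes) -> str:
    # Readable C-style escaping (\0, \xNN) instead of a hex blob.
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\0" if b == 0 else "\\x%02x" % b
                   for b in data)

def decode_value(key: str, value: str):
    """Return (text, ambiguous). An untrusted field that looks like hex is decoded
    only when the bytes would have needed encoding; both readings are then valid
    (2020: two spaces or literally "2020"). 41 -> "A" needs none, so "41" is literal."""
    if len(value) >= 2 and value[0] == value[-1] == "'":
        return value[1:-1], False
    if key in UNTRUSTED_FIELDS and HEX_RE.match(value):
        raw = bytes.fromhex(value)
        if needs_encoding(raw):
            return cescape(raw), True
    return value, False

def parse_record(line: str) -> dict:
    """Parse one journald-style audit line: type name, decoded fields, heuristic hits."""
    m = RECORD_RE.search(line)
    if not m: raise ValueError("not an audit record: %r" % line)
    num = int(m.group(1))
    rec = {"type": AUDIT_TYPE_NAMES.get(num, "UNKNOWN[%d]" % num), "fields": {}, "ambiguous": []}
    for key, value in FIELD_RE.findall(m.group(2)):
        rec["fields"][key], ambiguous = decode_value(key, value)
        if ambiguous:
            rec["ambiguous"].append(key)
    return rec

SAMPLE = [  # constructed from the two records quoted in the thread
    "mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger "
    "comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'",
    "mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265"
    "002D71002D2D0069707461626C655F7365637572697479",
]
```

The `ambiguous` list is the part worth surfacing to a consumer: it marks exactly the fields whose readable form rests on trusting the kernel's encoding rule rather than on the record itself.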


Re: [systemd-devel] parsing audit messages

2015-03-26 Thread Zbigniew Jędrzejewski-Szmek
On Thu, Mar 26, 2015 at 09:42:45AM +0100, Lennart Poettering wrote:
> On Sun, 15.03.15 03:51, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> 
> > On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > > Hi,
> > > 
> > > I was looking at some debug logs, and the audit messages are
> > > semi-useless in their current undecoded form:
> > > 
> > > mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
> > > mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> > > 
> > > You added code to parse this, and I think we should make use of it and
> > > put msg= field as MESSAGE=, and maybe store the original message as
> > > _AUDIT= or something. If there's no msg field, like with proctitle,
> > > print all fields that are in the message, but using our cescape, and
> > > not this hexadecimal form which is unreadable for humans.
> > 
> > I think we should also translate type= to names...
> > 
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html
> 
> Well, we don't translate MESSAGE_ID fields to strings either...

Here the mapping is stable, and maintained in one place... I think it's more
like dns TYPE field, completely reversible, than MESSAGE_IDs.

I see your point about the format being too messy to parse
reliably. OTOH, currently, what we log is much harder to use than the
standard audit logs. Dunno.

Zbyszek



Re: [systemd-devel] parsing audit messages

2015-03-16 Thread David Herrmann
Hi

On Sun, Mar 15, 2015 at 3:49 AM, Zbigniew Jędrzejewski-Szmek
zbys...@in.waw.pl wrote:
> Hi,
>
> I was looking at some debug logs, and the audit messages are
> semi-useless in their current undecoded form:
>
> mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
> mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
>
> You added code to parse this, and I think we should make use of it and
> put msg= field as MESSAGE=, and maybe store the original message as
> _AUDIT= or something. If there's no msg field, like with proctitle,
> print all fields that are in the message, but using our cescape, and
> not this hexadecimal form which is unreadable for humans.

Audit messages cannot be parsed reliably. They don't do escaping and
it's really a big mess. I'm not saying we shouldn't try it, but just
as a heads-up, this might cause some troubles.

Thanks
David


Re: [systemd-devel] parsing audit messages

2015-03-16 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Mar 16, 2015 at 06:33:39PM +0100, David Herrmann wrote:
> Hi
> 
> On Sun, Mar 15, 2015 at 3:49 AM, Zbigniew Jędrzejewski-Szmek
> zbys...@in.waw.pl wrote:
> > Hi,
> >
> > I was looking at some debug logs, and the audit messages are
> > semi-useless in their current undecoded form:
> >
> > mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
> > mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> >
> > You added code to parse this, and I think we should make use of it and
> > put msg= field as MESSAGE=, and maybe store the original message as
> > _AUDIT= or something. If there's no msg field, like with proctitle,
> > print all fields that are in the message, but using our cescape, and
> > not this hexadecimal form which is unreadable for humans.
> 
> Audit messages cannot be parsed reliably. They don't do escaping and
> it's really a big mess. I'm not saying we shouldn't try it, but just
> as a heads-up, this might cause some troubles.

Lennart already implemented parsing. I'm sure it's not perfect, but it doesn't
really have to be. If we can parse the most common messages then it would already
be a big improvement.

Zbyszek


Re: [systemd-devel] parsing audit messages

2015-03-14 Thread Zbigniew Jędrzejewski-Szmek
On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> Hi,
> 
> I was looking at some debug logs, and the audit messages are
> semi-useless in their current undecoded form:
> 
> mar 14 22:24:02 fedora22 audit[1]: audit-1130 pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
> mar 14 22:24:05 fedora22 audit: audit-1327 proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> 
> You added code to parse this, and I think we should make use of it and
> put msg= field as MESSAGE=, and maybe store the original message as
> _AUDIT= or something. If there's no msg field, like with proctitle,
> print all fields that are in the message, but using our cescape, and
> not this hexadecimal form which is unreadable for humans.

I think we should also translate type= to names...

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html

Zbyszek