lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 2 Apr 2014 14:52:50 -0400
From:	Richard Guy Briggs <rgb@...hat.com>
To:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:	Eric Paris <eparis@...hat.com>, Steve Grubb <sgrubb@...hat.com>,
	linux-audit@...hat.com, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-ima-user <linux-ima-user@...ts.sourceforge.net>
Subject: oraphaned keywords in audit log text [was: Re: [PATCH] integrity:
 get comm using lock to avoid race in string] printing

On 14/04/02, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote: 
> > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> > > > Hello Mimi,
> > > > 
> > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > > > Pass commname via get_task_comm()".
> > > > 
> > > > While I was looking at Richard's patch, I noticed a few places where cause and 
> > > > op are logged and the string isn't tied together with a _ or -. These are in 
> > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> > > > these fixed upstream? Or should a patch be made?
> > > 
> > > Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> > > making the changes in integrity_audit.c: integrity_audit_msg().

That function could massage incoming text fields and convert spaces to
hyphens or underscores, but I'd assume the right place to do it would be
in the original text.  If you suggest the former, it could just be done
in audit_log_string(), but then grepping the source for error messages
would not be nearly as useful.  Is this what you were suggesting?

> > The question is actually, do you know of anyone who is expecting the
> > space, instead of a more 'audit standard' - or _ ?  If not, we'll change
> > it.  If so, we'll discuss more   :)
> 
> CC'ing linux-ima-user as well.

Thanks.

> Mimi

- RGB

--
Richard Guy Briggs <rbriggs@...hat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ