SELinux Mailing List
Re: [RFC][PATCH] collect security labels on user processes generating audit messages
From: Linda Knippers <linda.knippers_at_hp.com>
Date: Wed, 15 Feb 2006 12:17:56 -0500
>>Amy submitted a patch a while back to eliminate the "name=" field
>>to avoid "name=(null)" from the audit records if there was no name
>>but I don't think the patch went anywhere.
>
> Right. I want all audit fields to have name=value. If we have %s in the
> message and pass NULL to it, snprintf is already going to put "(null)" so
> what's wrong with just using this precedent?

The problem is that "(null)" is a valid file name.

[ljk@cert-e2 ~]$ touch "(null)"
[ljk@cert-e2 ~]$ ls -l "(null)"
-rw-rw-r-- 1 ljk ljk 0 Feb 17 11:14 (null)

When I look at audit records generated by those commands I see records like this:
type=SYSCALL msg=audit(1140192875.311:3789): arch=c000003e syscall=132
success=yes exit=0 a0=7fbffffc51 a1=0 a2=1b6 a3=0 items=1 pid=2116
auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501
fsgid=501 comm="touch" exe="/bin/touch"
How can I tell from the audit records that the file name was "(null)" vs. having "(null)" manufactured by the audit system?
>>It looks like there's a new case (for tty) where "(none)" is used.
>
> Yes for the same reason.
>
>>It would be nice to avoid having this in the audit records, especially
>>in this case where the value might never be set on a particular system.
>
> It creates parsing problems without a value. If I saw "tty=" and that's all,
> I'd think the audit system malfunctioned and file a bugzilla. I don't want
> that.
>
> -Steve

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Wed 15 Feb 2006 - 12:20:19 EST
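The parsing ambiguity raised in the message above, as an added illustration that is not code from the thread or from the Linux audit project: a small consumer that splits audit records into key=value fields and flags any bare value that equals one of the placeholder strings ("(null)", "(none)") the thread mentions, so an analyst sees which fields cannot be trusted to carry a real value. `format_naive` emulates the producer behaviour Steve describes (NULL printed through %s); `format_quoted` is a hypothetical alternative producer, an assumption made for this example only, that double-quotes genuine values so a file really named "(null)" stays distinguishable. The SYSCALL record is the one quoted in the message; the PATH record prefix is constructed.

```python
import re

# Placeholder strings the thread says the audit producer emits for an absent
# value: snprintf prints "(null)" for a NULL %s argument, and "(none)" marks
# a missing tty.
PLACEHOLDERS = ("(null)", "(none)")

# One key=value field: the value is either a double-quoted string (escapes
# allowed) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The SYSCALL record from the message above, joined onto one line.
SYSCALL_RECORD = (
    "type=SYSCALL msg=audit(1140192875.311:3789): arch=c000003e syscall=132 "
    "success=yes exit=0 a0=7fbffffc51 a1=0 a2=1b6 a3=0 items=1 pid=2116 "
    "auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 "
    "fsgid=501 comm=\"touch\" exe=\"/bin/touch\""
)

# Constructed prefix for a PATH record (not from the message), used below to
# build the two records that Linda's question is about.
PATH_PREFIX = "type=PATH msg=audit(1140192875.311:3789): item=0 "


def format_naive(key, value):
    """Emulate the producer behaviour Steve describes: always key=value, and a
    NULL pointer printed through %s comes out as the literal text (null)."""
    return "%s=%s" % (key, "(null)" if value is None else value)


def format_quoted(key, value):
    """Hypothetical producer (an assumption for this example, not the audit
    code's behaviour) that keeps the bare placeholder for an absent value but
    double-quotes any real value, so a file actually named (null) is emitted
    as name="(null)" and stays distinguishable from name=(null)."""
    if value is None:
        return "%s=(null)" % key
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '%s="%s"' % (key, escaped)


def parse_record(line):
    """Split one audit record line into {key: (value, was_quoted)}."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
        value = re.sub(r"\\(.)", r"\1", raw[1:-1]) if quoted else raw
        fields[key] = (value, quoted)
    return fields


def ambiguous_fields(fields):
    """Keys whose bare (unquoted) value is one of the placeholders. For these
    the consumer cannot tell a genuine value from an absent one, which is the
    problem the message above points out."""
    return [k for k, (v, quoted) in fields.items()
            if not quoted and v in PLACEHOLDERS]


def collision_demo():
    """Format the name field for a missing name and for a file literally
    named (null) with both producers; returns the four strings for comparison."""
    naive_missing = format_naive("name", None)
    naive_literal = format_naive("name", "(null)")
    quoted_missing = format_quoted("name", None)
    quoted_literal = format_quoted("name", "(null)")
    return naive_missing, naive_literal, quoted_missing, quoted_literal


if __name__ == "__main__":
    nm, nl, qm, ql = collision_demo()
    print("naive producer:  %r vs %r -> identical: %s" % (nm, nl, nm == nl))
    print("quoted producer: %r vs %r -> identical: %s" % (qm, ql, qm == ql))
    for label, rec in (("syscall", SYSCALL_RECORD),
                       ("path/naive", PATH_PREFIX + nl),
                       ("path/quoted", PATH_PREFIX + ql)):
        print(label, "ambiguous fields:", ambiguous_fields(parse_record(rec)))
```

Run as a script it prints the naive producer's two identical `name=(null)` fields and then the records' ambiguous-field lists; `ambiguous_fields` is the check a log consumer would keep, since it is the consumer, not the producer, that has to decide whether `name=(null)` means "no name" or a file with that name.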