Re: Question about the a[[:digit:]+]\[.*\] fields
On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
Hello,
According to the field dictionary[1] there are fields which names are
defined by the following regex: "a[[:digit:]+]\[.*\]".
I was able to find examples of fields like "a4" and "a5" (see [2])
but it
doesn't fit the regex which seems to require a pair of square brackets (so
"a4" should be "a4[]" or "a4[foo]"). I couldn't find
any reference in the
Linux Audit source code.
I think you have to have aurguments that are larger than the audit record
limit and so many arguments that you have multiple execve records to contain
them all.
Here's one reference:
https://www.redhat.com/archives/linux-audit/2007-October/msg00015.html
My questions are:
1. Is this regex valid and up-to-date? Or is it an outdated rule which
doesn't apply anymore?
Possibly. But try to generate it and see.
2. Could you suggest me where to look to see how those arguments to
the
execve syscall are handled?
Handled where? Kernel? Userspace doesn't do much with any execve argument
except decode it.
3. Could you post an example of a record with a field which fits the
regex
(assuming the regex is valid)?
The archive link above explains what was going to be added. Offhand I don't
have one of these laying around in my logs. This test might create one for
you:
https://github.com/linux-audit/audit-testsuite/tree/master/tests/exec_execve
-Steve
[1]:
https://github.com/linux-audit/audit-documentation/blob/master/specs/fields
/field-dictionary.csv#L3 [2]:
https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit