Re: 128 Character limit on proctitle field?
On Friday, September 15, 2023 12:15:12 PM EDT Wieprecht, Karen M. wrote:
We're working with Docker and podman, and I'm working on
parsing the audit
data we get to flag prohibited and missing command options based on STIG
guidelines. I normally extract the proctitle from the raw auditd data ,
but these commands are very long with sometimes 23 or more command line
parameters , and I noticed that all of the auditd proctitle data for the
lengthier commands is being cut off at 128 characters.
The proctitle event commit message explains why it was created:
https://listman.redhat.com/archives/linux-audit/2014-February/008778.html
The comm field is only 16 characters long. So, it tries to capture the first
128 bytes so that at least android comm fields can be deduced since they are
almost always larger than 16 bytes.
I'm bringing this up for two reasons:
One, not everyone working with this data may realize that there seems
to be a character limit, and second, if this is by chance a bug as opposed
to intentional, then I'm hoping we can get a fix cooking for it?
The record that contains all of the command line is the execve record. It has
all parameters even if it's 10,000. So, you may want to try auditing by exec
of specific applications to get everything.
Also, as mentioned in the commit, proctitle is based off of comm. This can be
controlled by user space to misdirect attention by spoof the program name.
In the meantime, I may be able to work around this by piecing
together the
full command from the "a#= " fields, but it would be much easier if
proctitle wasn't cut off after 128 chars.
Thanks, any info you can share would be much appreciated,
This was intentional. There was a long discussion of this in January and
February of 2014 if you want more background.
-Steve