On 2019-11-19 17:24, Tim Galyean wrote:
> Hello,
> As I understand it, long values recorded by auditd are stored as hex encoded strings.
> However, when I attempt to decode arguments such as a0 or a1 in SYSCALL events, they are
> decoded into special characters instead of ASCII. Are these values encoded differently
> than PROCTITLE events?
They are unsigned long long integers printed in hexadecimal, which is
the pointer size on 64-bit architectures. These are pointers to the
memory location containing the string, so we don't actually have the
string value.
> Below is an example log line:
> type=SYSCALL msg=audit(1574182099.559:2002): arch=c000003e syscall=59 success=yes exit=0
> a0=55df330a3c10 a1=55df330a3c78 a2=55df330a3c90 a3=0 items=3 ppid=29664 pid=29678
> auid=1171 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=170
> comm="apt-check" exe="/usr/bin/python3.5" key="rootcmd"
> In this example, I am looking to decode a0, a1, and a2. Yes, it seems that ausearch can
> decode these values. However, I am looking to decode them via Splunk. What format are
> these strings encoded in and is there a way to decode these values in any other way other
> than by using ausearch?
My understanding is that ausearch does not have access to the original
strings to decode them. The kernel does have access to the full string
at the time of the generation of the message, but does not include it in
the record format due to the lack of knowledge of every syscall format
to know which ones to decode and due to netlink bandwidth and disk
storage limits.
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
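The distinction made in the reply above, worked through in code. This is an added example written for this page, not code from the audit project or from either poster. It takes the SYSCALL line from the thread as-is, and pairs it with an EXECVE and a PROCTITLE record that are constructed here for the same event serial (the argv values are illustrative, not what the original system logged). In a SYSCALL record a0..a3 are the raw argument registers, so for execve they are userspace pointers and no decoder can recover the strings from them; the argv is in the EXECVE record of the same event, and proctitle/EXECVE/comm/exe values are either quoted (all bytes printable ASCII and no double quote) or emitted as uppercase hex of the raw bytes. The arch and syscall tables are deliberately partial; a real decoder needs the full per-architecture table (for example from `ausyscall --dump`).

```python
"""Decode auditd SYSCALL / EXECVE / PROCTITLE fields without ausearch.

Added example for this thread, not audit-project code.  The SYSCALL line is
the one posted; the EXECVE and PROCTITLE records for serial 2002 are
constructed below and their argv values are illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Partial lookup tables, enough for the sample (full tables: ausyscall --dump).
ARCH_NAMES = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}
SYSCALL_NAMES = {"x86_64": {59: "execve", 322: "execveat", 2: "open", 257: "openat"}}

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'([\w\[\]]+)=("[^"]*"|\S+)')


@dataclass
class Record:
    type: str
    ts: str
    serial: int
    fields: Dict[str, str]


def encode_field(raw: bytes) -> str:
    """Kernel rule for untrusted strings (comm, exe, proctitle, EXECVE argv):
    quoted if every byte is printable ASCII 0x21..0x7e and not '"', otherwise
    the raw bytes as uppercase hex with no quotes.  Space, NUL, '"' force hex."""
    if all(0x21 <= b <= 0x7E and b != 0x22 for b in raw):
        return '"' + raw.decode("ascii") + '"'
    return raw.hex().upper()


def field_bytes(value: str) -> bytes:
    """Inverse of encode_field, for a field that is known to hold a string."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].encode()
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value)
    return value.encode()  # placeholders such as (none) or (null)


def decode_string(value: str) -> str:
    # NUL separates argv entries inside proctitle; show it as a space like ausearch -i.
    return field_bytes(value).decode("utf-8", errors="replace").replace("\x00", " ")


def parse_record(line: str) -> Record:
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: " + line)
    fields = {k: v for k, v in FIELD_RE.findall(line) if k != "msg"}
    return Record(fields.pop("type"), m.group(1), int(m.group(2)), fields)


def decode_syscall(rec: Record) -> Dict[str, object]:
    """a0..a3 of a SYSCALL record are the argument registers printed as unsigned
    hex.  For execve they are pointers into the caller's address space, so
    treating them as hex-encoded strings (see naive_hex_decode) yields junk."""
    f = rec.fields
    arch = ARCH_NAMES.get(int(f["arch"], 16), f["arch"])
    nr = int(f["syscall"])
    return {
        "arch": arch,
        "syscall": SYSCALL_NAMES.get(arch, {}).get(nr, str(nr)),
        "args": {k: int(f[k], 16) for k in ("a0", "a1", "a2", "a3") if k in f},
        "comm": decode_string(f["comm"]),
        "exe": decode_string(f["exe"]),
        "key": decode_string(f.get("key", "(null)")),
    }


def assemble_events(lines: List[str]) -> Dict[int, Dict[str, Record]]:
    """Group records by event serial, which is how the SYSCALL record is tied
    to the EXECVE and PROCTITLE records of the same event."""
    events: Dict[int, Dict[str, Record]] = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec.serial, {})[rec.type] = rec
    return events


def execve_argv(event: Dict[str, Record]) -> Optional[List[str]]:
    """argv from the EXECVE record.  Long arguments are split into
    aN[0], aN[1], ... chunks; join the raw bytes before decoding."""
    ex = event.get("EXECVE")
    if ex is None:
        return None
    f, argv = ex.fields, []
    for i in range(int(f["argc"])):
        if f"a{i}" in f:
            argv.append(decode_string(f[f"a{i}"]))
            continue
        raw, j = b"", 0
        while f"a{i}[{j}]" in f:
            raw += field_bytes(f[f"a{i}[{j}]"])
            j += 1
        argv.append(raw.decode("utf-8", errors="replace"))
    return argv


def decode_event(lines: List[str], serial: int) -> Dict[str, object]:
    event = assemble_events(lines)[serial]
    out = decode_syscall(event["SYSCALL"])
    out["argv"] = execve_argv(event)
    pt = event.get("PROCTITLE")
    out["proctitle"] = decode_string(pt.fields["proctitle"]) if pt else None
    return out


def naive_hex_decode(value: str) -> bytes:
    """What the question did: hex-decode a SYSCALL pointer as if it were a string."""
    return bytes.fromhex(value)


# The posted SYSCALL line, plus constructed EXECVE/PROCTITLE records for serial 2002.
SYSCALL_LINE = ('type=SYSCALL msg=audit(1574182099.559:2002): arch=c000003e syscall=59 '
                'success=yes exit=0 a0=55df330a3c10 a1=55df330a3c78 a2=55df330a3c90 a3=0 '
                'items=3 ppid=29664 pid=29678 auid=1171 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
                'egid=0 sgid=0 fsgid=0 tty=(none) ses=170 comm="apt-check" '
                'exe="/usr/bin/python3.5" key="rootcmd"')
ARGV = [b"/usr/bin/python3", b"/usr/lib/update-notifier/apt-check", b"--human-readable"]
EXECVE_LINE = (f"type=EXECVE msg=audit(1574182099.559:2002): argc={len(ARGV)} "
               + " ".join(f"a{i}={encode_field(a)}" for i, a in enumerate(ARGV)))
PROCTITLE_LINE = ("type=PROCTITLE msg=audit(1574182099.559:2002): proctitle="
                  + encode_field(b"\x00".join(ARGV)))
LINES = [SYSCALL_LINE, EXECVE_LINE, PROCTITLE_LINE]

if __name__ == "__main__":
    print(decode_event(LINES, 2002))
    print(naive_hex_decode("55df330a3c10"))  # the "special characters" from the question
```

The practical rule this encodes: decide by record type and field name before touching a value. Only string fields (comm, exe, proctitle, EXECVE aN, PATH name, and the like) are ever hex-encoded; a SYSCALL a0 that happens to be an even-length run of hex digits is still a register value, and the same parsing logic ports unchanged to a Splunk field extraction or any other ingestion pipeline.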