You don't always need local access. I look at a lot of logs from systems I don't have access to, and I just decode them using python. I use the snippet from here to do it:
http://stackoverflow.com/questions/9641440/convert-from-ascii-string-enco...
It might not be ideal, I have simple needs. IIUC, ausearch also takes input from stdin, so you could cat raw log data you collected and use it on the other machine. I have some vague recollection of doing this years ago for Android, and it all worked as advertised.
On Tue, Oct 4, 2016 at 10:00 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
Hello,
On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
> Is there an option within auditd to set whether commands are stored as hex
> vs ASCII?
No.
> With the prevalence of SIEM these days, seems easier to keep the commands
> as ASCII and not presume a person needs to have access to a local system to
> run ausearch.
>
> Have gone through the documentation but didn't see an answer.
This is a design decision from way back around 2005. The problem is that a user can control certain things. If they want to evade detection or throw off naive analysis, then they can do log injection attacks by using spaces, legal field names, and carriage returns in fields controlled by the user. Simple parsers will be tricked.

There is some work currently going on wrt formatting output differently. In a way I'd rather see some plugins created using libauparse that presents the information to the SIEM in a format that it won't naively parse.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Respectfully,
William C Roberts
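An added example (not code from the thread or from the audit project) covering both points above: decoding hex-encoded audit fields off-box, as William does, and why the record must be tokenised before any value is decoded, which is the log-injection concern Steve raises. The set of encodable field names and the two sample records are constructed assumptions.

```python
import re

# Fields auditd hex-encodes (unquoted) when a value holds spaces, quotes or
# control bytes; plain values arrive double-quoted. Assumed, not exhaustive.
HEX_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "key", "tty"}
ARG_RE = re.compile(r"a\d+")  # execve arguments a0, a1, ...
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def decode_value(key, raw):
    """Quoted values are plain text; an even-length run of hex digits in an
    encodable field is decoded. Anything else is returned untouched."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if ((key in HEX_FIELDS or ARG_RE.fullmatch(key))
            and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw)):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Tokenise while values are still encoded, then decode each one: bytes
    inside an encoded value can never start or terminate a field."""
    return {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}


def proctitle_argv(fields):
    """PROCTITLE joins argv with NUL bytes inside the encoding."""
    return fields["proctitle"].split("\x00")


def naive_parse(line):
    """The pitfall the thread warns about: decode every hex-looking value
    first, then split on whitespace. Injected text now poses as fields."""
    decoded = []
    for tok in line.split():
        key, _, val = tok.partition("=")
        if HEX_RE.fullmatch(val) and len(val) % 2 == 0:
            val = bytes.fromhex(val).decode("utf-8", "replace")
        decoded.append(f"{key}={val}")
    return dict(t.split("=", 1) for t in " ".join(decoded).split() if "=" in t)


# Constructed records: a1 and proctitle carry "-l uid=0", a string with a
# space and a field-like "uid=0", which the kernel therefore hex-encoded.
EXECVE = 'type=EXECVE msg=audit(1475590800.123:456): argc=2 a0="ls" a1=2D6C207569643D30'
PROCTITLE = ('type=PROCTITLE msg=audit(1475590800.123:456): '
             'proctitle=2F62696E2F6C73002D6C207569643D30')
```

With `parse_record` the injected text stays inside `a1`; with `naive_parse` the same record grows a bogus `uid` field, which is exactly the kind of SIEM misattribution the encoding is meant to prevent.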