All,

 

We’re working with Docker and podman, and I’m working on parsing the audit data we get to flag prohibited and missing command options based on STIG guidelines.   I normally extract the proctitle from the raw auditd data , but these commands are very long with sometimes 23 or more command line parameters ,  and I noticed that all of the auditd proctitle data for the lengthier commands is being cut off at 128 characters.

 

I’m bringing this up  for two reasons:  

 

     One,  not everyone working with this data may realize that there seems to be a character limit, 

     and second, if this is by chance a bug as opposed to intentional,  then I’m hoping we can get a fix cooking for it?

 

In the meantime,  I may be able to work around this by piecing together the full command from the “a#= “  fields, but it would be much easier if proctitle wasn’t cut off after 128 chars. 

 

Thanks, any info you can share would be much appreciated,

 

Karen Wieprecht