Thanks for the responses so far
On Tuesday, October 4, 2016, William Roberts <bill.c.roberts(a)gmail.com> wrote:
You don't always need local access, I look at a lot of logs from systems I don't have access to, and I just decode them using python. I use the snippet from here to do it:
http://stackoverflow.com/questions/9641440/convert-from-ascii-string-encoded-in-hex-to-plain-ascii
It might not be ideal, I have simple needs. IIUC, ausearch also takes input from stdin, so you could cat raw log data you collected and use it on the other machine. I have some vague recollection of doing this years ago for Android, and it all worked as advertised.
On Tue, Oct 4, 2016 at 10:00 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> Hello,
>
> On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
>> Is there an option within auditd to set whether commands are stored as hex vs ASCII?
>
> No.
>
>> With the prevalence of SIEM these days, seems easier to keep the commands as ASCII and not presume a person needs to have access to a local system to run ausearch.
>>
>> Have gone through the documentation but didn't see an answer.
>
> This is a design decision from way back around 2005. The problem is that a user can control certain things. If they want to evade detection or throw off naive analysis, then they can do log injection attacks by using spaces, legal field names, and carriage returns in fields controlled by the user. Simple parsers will be tricked.
>
> There is some work currently going on wrt formatting output differently. In a way I'd rather see some plugins created using libauparse that presents the information to the siem in a format that it won't naively parse.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Respectfully,
William C Roberts
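The hex decoding William does in Python and the log-injection problem Steve describes, worked through together as an added example (not code from the thread or from the audit project); the two record lines, the injected argument and the list of field names treated as hex-encoded are constructed assumptions.

```python
import binascii
import re

# Constructed attacker-controlled argv[0]: a space followed by legal-looking
# audit field names, the log-injection case described in the thread.
INJECTED_ARG = 'ls uid=0 auid=0 comm="bash"'

# Constructed EXECVE record in auditd's style. Audit hex-encodes a field that
# contains spaces, quotes or control characters and leaves other string
# values double-quoted; the hex form is what ausearch -i decodes.
HEX_RECORD = ('type=EXECVE msg=audit(1475589600.123:456): argc=1 a0='
              + binascii.hexlify(INJECTED_ARG.encode()).decode().upper())

# The same event as a logger that stored the argument verbatim would write it.
ASCII_RECORD = ('type=EXECVE msg=audit(1475589600.123:456): argc=1 a0="'
                + INJECTED_ARG + '"')

# Field names audit may hex-encode (assumed list; aN / aN[M] are EXECVE args).
ENCODED_FIELD_RE = re.compile(r'^(a\d+(\[\d+\])?|proctitle|cwd|name|comm|exe|key)$')


def naive_parse(line):
    """Whitespace-split key=value parser of the kind a SIEM might use."""
    return dict(tok.split('=', 1) for tok in line.split() if '=' in tok)


def decode_field(name, value):
    """Decode one field the way ausearch -i would: strip the quotes from a
    quoted value, hex-decode an unquoted run of hex digits, but only for
    fields that audit actually encodes (so uid=12 is never mis-decoded)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if ENCODED_FIELD_RE.match(name) and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return binascii.unhexlify(value).decode('utf-8', errors='replace')
    return value


def parse_audit_line(line):
    """naive_parse() followed by per-field decoding; with the hex record the
    injected text stays inside a0 instead of becoming fields of its own."""
    return {k: decode_field(k, v) for k, v in naive_parse(line).items()}


if __name__ == '__main__':
    print(naive_parse(ASCII_RECORD))     # 'uid', 'auid', 'comm' show up as fields
    print(parse_audit_line(HEX_RECORD))  # a0 holds the whole decoded argument
```

Running it shows the verbatim record handing the parser forged uid/auid/comm fields, while the hex-encoded record parses cleanly and decodes back to the original argument.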