Re: strange arguments in some EXEC audit events
On Mon, 2009-03-02 at 15:17 +0100, Nikola Ciprich wrote:
Hello,
I'd like to ask about one thing regarding audit I don't understand:
We are running auditd configured to log some syscalls (ie exec) and everything works
fine, but quite often we're getting
some strange records:
type=SYSCALL msg=audit(1236001721.608:55239): arch=c000003e syscall=59 success=yes exit=0
a0=7f1407a74653 a1=7fff1088d710 a2=12cf580 a3=7f1408884770 items=2 ppid=20278 pid=23246
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=25
comm="sh" exe="/bin/bash" subj=kernel key=(null)
type=EXECVE msg=audit(1236001721.608:55239): argc=3 a0="sh" a1="-c"
a2=66696C65202D4C202F7661722F6C6F672F61756469742F61756469742E6C6F6720323E2F6465762F6E756C6C
type=CWD msg=audit(1236001721.608:55239): cwd="/var/log/audit"
type=PATH msg=audit(1236001721.608:55239): item=0 name="/bin/sh" inode=97403
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
type=PATH msg=audit(1236001721.608:55239): item=1 name=(null) inode=63681 dev=08:01
mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
type=SYSCALL msg=audit(1236001721.609:55240): arch=c000003e syscall=59 success=yes exit=0
a0=11ee410 a1=11ee9d0 a2=11ed260 a3=0 items=2 ppid=23246 pid=23247 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=25 comm="file"
exe="/usr/bin/file" subj=kernel key=(null)
I'm not sure what
"66696C65202D4C202F7661722F6C6F672F61756469742F61756469742E6C6F6720323E2F6465762F6E756C6C"
argument might be, is it somehow encoded string? It seems to remain unchanged across
multiple events...
Could somebody shed some light on it for me?
Thanks a lot in advance!
It's a hex representation of the actual bits sent to audit. In this
case it is a string which contains the space character. Since we don't
really trust use strings when they contain non-letters we encode it like
this. This translates to "file -L /var/log/audit/audit.log 2>/dev/null"
http://www.dolcevie.com/js/converter.html does a nice easy conversion...