On Monday 17 September 2007 12:50:16 Matthew Booth wrote:
> Firstly, on RHEL4 U5, I've noticed that if an argument has spaces in it,
> it won't be pretty printed in the EXECVE record. Is that a feature?
Yes. Any field originating in something that a user can alter is escaped when
one of several characters is found in the field.
> Secondly, I noticed that the sequence of messages is:
> SYSCALL
> EXECVE
> CWD
> PATH
> I'm considering expanding argv[0] of EXECVE to be an absolute path.
> However, that would mean either buffering things or moving EXECVE after
> the PATH record. Would that break any contract, or reasonable
> expectations that anyone's aware of?
They come out in the order the kernel creates them. I don't think anything in
the audit package cares about that ordering. It buffers an event at a time in
ausearch and aureport.
-Steve
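To make both answers concrete, here is an added example (my own code, not part of the thread or of the audit package) that decodes the hex-escaped EXECVE arguments Steve describes and buffers records per event serial so the SYSCALL/EXECVE/CWD/PATH order is irrelevant to the consumer. The sample log lines are constructed; the list of string fields eligible for hex decoding is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample event (not from the thread): execve of /bin/grep with an
# argument containing a space, so the kernel hex-encodes a2 instead of quoting
# it. The four records are deliberately out of their usual order.
SAMPLE_LOG = """\
type=PATH msg=audit(1190033416.315:1042): item=0 name="/bin/grep" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0
type=CWD msg=audit(1190033416.315:1042):  cwd="/home/matt"
type=EXECVE msg=audit(1190033416.315:1042): argc=3 a0="grep" a1="-r" a2=68656C6C6F20776F726C64
type=SYSCALL msg=audit(1190033416.315:1042): arch=c000003e syscall=59 success=yes exit=0 pid=4321 uid=500 comm="grep" exe="/bin/grep"
"""

HDR_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
# Assumed set of fields whose values are user-controlled strings and may be
# hex-escaped; numeric fields such as arch or inode are never decoded.
STRING_FIELDS = re.compile(r'^(a\d+|cwd|name|comm|exe|key)$')

def unescape(name, value):
    """Decode one field: a quoted value is used verbatim; an unquoted run of hex
    digits in a string field is the kernel's escaping of a value that held a
    space, a double quote or a non-printable byte."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if STRING_FIELDS.match(name) and HEX_RE.match(value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_record(line):
    """Split one audit line into (record type, event serial, decoded fields)."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    fields = {k: unescape(k, v) for k, v in FIELD_RE.findall(m.group('body'))}
    return m.group('type'), int(m.group('serial')), fields

def group_events(log_text):
    """Buffer records per serial number, the way ausearch/aureport handle one
    event at a time, so the order SYSCALL/EXECVE/CWD/PATH arrive in is irrelevant."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial][rtype] = fields
    return dict(events)

def execve_argv(event):
    """Rebuild argv from the EXECVE record; argc gives the number of aN fields."""
    ex = event['EXECVE']
    return [ex['a%d' % i] for i in range(int(ex['argc']))]
```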