Re: Question about the a[[:digit:]+]\[.*\] fields

On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: Sorry for the delay in responding, but yes, that is mostly correct. If there is an argument that spills across the boundary of a single EXECVE record, either due to an exceptionally large size, or little room remaining in the existing record, an argument length field is added to the record (a2_len=x) and the argument value is spilt and indexed (a2[0]=x ... a[n]=x). The relevant code in the kernel just changed over the past few weeks to correct some problems, so there are some subtle differences between old code and what you will find in Linus' tree at the moment, but none of those changes should affect the regex you've described. It is correct if the argument spills across a single EXECVE record boundary, but since the index (the number between the square brackets) is not optional it would fail for the more common, single EXECVE record case. You could also argue that the string match inside the square brackets should only match on a string of digits, but technically what is there does work. The kernel generates the EXECVE record in kernel/auditsc.c:audit_log_execve_info() and you can find a test for for the EXECVE record in the audit-testsuite (exec_execve). * https://github.com/linux-audit/audit-testsuite -- paul moore www.paul-moore.com