Format of EXECVE
Steve Grubb
sgrubb at redhat.com
Mon Sep 17 18:07:52 UTC 2007
On Monday 17 September 2007 12:50:16 Matthew Booth wrote:
> Firstly, on RHEL4 U5, I've noticed that if an argument has spaces in it,
> it won't be pretty printed in the EXECVE record. Is that a feature?
Yes. Any field originating in something that a user can alter is escaped when
one of several characters is found in the field.
> Secondly, I noticed that the sequence of messages is:
> SYSCALL
> EXECVE
> CWD
> PATH
>
> I'm considering expanding argv[0] of EXECVE to be an absolute path.
> However, that would mean either buffering things or moving EXECVE after
> the PATH record. Would that break any contract, or reasonable
> expectations that anyone's aware of?
They come out in the order the kernel creates them. I don't think anything in
the audit package cares about that ordering. It buffers an event at a time in
ausearch and aureport.
-Steve
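The two points in the reply above, that untrusted fields such as EXECVE arguments are escaped (the kernel hex-encodes them, unquoted, when they contain a space, a double quote or a non-printable byte) and that consumers should group records by event serial rather than relying on their order, as a Python example added here; it is not code from this thread or from the audit package. The record lines are constructed samples in the audit log format, and the set of field keys treated as untrusted strings (`a<N>`, `name`, `cwd`, `comm`, `exe`, `proctitle`) is an assumption of this example, not a list taken from the audit source.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample records, deliberately out of kernel order, so that the
# grouping below is seen to work regardless of ordering. In event 4521 the
# argument "/tmp/my file.txt" contains a space, so it appears hex-encoded
# and unquoted, as the kernel does for any untrusted string field.
SAMPLE_RECORDS = [
    'type=PATH msg=audit(1190052472.123:4521): item=0 name="./backup.sh" inode=1234 dev=08:01 mode=0100755',
    'type=EXECVE msg=audit(1190052472.123:4521): argc=2 a0="./backup.sh" a1=2F746D702F6D792066696C652E747874',
    'type=SYSCALL msg=audit(1190052480.001:4522): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"',
    'type=CWD msg=audit(1190052472.123:4521):  cwd="/home/matthew"',
    'type=EXECVE msg=audit(1190052480.001:4522): argc=2 a0="ls" a1="-l"',
    'type=SYSCALL msg=audit(1190052472.123:4521): arch=c000003e syscall=59 success=yes exit=0 comm="backup.sh" exe="/bin/bash"',
    'type=CWD msg=audit(1190052480.001:4522):  cwd="/home/matthew"',
    'type=PATH msg=audit(1190052480.001:4522): item=0 name="/bin/ls" inode=5678 dev=08:01 mode=0100755',
]

HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Keys whose values originate from user-controlled data and may be hex-encoded
# (assumed set for this example). Numeric keys such as exit= or item= must NOT
# be hex-decoded even though "0" or "1234" look like hex digits.
UNTRUSTED_KEYS = re.compile(r'^(a\d+|name|cwd|comm|exe|proctitle)$')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')


def decode_value(key, quoted, raw):
    """Return the field value, hex-decoding unquoted untrusted strings."""
    if quoted is not None:          # quoted value: kernel found nothing to escape
        return quoted
    if UNTRUSTED_KEYS.match(key) and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw                      # numeric or enumerated field, leave as is


def parse_record(line):
    """Split one audit record into its type, event serial and decoded fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an audit record: %r' % line)
    fields = {}
    for fm in FIELD_RE.finditer(m.group('body')):
        key, quoted, raw = fm.group(1), fm.group(2), fm.group(3)
        fields[key] = decode_value(key, quoted, raw)
    return {'type': m.group('type'), 'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Bucket records by event serial; record order in the input is irrelevant."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        events[rec['serial']].append(rec)
    return dict(events)


def execve_argv(records):
    """Reassemble the decoded argv list from an event's EXECVE record."""
    for rec in records:
        if rec['type'] == 'EXECVE':
            f = rec['fields']
            return [f['a%d' % i] for i in range(int(f['argc']))]
    return None


def absolute_argv0(records):
    """Resolve the executed path (PATH item=0) against the event's CWD record."""
    cwd = next((r['fields']['cwd'] for r in records if r['type'] == 'CWD'), None)
    name = next((r['fields']['name'] for r in records
                 if r['type'] == 'PATH' and r['fields'].get('item') == '0'), None)
    if name is None:
        return None
    if posixpath.isabs(name) or cwd is None:
        return posixpath.normpath(name)
    return posixpath.normpath(posixpath.join(cwd, name))


if __name__ == '__main__':
    for serial, recs in sorted(group_events(SAMPLE_RECORDS).items()):
        print(serial, absolute_argv0(recs), execve_argv(recs))
```

Decoding is keyed on the field name rather than on whether the value looks like hex, because plain numeric fields (`exit=0`, `item=0`, `inode=1234`) would otherwise be corrupted; this is the same reason `ausearch -i` needs to know each field's type before interpreting it.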