Problems with command args
Smith, Gary R
gary.smith at pnl.gov
Thu Sep 16 17:03:18 UTC 2010
Hi Jure,
Presuming you've captured the audit records you're interested in, in a file named snorf, you could do something like this:
cat snorf | awk -F\= '{print $8 "0A"}' | xxd -r -p
In the example you had in the email, arg4 turns out to be: strbegins(thread_id,"thread_id=2369892f")
Best regards,
Gary Smith
From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On Behalf Of Jure Simsic
Sent: Thursday, September 16, 2010 12:47 AM
To: linux-audit at redhat.com
Subject: Problems with command args
Hi
I need to audit some specific commands which have the following form:
cmd -arg1 -arg2 -query 'some query("args")'
In the audit log I get a record like:
type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-arg1" argv[2]="-arg2" argv[3]="-query" argv[4]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229
Now, I'd really need to get the last query argument in an understandable form. Is this possible or is this the way it is and I can't do it?
Thanks
Jure
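The awk | xxd one-liner above decodes a single field by position. As an added example (not part of the original thread), here is a small Python parser for the EXECVE record quoted in the question: auditd emits an argv value in double quotes when it is plain, and as a bare run of hex digits when it contains quotes, spaces or non-printable bytes, so the parser tells the two forms apart by shape rather than by field number. The record below is the one from the question, embedded as constructed sample input.

```python
import re

# Constructed sample: the EXECVE record quoted in the question above.
# auditd hex-encodes an argv value when it contains quotes, whitespace
# or non-printable characters, which is why argv[4] is not quoted here.
SAMPLE_RECORD = (
    'type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-arg1" '
    'argv[2]="-arg2" argv[3]="-query" '
    'argv[4]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229'
)

# Quoted value -> "..." ; hex-encoded value -> bare run of hex digits.
# A quoted value can never contain a double quote (it would have been hex-encoded).
ARGV_RE = re.compile(r'argv\[(\d+)\]=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def decode_value(quoted, hexstr):
    """Return the plain-text form of one argv value."""
    if quoted is not None:
        return quoted
    # An odd-length hex run means the record was truncated; fail loudly rather than guess.
    if len(hexstr) % 2:
        raise ValueError("truncated hex-encoded argv value: %s" % hexstr)
    # errors='replace' keeps the decoder alive if an argument carried raw binary.
    return bytes.fromhex(hexstr).decode("utf-8", errors="replace")


def parse_execve_argv(record):
    """Return the argv list of one type=EXECVE audit record with hex values decoded."""
    if "type=EXECVE" not in record:
        raise ValueError("not an EXECVE record")
    args = {}
    for m in ARGV_RE.finditer(record):
        idx, quoted, hexstr = m.groups()
        args[int(idx)] = decode_value(quoted, hexstr)
    # argv indices count up from 0; return the values in index order.
    return [args[i] for i in sorted(args)]


if __name__ == "__main__":
    for i, a in enumerate(parse_execve_argv(SAMPLE_RECORD)):
        print("argv[%d] = %s" % (i, a))
```

Running it on the sample prints argv[4] as the same strbegins(...) query Gary decoded by hand, which is the form a detection rule or log pipeline would want to match on.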