Question about the a[[:digit:]+]\[.*\] fields

Paul Moore paul at paul-moore.com
Mon Aug 8 13:03:50 UTC 2016 

On Mon, Aug 8, 2016 at 8:01 AM, Mateusz Piotrowski <0mp at freebsd.org> wrote:
> On 07 Aug 2016, at 20:51, Paul Moore <paul at paul-moore.com> wrote:
>
>> On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>>> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>>>> Hello,
>>>>
>>>> According to the field dictionary[1] there are fields which names are
>>>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>>>
>>>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>>>> doesn't fit the regex which seems to require a pair of square brackets (so
>>>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>>>> Linux Audit source code.
>>>
>>> I think you have to have aurguments that are larger than the audit record
>>> limit and so many arguments that you have multiple execve records to contain
>>> them all.
>>
>> Sorry for the delay in responding, but yes, that is mostly correct.
>> If there is an argument that spills across the boundary of a single
>> EXECVE record, either due to an exceptionally large size, or little
>> room remaining in the existing record, an argument length field is
>> added to the record (a2_len=x) and the argument value is spilt and
>> indexed (a2[0]=x ... a[n]=x).
>
> Could you please correct me if I am wrong? From what I understand
> (based on kernel/auditsc.c:audit_log_single_execve_arg()[2]) a
> correct set of fields could possibly look like this:
>
>     a4_len=4 a4[0]=a a4[1]=n a4[2]=i a4[3]=a

That is correct, assuming that the a4_len and a4[0] field occur in one
record, a[1] in a second, a[2] in a third, and so on.  You should
never see aX[n] and aX[n+1] in a single record, if you, it's a bug :)

> as long as there are no unprintable control ascii characters (otherwise
> the a4_len field's value would be 8 as every character is printed in hex).
>
> How about the "a[[:digit:]+]_len" fields (for example a4_len)?
> Are they synonymous with the len field[1]?

The len field gets used for a lot of things, but for understanding
individual argument lengths, you should pay attention to the aX_len
field (when present).

>> The relevant code in the kernel just changed over the past few weeks
>> to correct some problems, so there are some subtle differences between
>> old code and what you will find in Linus' tree at the moment, but none
>> of those changes should affect the regex you've described.
>
> I'd appreciate if you could point me to a web server where I can download
> the kernel's source code you write about. I do not deal with Linux Kernel
> source code on daily basis and search engines don't produce obvious results.

When in doubt, Google is generally very helpful, but here is a link:

 * https://www.kernel.org

-- 
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list