commands in hex vs ASCII

Kevin Brown kmbrown at gmail.com
Tue Oct 4 14:13:06 UTC 2016


Thanks for the responses so far

On Tuesday, October 4, 2016, William Roberts <bill.c.roberts at gmail.com>
wrote:

> You don't always need local access, I look at a lot of logs from systems I
> don't have access to, and I just decode them using python. I use the snippet
> from here to do it:
> http://stackoverflow.com/questions/9641440/convert-from-ascii-string-encoded-in-hex-to-plain-ascii
>
> It might not be ideal, I have simple needs. IIUC, ausearch also takes input
> from stdin, so you could cat raw log data you collected and use it on the
> other machine. I have some vague recollection of doing this years ago for
> Android, and it all worked as advertised.
>
>
>
> On Tue, Oct 4, 2016 at 10:00 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> > Hello,
> >
> > On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
> >> Is there an option within auditd to set whether commands are stored as
> >> hex vs ASCII?
> >
> > No.
> >
> >> With the prevalence of SIEM these days, seems easier to keep the
> >> commands as ASCII and not presume a person needs to have access to a
> >> local system to run ausearch.
> >>
> >> Have gone through the documentation but didn't see an answer.
> >
> > This is a design decision from way back around 2005. The problem is that
> > a user can control certain things. If they want to evade detection or
> > throw off naive analysis, then they can do log injection attacks by using
> > spaces, legal field names, and carriage returns in fields controlled by
> > the user. Simple parsers will be tricked.
> >
> > There is some work currently going on wrt formatting output differently.
> > In a way I'd rather see some plugins created using libauparse that present
> > the information to the SIEM in a format that it won't naively parse.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
> --
> Respectfully,
>
> William C Roberts
>
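The decoding William describes and the per-field handling Steve's answer calls for, as an added example that is not code from the thread or from the audit project; the records, timestamps and the field list are constructed for illustration and mirror what ausearch -i does rather than reuse its code:

```python
import re
# Constructed sample records in auditd's raw format (not from the thread).
# The kernel hex-encodes a string field whenever it contains a space, a
# double quote or a control character; otherwise the value is quoted.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1475589186.123:4567): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55d1e8f4a2f0 comm="ls" exe="/bin/ls" key="exec"',
    'type=EXECVE msg=audit(1475589186.123:4567): argc=2 a0="ls" a1=612062',
    'type=PROCTITLE msg=audit(1475589186.123:4567): '
    'proctitle=2F62696E2F6C73002D6C002F746D70',
]

# Only fields carrying untrusted strings are ever hex-encoded. Numeric fields
# (syscall=59) and SYSCALL register arguments (a0=55d1e8f4a2f0) look like valid
# hex but must not be decoded, so the decision is made per record type and
# field name, as ausearch -i does. (Field list is a constructed subset.)
ENCODABLE = {"proctitle", "comm", "exe", "cwd", "name", "key", "acct", "cmd"}
ARG_FIELD = re.compile(r"^a\d+(\[\d+\])?$")     # a0, a1, a2[0] ... in EXECVE
HEX_VALUE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def is_encodable(rec_type: str, key: str) -> bool:
    if ARG_FIELD.match(key):                   # argv strings only in EXECVE
        return rec_type == "EXECVE"
    return key in ENCODABLE

def decode_field(rec_type: str, key: str, value: str) -> str:
    """Return the plain-text form of one key=value pair."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]                     # quoted: already plain ASCII
    if is_encodable(rec_type, key) and HEX_VALUE.match(value):
        # proctitle and argv entries separate arguments with NUL bytes;
        # render them as spaces, the way ausearch -i does
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    return value                               # numeric / enumerated field

def parse_record(line: str) -> dict:
    """Split one raw audit record into a dict of decoded fields.

    Splitting on whitespace is safe because any value containing a space was
    hex-encoded by the kernel; the decoded text is kept as one value and never
    re-tokenised, so 'key=value' text inside a process title cannot inject fields.
    """
    tokens = line.split()
    rec_type = tokens[0].partition("=")[2] if tokens else ""
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = decode_field(rec_type, key, value)
    return fields
```

Feed it raw lines from a shipped audit.log and the result is ready for a SIEM without a local ausearch; any field you add to the parser should be decoded by name, never by "looks like hex".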