Auditd SYSCALL argument decoding

[Tim Galyean]

Thank you both for the additional information. This would explain why I was seeing values like, a0=0x27489e8, when I was using --interpret with ausearch. 
 

On 11/19/19, 4:34 PM, "Steve Grubb" <sgrubb at redhat.com> wrote:

    [--- This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. ---]
    
    On Tue, 19 Nov 2019 17:24:21 +0000
    Tim Galyean <tgalyean at splunk.com> wrote:
    
    > Hello,
    > 
    > As I understand it, long values recorded by auditd are stored as hex
    > encoded strings. However, when I attempt to decode arguments such as
    > a0 or a1 in SYSCALL events, they are decoded into special characters
    > instead of ASCII. Are these values encoded differently than PROCTITLE
    > events?
    > 
    > Below is an example log line:
    > 
    > type=SYSCALL msg=audit(1574182099.559:2002): arch=c000003e syscall=59
    > success=yes exit=0 a0=55df330a3c10 a1=55df330a3c78 a2=55df330a3c90
    > a3=0 items=3 ppid=29664 pid=29678 auid=1171 uid=0 gid=0 euid=0 suid=0
    > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=170 comm="apt-check"
    > exe="/usr/bin/python3.5" key="rootcmd"
    > 
    > In this example, I am looking to decode a0, a1, and a2. Yes, it seems
    > that ausearch can decode these values. However, I am looking to
    > decode them via Splunk.
    
    Please have auparse decode them. This is well maintained and accurate.
    Sometimes they point to memory. Sometimes they have meaning. All of
    this is encoded in the auparse library. Let me know if you have any
    issues decoding anything via libauparse.
    
    > What format are these strings encoded in and is there a way to
    > decode these values in any other way other than by using ausearch?
    
    Libauparse is what ausearch uses. It has all knowledge encoded within
    it. It detangles intertwined events as well as normal events.
    
    -Steve