Hi, I have a case where I need to audit a command which goes like:

cmd -a foo -b -c -query 'some query'

What I get in the audit log is:

type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a" argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query" argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229

argv[6] is sometimes even like 'arg,"id=123"'; I guess that doesn't make much difference. Is there any way to catch the quoted argument as it is and not as an interesting long string?

Thanks,
Jure
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
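The behaviour Jure is seeing is the kernel's field encoding, not a loss of data: audit writes a string field in double quotes only when every byte is printable ASCII other than `"`; if the value contains a quote, a space, a control character or a non-ASCII byte, it writes the raw bytes as a bare upper-case hex string instead, which is exactly what argv[6] above is (`ausearch -i` decodes these for you). The following is an added example, not code from the post or from the audit project, showing how to decode such a record offline and rebuild the shell command line. The sample record is the one quoted in the post, rejoined on one line; the `encode_string_field` helper mirrors the kernel rule so the second shape Jure mentions, `arg,"id=123"`, can be checked as a round trip. The field-name regexes and the `parse_execve` function are assumptions of this example, not part of any audit tool.

```python
import re
import shlex

# Constructed sample input: the EXECVE record quoted in the post above, rejoined on one line.
SAMPLE_EXECVE = (
    'type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a" '
    'argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query" '
    'argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229'
)

# key=value pairs: a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
ARGV_RE = re.compile(r'^argv\[(\d+)\]$')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_string_field(raw: str) -> str:
    """Recover the original value of one audit string field (an argv[N] value).

    The kernel quotes the value when every byte is printable ASCII and not '"';
    otherwise (embedded quote, space, control or non-ASCII byte) it emits the
    raw bytes as a bare upper-case hex string.  Only pass string fields here:
    a bare numeric field such as argc=12 would also look like hex.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='backslashreplace')
    return raw


def encode_string_field(value: str) -> str:
    """Inverse of decode_string_field, applying the same rule the kernel uses."""
    data = value.encode('utf-8')
    if all(0x21 <= b <= 0x7E and b != 0x22 for b in data):
        return '"%s"' % value
    return data.hex().upper()


def parse_execve(record: str) -> dict:
    """Parse one type=EXECVE line into its decoded argv and a shell-quoted command line."""
    fields = dict(FIELD_RE.findall(record))
    if fields.get('type') != 'EXECVE':
        raise ValueError('not an EXECVE record')
    argv = {}
    for key, value in fields.items():
        m = ARGV_RE.match(key)
        if m:
            argv[int(m.group(1))] = decode_string_field(value)
    args = [argv[i] for i in sorted(argv)]
    # The msg field carries the event timestamp and serial: audit(EPOCH.MS:SERIAL):
    m = re.match(r'audit\(([\d.]+):(\d+)\):', fields.get('msg', ''))
    return {
        'timestamp': m.group(1) if m else None,
        'serial': int(m.group(2)) if m else None,
        'argv': args,
        # shlex.join re-quotes arguments so the line can be pasted back into a shell.
        'command_line': shlex.join(args),
    }


if __name__ == '__main__':
    info = parse_execve(SAMPLE_EXECVE)
    for i, a in enumerate(info['argv']):
        print(f'argv[{i}] = {a!r}')
    print(info['command_line'])
```

Running this on the sample decodes argv[6] to the original query string, quotes and all, and prints the reconstructed command line in the same shape the post started from. Note that one EXECVE record covers a single event (matched by the serial in `msg=`); the exe, uid and result live in the accompanying SYSCALL record with the same serial, so a real log parser joins on that value rather than treating EXECVE lines in isolation.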
