On Thursday, August 19, 2010 06:54:23 am Jure Simsic wrote: > type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a" > argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query" > argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333 > 639383932662229 > > The argv[6] is even sometimes like 'arg,"id=123"' , I guess that doesn't > make much difference.. > > Is there any way to catch the quoted argument as it is and not as an > interesting longstring?
No. Its like this for a reason. The space is the field delimiter. Also the quote character has special meaning. So, if the text has one of these in it, it must be encoded so that it won't fool the parsers. All audit tools, libraries, know how to handle the encoding. Your string is this: type=EXECVE msg=audit(08/18/2010 03:46:51.037:27469599) : argv[0]=cmd argv[1]=-a argv[2]=foo argv[3]=-b argv[4]=-c argv[5]=-query argv[6]=strbegins(thread_id,"thread_id=2369892f") Its there, you just need to access it via interpretation. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
