Hi Jure,

Presuming you've captured the audit records you're interested in a file named snorf, you could do something like this:

awk -F= '{print $8 "0A"}' snorf | xxd -r -p

In the example you had in the email, arg4 turns out to be: 
strbegins(thread_id,"thread_id=2369892f")

Best regards,

Gary Smith


From: [email protected] [mailto:[email protected]] On Behalf Of Jure Simsic
Sent: Thursday, September 16, 2010 12:47 AM
To: [email protected]
Subject: Problems with command args

Hi

I need to audit some specific commands which have the following form

cmd -arg1 -arg2 -query 'some query("args")'

In audit log I get a record like:
type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-arg1" argv[2]="-arg2" argv[3]="-query" argv[4]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229

Now, I'd really need to get the last query argument in an understandable form. 
Is this possible or is this the way it is and I can't do it?

Thanks

Jure
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
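The record Jure posted shows the general rule behind Gary's one-liner: auditd writes an EXECVE argument double-quoted when it is plain, and as an unquoted hex string when it contains a space, a double quote or a non-printable byte, which is exactly what happens to a -query value like 'some query("args")'. The awk/xxd pipe works for that one record because the hex value happens to be the 8th '='-separated field; it breaks as soon as the number or order of arguments changes. The following parser, added here as an example and not code from either poster or from the audit project, decodes every argv[N] field of an EXECVE record regardless of position and re-quotes the result as a shell command line. The sample record is the one from the thread, rejoined onto a single line. Note that the hex decoding is deliberately limited to argv[N] keys: in SYSCALL records the a0..a3 fields are bare hex register values, not encoded strings, and a decoder that hex-decodes every unquoted value would turn them into garbage. (The audit tools do this interpretation themselves if you search with `ausearch -i`; this is what to do when you need it in your own scripts.)

```python
import binascii
import re
import shlex

# Constructed sample: the EXECVE record quoted in the thread, rejoined onto one line.
SAMPLE_RECORD = (
    'type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-arg1" '
    'argv[2]="-arg2" argv[3]="-query" '
    'argv[4]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229'
)

# key=value pairs; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
ARGV_RE = re.compile(r'^argv\[(\d+)\]$')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_value(key, raw):
    """Return the printable form of one audit field value.

    auditd writes a value unquoted and hex-encoded when it contains a space,
    a double quote or a non-printable byte; otherwise it is double-quoted.
    Hex decoding is restricted to argv[N] keys on purpose: in SYSCALL records
    a0..a3 are bare hex numbers (register values), not encoded strings.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if ARGV_RE.match(key) and HEX_RE.match(raw):
        # Arguments are raw bytes; keep undecodable bytes visible rather than dropping them.
        return binascii.unhexlify(raw).decode('utf-8', errors='backslashreplace')
    return raw


def parse_execve(record):
    """Parse one EXECVE record into an ordered argv list, decoding hex fields."""
    if not record.startswith('type=EXECVE '):
        raise ValueError('not an EXECVE record')
    argv = {}
    for key, raw in FIELD_RE.findall(record):
        m = ARGV_RE.match(key)
        if m:
            argv[int(m.group(1))] = decode_value(key, raw)
    # argv indices must run contiguously from 0; anything else means a truncated
    # or mangled record (for example a long command line split across records).
    if sorted(argv) != list(range(len(argv))):
        raise ValueError('argv indices are not contiguous: %r' % sorted(argv))
    return [argv[i] for i in range(len(argv))]


def to_command_line(argv):
    """Re-quote argv so the command could be pasted back into a shell."""
    return shlex.join(argv)


if __name__ == '__main__':
    args = parse_execve(SAMPLE_RECORD)
    for i, a in enumerate(args):
        print('argv[%d] = %s' % (i, a))
    print(to_command_line(args))
```

Run against the sample record this prints the five decoded arguments and then `cmd -arg1 -arg2 -query 'strbegins(thread_id,"thread_id=2369892f")'`, i.e. the command line as it would have been typed. To process a whole log, feed each `type=EXECVE` line from `ausearch -m EXECVE --raw` (or the raw audit.log) to `parse_execve`.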
