----- "Jure Simsic" <jure.sim...@gmail.com> wrote:
> Hi
>
> I need to audit some specific commands which have the following form
>
> cmd -arg1 -arg2 -query 'some query("args")'
>
> In audit log I get a record like:
> type=EXECVE msg=audit(1282117611.037:27469599): argv [0] ="cmd" argv [1]
> ="-arg1" argv [2] ="-arg2" argv [3] ="-query" argv [4]
> =737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229
>
>
> Now, I'd really need to get the last query argument in an understandable
> form. Is this possible or is this the way it is and I can't do it?
(ausearch -i) , at least in recent versions.
Mirek
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
