Hello,

According to the field dictionary[1] there are fields whose names are defined 
by the following regex: "a[[:digit:]+]\[.*\]".

I was able to find examples of fields like "a4" and "a5" (see [2]) but it 
doesn't fit the regex which seems to require a pair of square brackets (so "a4" 
should be "a4[]" or "a4[foo]"). I couldn't find any reference in the Linux 
Audit source code.

My questions are:
1. Is this regex valid and up-to-date? Or is it an outdated rule which doesn't 
apply anymore?
2. Could you suggest where I should look to see how those arguments to the execve 
syscall are handled?
3. Could you post an example of a record with a field which fits the regex 
(assuming the regex is valid)?

Cheers!

-Mateusz

[1]: 
https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L3
[2]: https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
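As an added illustration (not part of this thread or of the audit project's own code), here is a small Python parser that accepts both the plain `aN` field names seen in [2] and the bracketed `aN[...]` form described by the dictionary regex; it assumes the bracketed index is a numeric fragment index whose pieces are concatenated in order, and the EXECVE record below is constructed for the example.

```python
import re

# Field names for execve arguments: plain "aN", or the bracketed "aN[...]" form
# the field dictionary's regex describes.  The index inside the brackets is
# assumed here to be a numeric fragment index; that is an assumption for this
# example, not something the thread confirms.
ARG_FIELD = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")

# key=value pairs; values are either double-quoted (with escapes) or bare tokens.
FIELD = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample EXECVE record (not captured from a real system).
SAMPLE = ('type=EXECVE msg=audit(1350000000.123:42): argc=3 a0="ls" a1="-l" '
          'a2[0]="/tmp/long" a2[1]="path"')


def classify_field(name):
    """Return ("plain", n, None), ("bracketed", n, idx), or None if not an arg field."""
    m = ARG_FIELD.match(name)
    if not m:
        return None
    if m.group(2) is None:
        return ("plain", int(m.group(1)), None)
    return ("bracketed", int(m.group(1)), int(m.group(2)))


def parse_execve_args(record):
    """Rebuild argv from one EXECVE record, merging bracketed fragments in index order."""
    args = {}
    for name, value in FIELD.findall(record):
        kind = classify_field(name)
        if kind is None:
            continue  # type=, msg=, argc= and anything else that is not an argument
        _, n, idx = kind
        if value.startswith('"'):
            value = value[1:-1]  # strip the surrounding quotes
        args.setdefault(n, {})[0 if idx is None else idx] = value
    return ["".join(v for _, v in sorted(parts.items()))
            for _, parts in sorted(args.items())]


if __name__ == "__main__":
    print(parse_execve_args(SAMPLE))  # → ['ls', '-l', '/tmp/longpath']
```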

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
