On 01 Aug 2016, at 16:46, Steve Grubb <[email protected]> wrote:
>
> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>> According to the field dictionary[1] there are fields whose names are
>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>
>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>> doesn't fit the regex, which seems to require a pair of square brackets (so
>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>> Linux Audit source code.
>
> I think you have to have arguments that are larger than the audit record
> limit and so many arguments that you have multiple execve records to contain
> them all.
>
> Here's one reference:
> https://www.redhat.com/archives/linux-audit/2007-October/msg00015.html

Thanks.

>> My questions are:
>> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
>> doesn't apply anymore?
>
> Possibly. But try to generate it and see.

Sure, I'll notify you if I manage to get one.

>> 2. Could you suggest where I should look to see how those arguments to the
>> execve syscall are handled?
>
> Handled where? Kernel? Userspace doesn't do much with any execve argument
> except decode it.

Yeah, that's what I was trying to find: how this regex is handled in
auparse/interpret.c[2]. We can see how "a0" is handled, for example[3], but I
couldn't find anything about "a4[foo]".

>> 3. Could you post an example of a record with a field which fits the regex
>> (assuming the regex is valid)?
>
> The archive link above explains what was going to be added. Offhand I don't
> have one of these laying around in my logs. This test might create one for
> you:
>
> https://github.com/linux-audit/audit-testsuite/tree/master/tests/exec_execve

Thanks a lot.

>> [1]:
>> https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L3
>> [2]:
>> https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html

Cheers,
-m

[2]: https://github.com/linux-audit/audit-userspace/blob/master/auparse/interpret.c
[3]: https://github.com/linux-audit/audit-userspace/blob/master/auparse/interpret.c#L2805

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
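An added example, not part of the thread or of the audit-userspace code: a small Python parser that classifies EXECVE field names into plain `aN`, fragment `aN[M]` and `aN_len` forms and rebuilds argv across several records of one event, which is the situation Steve describes (an argument too long for one record). The fragment layout, the hex encoding of fragments, the `aN_len` field and the sample records are assumptions constructed for this example.

```python
import re

# Field-name shapes in EXECVE records. Assumption for this example: aN[M] is
# the M-th hex-encoded fragment of argument N, and aN_len its full byte length.
PLAIN_RE = re.compile(r"^a(\d+)$")
FRAGMENT_RE = re.compile(r"^a(\d+)\[(\d+)\]$")
LEN_RE = re.compile(r"^a(\d+)_len$")
TOKEN_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample: one event split over two records; a2 is "/tmp/archive".
REC1 = 'type=EXECVE msg=audit(1470059190.123:456): argc=3 a0="cat" a1="-n" a2_len=12 a2[0]=2F746D702F61'
REC2 = 'type=EXECVE msg=audit(1470059190.123:456): a2[1]=726368697665'


def parse_fields(record):
    """Split one raw record into (name, value) pairs after the msg= header."""
    body = record.split("): ", 1)[1] if "): " in record else record
    return TOKEN_RE.findall(body)


def decode_value(raw):
    """Quoted values are literal strings; unquoted values are hex-encoded bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", errors="replace")


def reassemble_argv(records):
    """Rebuild argv from the EXECVE records of one event, in any record order.

    Returns (argv, problems); problems lists argument indices whose
    reassembled length disagrees with the aN_len the record claimed.
    """
    plain, frags, lens = {}, {}, {}
    for rec in records:
        for name, raw in parse_fields(rec):
            if m := PLAIN_RE.match(name):
                plain[int(m[1])] = decode_value(raw)
            elif m := FRAGMENT_RE.match(name):
                frags.setdefault(int(m[1]), {})[int(m[2])] = raw
            elif m := LEN_RE.match(name):
                lens[int(m[1])] = int(raw)
    problems = []
    for n, parts in frags.items():
        data = bytes.fromhex("".join(parts[i] for i in sorted(parts)))
        if n in lens and lens[n] != len(data):
            problems.append(n)
        plain[n] = data.decode("utf-8", errors="replace")
    return [plain[i] for i in sorted(plain)], problems
```

A detection pipeline that only reads plain `aN` fields would miss or truncate the long argument here; the length check flags a record set where a fragment was dropped.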
