On Mon, Aug 8, 2016 at 8:01 AM, Mateusz Piotrowski <[email protected]> wrote: > On 07 Aug 2016, at 20:51, Paul Moore <[email protected]> wrote: > >> On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <[email protected]> wrote: >>> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote: >>>> Hello, >>>> >>>> According to the field dictionary[1] there are fields which names are >>>> defined by the following regex: "a[[:digit:]+]\[.*\]". >>>> >>>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it >>>> doesn't fit the regex which seems to require a pair of square brackets (so >>>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the >>>> Linux Audit source code. >>> >>> I think you have to have aurguments that are larger than the audit record >>> limit and so many arguments that you have multiple execve records to contain >>> them all. >> >> Sorry for the delay in responding, but yes, that is mostly correct. >> If there is an argument that spills across the boundary of a single >> EXECVE record, either due to an exceptionally large size, or little >> room remaining in the existing record, an argument length field is >> added to the record (a2_len=x) and the argument value is spilt and >> indexed (a2[0]=x ... a[n]=x). > > Could you please correct me if I am wrong? From what I understand > (based on kernel/auditsc.c:audit_log_single_execve_arg()[2]) a > correct set of fields could possibly look like this: > > a4_len=4 a4[0]=a a4[1]=n a4[2]=i a4[3]=a
That is correct, assuming that the a4_len and a4[0] field occur in one record, a[1] in a second, a[2] in a third, and so on. You should never see aX[n] and aX[n+1] in a single record, if you, it's a bug :) > as long as there are no unprintable control ascii characters (otherwise > the a4_len field's value would be 8 as every character is printed in hex). > > How about the "a[[:digit:]+]_len" fields (for example a4_len)? > Are they synonymous with the len field[1]? The len field gets used for a lot of things, but for understanding individual argument lengths, you should pay attention to the aX_len field (when present). >> The relevant code in the kernel just changed over the past few weeks >> to correct some problems, so there are some subtle differences between >> old code and what you will find in Linus' tree at the moment, but none >> of those changes should affect the regex you've described. > > I'd appreciate if you could point me to a web server where I can download > the kernel's source code you write about. I do not deal with Linux Kernel > source code on daily basis and search engines don't produce obvious results. When in doubt, Google is generally very helpful, but here is a link: * https://www.kernel.org -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
