You don't always need local access. I look at a lot of logs from systems I don't have access to, and I just decode them using Python. I use the snippet from here to do it: http://stackoverflow.com/questions/9641440/convert-from-ascii-string-encoded-in-hex-to-plain-ascii

It might not be ideal; I have simple needs. IIUC, ausearch also takes input from stdin, so you could cat raw log data you collected and use it on the other machine. I have some vague recollection of doing this years ago for Android, and it all worked as advertised.

On Tue, Oct 4, 2016 at 10:00 AM, Steve Grubb <[email protected]> wrote:
> Hello,
>
> On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
>> Is there an option within auditd to set whether commands are stored as hex
>> vs ASCII?
>
> No.
>
>> With the prevalence of SIEM these days, seems easier to keep the commands
>> as ASCII and not presume a person needs to have access to a local system to
>> run ausearch.
>>
>> Have gone through the documentation but didn't see an answer.
>
> This is a design decision from way back around 2005. The problem is that a
> user can control certain things. If they want to evade detection or throw off
> naive analysis, then they can do log injection attacks by using spaces, legal
> field names, and carriage returns in fields controlled by the user. Simple
> parsers will be tricked.
>
> There is some work currently going on wrt formatting output differently. In a
> way I'd rather see some plugins created using libauparse that presents the
> information to the siem in a format that it won't naively parse.
>
> -Steve
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Respectfully,
William C Roberts

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
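An added Python example of the offline decoding discussed in this thread; it is neither the Stack Overflow snippet the poster links nor audit code. The kernel encoding rule it mirrors (hex when a user-controlled string holds a quote, space, control or non-ASCII byte) is an assumption stated in the code, and the audit records are constructed, not real log data. It also shows why the hex form matters: an argv entry carrying a fake `type=SYSCALL uid=0` field stays inside one quoted value after decoding instead of looking like a second record.

```python
import re

# Fields the kernel logs via audit_log_untrustedstring(). SYSCALL a0..a3 are
# register values, not strings, so argv slots are decoded only for type=EXECVE.
STRING_FIELDS = r'proctitle|cwd|name|comm|exe|key'

def encode_untrusted(value: str) -> str:
    """Kernel rule (assumed from audit_string_contains_control(), not code from
    the post): hex-encode if the string holds '"', a space, a control or a
    non-ASCII byte; otherwise log it quoted."""
    raw = value.encode('utf-8')
    if any(b == 0x22 or b < 0x21 or b > 0x7E for b in raw):
        return raw.hex().upper()
    return f'"{value}"'

def decode_audit_line(line: str) -> str:
    """Rewrite each key=HEX string field as key="...", escaping quotes and
    control bytes so decoded user data cannot break the one-record-per-line
    layout a SIEM parser relies on."""
    keys = STRING_FIELDS
    rec = re.match(r'type=(\w+)', line)
    if rec and rec.group(1) == 'EXECVE':
        keys += r'|a\d+'  # argv entries of an EXECVE record are strings
    pattern = re.compile(rf'\b({keys})=((?:[0-9A-F]{{2}})+)(?=\s|$)')

    def sub(m):
        key, text = m.group(1), bytes.fromhex(m.group(2)).decode('latin-1')
        if key == 'proctitle':
            text = text.replace('\x00', ' ')  # argv entries are NUL separated
        safe = ''.join(c if 0x20 <= ord(c) < 0x7F and c != '"'
                       else f'\\x{ord(c):02x}' for c in text)
        return f'{key}="{safe}"'

    return pattern.sub(sub, line)

# Constructed sample records (not real log data). The second EXECVE argument
# carries spaces and a fake "type=SYSCALL uid=0" field: the log-injection case
# the hex encoding exists to defeat. The SYSCALL a1 register value stays as is.
INJECTED_ARG = '/tmp/x type=SYSCALL uid=0'
SAMPLE_LINES = [
    'type=EXECVE msg=audit(1475589600.123:42): argc=2 a0="cat" a1="/etc/hostname"',
    'type=EXECVE msg=audit(1475589600.124:43): argc=2 a0="touch" a1='
    + encode_untrusted(INJECTED_ARG),
    'type=SYSCALL msg=audit(1475589600.124:43): arch=c000003e syscall=59 a0=1 '
    'a1=7FFD0C8A3E80 comm="touch" exe="/usr/bin/touch" key=6B6579207769746820737061636573',
]

def decode_all(lines=SAMPLE_LINES) -> list:
    """Decode a batch of raw lines, e.g. pulled from a remote host's audit.log."""
    return [decode_audit_line(ln) for ln in lines]
```

Feeding the same raw lines to `ausearch -i` on another machine gives the canonical interpretation; this decoder is only for the case where no audit tooling is installed where the logs end up.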
