Thanks for the responses so far.

On Tuesday, October 4, 2016, William Roberts <[email protected]> wrote:
> You don't always need local access, I look at a lot of logs from systems I
> don't have access to, and I just decode them using python. I use the snippet
> from here to do it:
> http://stackoverflow.com/questions/9641440/convert-from-ascii-string-encoded-in-hex-to-plain-ascii
>
> It might not be ideal, I have simple needs. IIUC, ausearch also takes
> input from stdin, so you could cat raw log data you collected and use it on
> the other machine. I have some vague recollection of doing this years ago
> for Android, and it all worked as advertised.
>
> On Tue, Oct 4, 2016 at 10:00 AM, Steve Grubb <[email protected]> wrote:
> > Hello,
> >
> > On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
> >> Is there an option within auditd to set whether commands are stored as hex
> >> vs ASCII?
> >
> > No.
> >
> >> With the prevalence of SIEM these days, seems easier to keep the commands
> >> as ASCII and not presume a person needs to have access to a local system to
> >> run ausearch.
> >>
> >> Have gone through the documentation but didn't see an answer.
> >
> > This is a design decision from way back around 2005. The problem is that a
> > user can control certain things. If they want to evade detection or throw off
> > naive analysis, then they can do log injection attacks by using spaces, legal
> > field names, and carriage returns in fields controlled by the user. Simple
> > parsers will be tricked.
> >
> > There is some work currently going on wrt formatting output differently. In a
> > way I'd rather see some plugins created using libauparse that presents the
> > information to the siem in a format that it won't naively parse.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
> --
> Respectfully,
>
> William C Roberts
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
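The thread above covers two related points: auditd stores a user-controlled field as hex when it contains spaces or other awkward characters (Steve's log-injection rationale), and the hex can be decoded off-box with a few lines of Python (William's approach). The example below is added here and is not code from the thread or from the audit project; the audit record is constructed, and the set of fields treated as hex-encodable is an assumed partial list, not the full set ausearch knows.

```python
import re
from typing import Dict

# Fields auditd escapes when the value holds a space, a quote or a control
# character (assumed partial list; ausearch knows the full set).
ENCODED_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "key",
                  "a0", "a1", "a2", "a3"}
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
FIELD_RE = re.compile(r'([A-Za-z0-9_-]+)=("[^"]*"|\S+)')

# Constructed sample record. The proctitle is argv joined by NUL bytes and
# hex-encoded as auditd does; it decodes to "echo", "hi", "res=failed".
SAMPLE = ("type=PROCTITLE msg=audit(1475600000.123:4242): "
          "proctitle=6563686F006869007265733D6661696C6564")


def decode_value(key: str, raw: str) -> str:
    """Return the plain text of one field value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in ENCODED_FIELDS and HEX_RE.match(raw):
        text = bytes.fromhex(raw).decode("utf-8", "replace")
        # proctitle separates argv entries with NUL; show them as spaces.
        return text.replace("\x00", " ")
    return raw


def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit record, decoding hex fields only after tokenising.

    The record is split into key=value tokens before any value is decoded,
    so whatever the user put in argv stays inside a single value.
    """
    return {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}


def naive_parse(line: str) -> Dict[str, str]:
    """Whitespace-split parser, as a SIEM might apply to a plain-ASCII record."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def as_plain_ascii(line: str) -> str:
    """Rewrite the record as if auditd had stored the value unencoded."""
    return " ".join(f"{k}={v}" for k, v in parse_record(line).items())


if __name__ == "__main__":
    print(parse_record(SAMPLE)["proctitle"])        # echo hi res=failed
    print(naive_parse(as_plain_ascii(SAMPLE)))      # gains a bogus 'res' key
```

Running it shows the hex-encoded record decoding to one command line, while the same record written as plain ASCII gives the naive parser a spurious `res=failed` field, which is the analysis problem Steve describes.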
