All,
We're working with Docker and podman, and I'm working on parsing the audit data
we get to flag prohibited and missing command options based on STIG guidelines.
I normally extract the proctitle from the raw auditd data , but these
commands are very long with sometimes 23 or more command line parameters , and
I noticed that all of the auditd proctitle data for the lengthier commands is
being cut off at 128 characters.
I'm bringing this up for two reasons:
One, not everyone working with this data may realize that there seems to
be a character limit,
and second, if this is by chance a bug as opposed to intentional, then
I'm hoping we can get a fix cooking for it?
In the meantime, I may be able to work around this by piecing together the
full command from the "a#= " fields, but it would be much easier if proctitle
wasn't cut off after 128 chars.
Thanks, any info you can share would be much appreciated,
Karen Wieprecht
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
