On 2023/09/16 1:15, Wieprecht, Karen M. wrote:
> All,
>
> We're working with Docker and podman, and I'm working on parsing the audit data
> we get to flag prohibited and missing command options based on STIG guidelines.
> I normally extract the proctitle from the raw auditd data, but these commands
> are very long with sometimes 23 or more command line parameters, and I noticed
> that all of the auditd proctitle data for the lengthier commands is being cut off
> at 128 characters.

This limitation is intentional ( https://elixir.bootlin.com/linux/v6.6-rc2/source/kernel/auditsc.c#L81 ).
Since each argv[]/envp[] value passed to execve() can go up to 128KB
( https://elixir.bootlin.com/linux/v6.6-rc2/source/include/uapi/linux/binfmts.h#L15 )
and the number of arguments is effectively unlimited
( https://elixir.bootlin.com/linux/v6.6-rc2/source/include/uapi/linux/binfmts.h#L16 ),
trying to audit the full command line can exhaust storage.

> I'm bringing this up for two reasons:
>
> One, not everyone working with this data may realize that there seems to be
> a character limit,
> and second, if this is by chance a bug as opposed to intentional, then I'm
> hoping we can get a fix cooking for it?
>
> In the meantime, I may be able to work around this by piecing together the full
> command from the "a#= " fields, but it would be much easier if proctitle wasn't
> cut off after 128 chars.

If you can use an out-of-tree LSM, you can use the execute_handler feature
available in TOMOYO and CaitSith, which replaces any execve() request with a
specific execve() request in order to allow userspace to examine and audit (and
optionally sanitize) the full command line before executing the originally
requested program.

https://tomoyo.osdn.jp/1.8/policy-specification/domain-policy-syntax.html.en#task_auto_execute_handler
https://en.osdn.net/projects/tomoyo/scm/svn/blobs/head/trunk/1.8.x/ccs-tools/examples/env_chk.c

If you think the execute_handler feature is helpful for you, I can make a
dedicated LSM which implements only the execute_handler feature.

> Thanks, any info you can share would be much appreciated,
>
> Karen Wieprecht

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
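The workaround mentioned in the thread, piecing the command line together from the EXECVE record's "a#=" fields instead of the 128-byte PROCTITLE record, is shown below as an added example; it is not code from either participant or from the audit project. It assumes the standard raw auditd record format (values either "quoted" or hex-encoded when they contain a space, quote or control byte; arguments longer than the kernel's per-record chunk size arriving as aN_len= plus aN[0]=, aN[1]=, ...). The sample records, the docker command line and the prohibited/required option lists are all constructed for illustration and are not taken from any system or STIG.

```python
"""Rebuild a full command line from the per-argument a#= fields of an auditd
EXECVE record, instead of the PROCTITLE record that the kernel cuts at 128
bytes. The sample records below are constructed for this example."""
import re
from typing import Dict, List

PROCTITLE_LIMIT = 128  # kernel truncation point for the PROCTITLE record

# key=value pairs; values are either "quoted" or bare (hex digits, numbers, ...)
_FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(record: str) -> Dict[str, str]:
    """Split one raw audit record into a key -> raw-value map."""
    return dict(_FIELD_RE.findall(record))


def decode_value(raw: str) -> bytes:
    """auditd quotes plain printable values and hex-encodes anything containing
    a quote, a space, a control byte or a non-ASCII byte."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].encode()
    return bytes.fromhex(raw)


def execve_argv(fields: Dict[str, str]) -> List[str]:
    """Reassemble argv from argc and a0..aN. Very long arguments arrive as
    aN_len=<bytes> plus aN[0]=, aN[1]=, ...; chunks are joined as bytes before
    decoding so a multi-byte character split across chunks still decodes."""
    argv = []
    for i in range(int(fields["argc"])):
        key = f"a{i}"
        if key in fields:
            argv.append(decode_value(fields[key]).decode("utf-8", "replace"))
            continue
        chunks, j = [], 0
        while f"{key}[{j}]" in fields:
            chunks.append(decode_value(fields[f"{key}[{j}]"]))
            j += 1
        if not chunks:
            raise ValueError(f"argument a{i} missing from EXECVE record")
        argv.append(b"".join(chunks).decode("utf-8", "replace"))
    return argv


def proctitle_argv(fields: Dict[str, str]) -> List[str]:
    """Decode PROCTITLE: NUL-separated argv, hex-encoded, cut at 128 bytes,
    so the last element is usually a partial argument."""
    data = decode_value(fields["proctitle"])
    return [p.decode("utf-8", "replace") for p in data.split(b"\x00") if p]


# Constructed placeholder rules (not from any STIG): options that must never
# appear and options that must always appear on the reconstructed command line.
PROHIBITED_OPTIONS = {"--privileged"}
REQUIRED_OPTIONS = {"--read-only"}


def check_options(argv: List[str]) -> Dict[str, List[str]]:
    """Flag prohibited and missing options, treating --opt=value as --opt."""
    opts = {a.split("=", 1)[0] for a in argv if a.startswith("-")}
    return {
        "prohibited_present": sorted(opts & PROHIBITED_OPTIONS),
        "required_missing": sorted(REQUIRED_OPTIONS - opts),
    }


# --- constructed sample data -------------------------------------------------
def _audit_encode(value: bytes) -> str:
    """Mimic the kernel's encoding choice when building the sample records."""
    if all(0x21 <= b <= 0x7E and b != 0x22 for b in value):
        return '"' + value.decode() + '"'
    return value.hex().upper()


SAMPLE_ARGV = ["docker", "run", "--rm", "--name", "web frontend", "--privileged",
               "-p", "8080:80", "-v", "/srv/site:/usr/share/nginx/html:ro",
               "-e", "API_URL=https://api.example.internal/v1", "--memory", "512m",
               "--cpus", "1.5", "--log-driver", "json-file", "nginx:1.25-alpine"]
_TS = "msg=audit(1694833000.123:4242):"  # constructed timestamp:serial
SAMPLE_EXECVE = f"type=EXECVE {_TS} argc={len(SAMPLE_ARGV)} " + " ".join(
    f"a{i}={_audit_encode(a.encode())}" for i, a in enumerate(SAMPLE_ARGV))
SAMPLE_PROCTITLE = f"type=PROCTITLE {_TS} proctitle=" + _audit_encode(
    b"\x00".join(a.encode() for a in SAMPLE_ARGV)[:PROCTITLE_LIMIT])


if __name__ == "__main__":
    full = execve_argv(parse_fields(SAMPLE_EXECVE))
    short = proctitle_argv(parse_fields(SAMPLE_PROCTITLE))
    print("PROCTITLE :", " ".join(short))   # ends mid-argument after 128 bytes
    print("EXECVE    :", " ".join(full))    # complete command line
    print("findings  :", check_options(full))
```

Run against real data, the records are the EXECVE and PROCTITLE lines that ausearch --raw prints for one event; the parser keys only on argc and the a-fields, so extra fields such as a0_len or SYSCALL context do not disturb it. In the sample, PROCTITLE stops inside the -e value, while the EXECVE reconstruction yields all 19 arguments and lets the option check see the --privileged flag that the truncated proctitle still happens to contain but a slightly longer prefix would have hidden.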