Quoted argument not listed
Steve Grubb
sgrubb at redhat.com
Thu Aug 19 12:37:29 UTC 2010
On Thursday, August 19, 2010 06:54:23 am Jure Simsic wrote:
> type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a"
> argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query"
> argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333
> 639383932662229
>
> The argv[6] is even sometimes like 'arg,"id=123"' , I guess that doesn't
> make much difference..
>
> Is there any way to catch the quoted argument as it is and not as an
> interesting longstring?
No. Its like this for a reason. The space is the field delimiter. Also the
quote character has special meaning. So, if the text has one of these in it,
it must be encoded so that it won't fool the parsers. All audit tools,
libraries, know how to handle the encoding. Your string is this:
type=EXECVE msg=audit(08/18/2010 03:46:51.037:27469599) : argv[0]=cmd
argv[1]=-a argv[2]=foo argv[3]=-b argv[4]=-c argv[5]=-query
argv[6]=strbegins(thread_id,"thread_id=2369892f")
Its there, you just need to access it via interpretation.
-Steve
More information about the Linux-audit
mailing list