Question about the a[[:digit:]+]\[.*\] fields
Mateusz Piotrowski
0mp at FreeBSD.org
Mon Aug 1 15:13:19 UTC 2016
On 01 Aug 2016, at 16:46, Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>>
>> According to the field dictionary[1] there are fields whose names are
>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>
>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>> doesn't fit the regex which seems to require a pair of square brackets (so
>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>> Linux Audit source code.
>
> I think you have to have arguments that are larger than the audit record
> limit and so many arguments that you have multiple execve records to contain
> them all.
>
> Here's one reference:
> https://www.redhat.com/archives/linux-audit/2007-October/msg00015.html
Thanks.
>> My questions are:
>> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
>> doesn't apply anymore?
>
> Possibly. But try to generate it and see.
Sure, I'll notify you if I manage to get one.
>> 2. Could you suggest where to look to see how those arguments to the
>> execve syscall are handled?
>
> Handled where? Kernel? Userspace doesn't do much with any execve argument
> except decode it.
Yeah, that's what I was trying to find - how this regex is handled in auparse/interpret.c[2].
We can see how "a0" is handled for example[3] but I couldn't find anything about "a4[foo]".
>> 3. Could you post an example of a record with a field which fits the regex
>> (assuming the regex is valid)?
>
> The archive link above explains what was going to be added. Offhand I don't
> have one of these laying around in my logs. This test might create one for
> you:
>
> https://github.com/linux-audit/audit-testsuite/tree/master/tests/exec_execve
Thanks a lot.
>> [1]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L3
>> [2]: https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
Cheers,
-m
[2]: https://github.com/linux-audit/audit-userspace/blob/master/auparse/interpret.c
[3]: https://github.com/linux-audit/audit-userspace/blob/master/auparse/interpret.c#L2805
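Reassembling an over-long execve argument from the multiple EXECVE records described in the thread, as an added Python example (not auparse code and not from anyone in the thread). It assumes that the bracketed index in an `aN[M]` field is the chunk number within argument N and that a companion `aN_len` field carries that argument's total length; both are assumptions here, as is the sample input.

```python
import re
from collections import defaultdict

# One key=value token; the key may carry a bracketed chunk index such as a4[1].
FIELD_RE = re.compile(r'([A-Za-z0-9_]+(?:\[\d+\])?)=("[^"]*"|\S+)')
# Argument fields: plain "a4", chunk "a4[1]", or the assumed length field "a4_len".
ARG_RE = re.compile(r'^a(\d+)(?:\[(\d+)\]|(_len))?$')

# Constructed sample: one execve event whose third argument was split across
# two EXECVE records because it exceeded the per-record limit (assumed layout).
SAMPLE = [
    'type=EXECVE msg=audit(1470064800.123:456): argc=3 a0="/bin/echo" a1="-n" '
    'a2_len=40 a2[0]=AAAAAAAAAAAAAAAAAAAA',
    'type=EXECVE msg=audit(1470064800.123:456): a2[1]=BBBBBBBBBBBBBBBBBBBB',
]

def parse_fields(record):
    """Return the key=value pairs of one audit record, with quotes stripped."""
    return [(k, v.strip('"')) for k, v in FIELD_RE.findall(record)]

def reassemble_execve(records):
    """Rebuild argv for one execve event from its EXECVE record(s).

    Plain aN fields are taken as-is; aN[M] chunks are joined in index order.
    Returns (argv, problems); problems lists consistency failures a reviewer
    of the log would want to know about (gaps, length or argc mismatches).
    """
    whole, chunks, lengths, problems, argc = {}, defaultdict(dict), {}, [], None
    for rec in records:
        if 'type=EXECVE' not in rec:
            continue
        for key, val in parse_fields(rec):
            if key == 'argc':
                argc = int(val)
                continue
            m = ARG_RE.match(key)
            if not m:
                continue
            n = int(m.group(1))
            if m.group(2) is not None:
                chunks[n][int(m.group(2))] = val      # chunk M of argument N
            elif m.group(3):
                lengths[n] = int(val)                  # assumed aN_len field
            else:
                whole[n] = val                         # ordinary aN field
    for n, parts in chunks.items():
        if sorted(parts) != list(range(len(parts))):
            problems.append(f'a{n}: missing chunk(s), have {sorted(parts)}')
        whole[n] = ''.join(parts[i] for i in sorted(parts))
    for n, length in lengths.items():
        if n in whole and len(whole[n]) != length:
            problems.append(f'a{n}: length {len(whole[n])} != a{n}_len {length}')
    argv = [whole[n] for n in sorted(whole)]
    if argc is not None and argc != len(argv):
        problems.append(f'argc={argc} but {len(argv)} arguments found')
    return argv, problems
```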