[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: commands in hex vs ASCII



You don't always need local access, I look at a lot of logs from systems I don't
have access too, and I just decode them using python. I use the snippet
from here to do it:
http://stackoverflow.com/questions/9641440/convert-from-ascii-string-encoded-in-hex-to-plain-ascii

It might not be ideal, I have simple needs. IIUC, ausearch also takes
input from stdin, so you
could cat raw log data you collected and use it on the other machine.
I have some vague
recollection of doing this years ago for Android, and it all worked as
advertised.



On Tue, Oct 4, 2016 at 10:00 AM, Steve Grubb <sgrubb redhat com> wrote:
> Hello,
>
> On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
>> Is there an option within auditd to set whether commands are stored as hex
>> vs ASCII?
>
> No.
>
>> With the prevalence of SIEM these days, seems easier to keep the commands
>> as ASCII and not presume a person needs to have access to a local system to
>> run ausearch.
>>
>> Have gone through the documentation but didn't see an answer.
>
> This is a design decision from way back around 2005. The problem is that a
> user can control certain things. If they want to evade detection or throw off
> naive analysis, then the can do log injection attacks by using spaces, legal
> field names, and carriage returns in fields controlled by the user. Simple
> parsers will be tricked.
>
> There is some work currently going on wrt formatting output differently. In a
> way I'd rather see some plugins created using libauparse that presents the
> information to the siem in a format that it won't naively parse.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
Respectfully,

William C Roberts


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]