From: Steve Grubb
Subject: Re: Quoted argument not listed
Date: Thu, 19 Aug 2010 08:37:29 -0400
Message-ID: <201008190837.29569.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, August 19, 2010 06:54:23 am Jure Simsic wrote:
> type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a"
> argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query"
> argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229
>
> The argv[6] is even sometimes like 'arg,"id=123"', I guess that doesn't
> make much difference.
>
> Is there any way to catch the quoted argument as it is and not as an
> interesting long string?

No. It's like this for a reason. The space is the field delimiter. Also, the
quote character has special meaning. So, if the text has one of these in it,
it must be encoded so that it won't fool the parsers. All audit tools and
libraries know how to handle the encoding. Your string is this:

type=EXECVE msg=audit(08/18/2010 03:46:51.037:27469599) : argv[0]=cmd argv[1]=-a argv[2]=foo argv[3]=-b argv[4]=-c argv[5]=-query argv[6]=strbegins(thread_id,"thread_id=2369892f")

It's there; you just need to access it via interpretation.

-Steve
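The encoding rule Steve describes, worked through in code. This is an added example written for this page; it is not Steve's code and not part of the audit userspace (ausearch -i and libauparse's auparse_interpret_field() are what actually do this interpretation for you). It goes slightly beyond the two triggers named in the message: the kernel's audit_string_contains_control() in kernel/audit.c hex-encodes a string when any byte is a double quote, is below 0x21 (space and control characters) or is above 0x7e (DEL and non-ASCII), and that full rule is what needs_hex() implements. The record-splitting regex, the parse_execve() field layout and the SAMPLE_EXECVE input (the poster's record with the mail-wrapped hex joined back onto one line) are this example's own assumptions:

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the EXECVE record quoted in the message above,
# with the hex argument the mail client had wrapped joined back onto one line.
SAMPLE_EXECVE = (
    'type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a" '
    'argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query" '
    'argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229'
)

# key=value pairs; a value is either a double-quoted string (it can contain no
# quote, because a quote forces hex encoding) or a run of non-space characters.
FIELD_RE = re.compile(r'(?P<key>[A-Za-z_]\w*(?:\[\d+\])?)=(?P<val>"[^"]*"|\S+)')
# msg=audit(SECONDS.MILLIS:SERIAL)
MSG_RE = re.compile(r'audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')


def needs_hex(value: str) -> bool:
    """The kernel's rule (audit_string_contains_control() in kernel/audit.c):
    hex-encode if any byte is a double quote, is below 0x21 (space and control
    characters) or is above 0x7e (DEL and non-ASCII)."""
    return any(ch == '"' or ord(ch) < 0x21 or ord(ch) > 0x7e for ch in value)


def encode_field(value: str) -> str:
    """Write a string field the way the kernel does: quoted, or upper-case hex
    of the raw bytes when quoting would confuse a space/quote-based parser."""
    if needs_hex(value):
        return value.encode("utf-8").hex().upper()
    return f'"{value}"'


def interpret_field(value: str) -> str:
    """Undo encode_field(): strip the quotes, or hex-decode an unquoted value.
    Apply this only to fields the kernel logs as untrusted strings (argv[N],
    comm, exe, cwd, name, proctitle); a numeric field such as pid=1234 would
    otherwise be mis-decoded as hex."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and HEX_RE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_execve(record: str) -> dict:
    """Split one EXECVE record into its fields and decode every argv[N]."""
    fields = {m["key"]: m["val"] for m in FIELD_RE.finditer(record)}
    m = MSG_RE.search(fields["msg"])
    when = datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc).replace(
        microsecond=int(m["ms"]) * 1000)
    argv = []
    while f"argv[{len(argv)}]" in fields:
        argv.append(interpret_field(fields[f"argv[{len(argv)}]"]))
    return {"type": fields["type"], "timestamp": when,
            "serial": int(m["serial"]), "argv": argv}


if __name__ == "__main__":
    parsed = parse_execve(SAMPLE_EXECVE)
    print(parsed["timestamp"].isoformat(), parsed["serial"], parsed["argv"])
    # The poster's second shape, a space-containing argument and a plain one,
    # as the kernel would write each of them into the log:
    for arg in ['arg,"id=123"', "foo bar", "foo"]:
        print(repr(arg), "->", encode_field(arg))
```

The timestamp is decoded in UTC (the 07:46:51 it prints is Steve's 03:46:51 shown in US Eastern time). Run as-is it decodes argv[6] back to strbegins(thread_id,"thread_id=2369892f"), and encode_field() on that decoded string reproduces the exact hex from the original record, which is the check to run if you are ever unsure whether a long hex argv value is really just the encoding at work.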