From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Konrad Witaszczyk <def@freebsd.org>
Subject: Re: Question about the a[[:digit:]+]\[.*\] fields
Date: Mon, 01 Aug 2016 10:46:06 -0400	[thread overview]
Message-ID: <37697145.Sr86xZ3kit@x2> (raw)
In-Reply-To: <791A85A1-9404-4763-9584-D673DDDD747D@FreeBSD.org>

On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
> Hello,
> 
> According to the field dictionary[1] there are fields which names are
> defined by the following regex: "a[[:digit:]+]\[.*\]".
> 
> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
> doesn't fit the regex which seems to require a pair of square brackets (so
> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
> Linux Audit source code.

I think you have to have arguments that are larger than the audit record 
limit and so many arguments that you have multiple execve records to contain 
them all. 

Here's one reference:
https://www.redhat.com/archives/linux-audit/2007-October/msg00015.html


> My questions are:
> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
> doesn't apply anymore? 

Possibly. But try to generate it and see.

> 2. Could you suggest me where to look to see how those arguments to the
> execve syscall are handled? 

Handled where? Kernel? Userspace doesn't do much with any execve argument 
except decode it.

> 3. Could you post an example of a record with a field which fits the regex
> (assuming the regex is valid)?

The archive link above explains what was going to be added. Offhand I don't 
have one of these lying around in my logs. This test might create one for 
you:

https://github.com/linux-audit/audit-testsuite/tree/master/tests/exec_execve

-Steve


> [1]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L3
> [2]: https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
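The reply above describes the situation in which the bracketed field names appear: an execve argument that exceeds the per-record limit is emitted in pieces, and an event with many arguments is spread over several EXECVE records that share one event serial. The following is an added example, not code from Steve Grubb or from the audit project, showing how a log consumer can reassemble such records. It assumes the layout the kernel's execve logging uses for oversized arguments (an `aN_len=` field giving the full length, followed by `aN[0]=`, `aN[1]=`, ... fragments), that unquoted values are hex-encoded, and that records belonging to one event carry the same `audit(timestamp:serial)` stamp. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the message or any real log).
# Event 4242: argument a2 was too long for one record, so it arrives as
# a2[0] and a2[1] in two EXECVE records with the same serial.
# Event 4243: an ordinary event; a1 contains a space, so the kernel hex-encodes it.
SAMPLE_LINES = [
    'type=EXECVE msg=audit(1470066366.123:4242): argc=3 a0="printf" a1="%s" a2_len=12 a2[0]="AAAAAA"',
    'type=EXECVE msg=audit(1470066366.123:4242): a2[1]="BBBBBB"',
    'type=EXECVE msg=audit(1470066366.123:4243): argc=2 a0="ls" a1=2F746D702F6469722077697468207370616365',
]

EVENT_RE = re.compile(r'^type=EXECVE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs: either a double-quoted value or a bare (hex-encoded) token
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_\[\]]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# a4, a4[0], a4[1], ... (the shape the field dictionary's regex is describing)
ARG_RE = re.compile(r'^a(?P<idx>\d+)(?:\[(?P<frag>\d+)\])?$')


def decode_value(quoted, bare):
    """Quoted values are literal; bare values are assumed hex-encoded (assumption)."""
    if quoted is not None:
        return quoted
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', bare):
        return bytes.fromhex(bare).decode('utf-8', errors='replace')
    return bare


def parse_execve_lines(lines):
    """Group EXECVE records by event serial and rebuild argv.

    Returns {serial: {'argv': [...], 'complete': bool}}. 'complete' is False
    when a fragment is missing, a reassembled argument does not match its
    aN_len, or the number of arguments does not match argc.
    """
    frags = defaultdict(lambda: defaultdict(dict))  # serial -> idx -> frag_no -> text
    meta = defaultdict(dict)                         # serial -> {'argc': n, 'aN_len': n}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an EXECVE record
        serial = int(m.group('serial'))
        for f in FIELD_RE.finditer(m.group('body')):
            key = f.group('key')
            am = ARG_RE.match(key)
            if am:
                idx = int(am.group('idx'))
                frag_no = int(am.group('frag') or 0)  # plain aN counts as fragment 0
                frags[serial][idx][frag_no] = decode_value(f.group('quoted'), f.group('bare'))
            elif key == 'argc' or key.endswith('_len'):
                meta[serial][key] = int(f.group('bare'))

    result = {}
    for serial, args in frags.items():
        argv, complete = [], True
        for idx in sorted(args):
            pieces = args[idx]
            if sorted(pieces) != list(range(len(pieces))):
                complete = False  # a continuation record never arrived
            text = ''.join(pieces[k] for k in sorted(pieces))
            expected = meta[serial].get(f'a{idx}_len')
            if expected is not None and expected != len(text):
                complete = False  # length check against the kernel-supplied aN_len
            argv.append(text)
        if meta[serial].get('argc', len(argv)) != len(argv):
            complete = False
        result[serial] = {'argv': argv, 'complete': complete}
    return result


if __name__ == '__main__':
    for serial, ev in parse_execve_lines(SAMPLE_LINES).items():
        print(serial, ev['complete'], ev['argv'])
```

Treating an incomplete event as suspicious rather than silently truncating it is the point of the `complete` flag: a detection rule keyed on argv will otherwise miss the tail of a long command line, which is exactly where the interesting part often sits.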

Thread overview: 6+ messages
2016-07-31 22:16 Question about the a[[:digit:]+]\[.*\] fields Mateusz Piotrowski
2016-08-01 14:46 ` Steve Grubb [this message]
2016-08-01 15:13   ` Mateusz Piotrowski
2016-08-07 18:51   ` Paul Moore
2016-08-08 12:01     ` Mateusz Piotrowski
2016-08-08 13:03       ` Paul Moore
