From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Paris <eparis@redhat.com>
Subject: Re: strange arguments in some EXEC audit events
Date: Mon, 02 Mar 2009 09:48:19 -0500
Message-ID: <1236005299.5466.7.camel@localhost.localdomain>
References: <20090302141744.GA31524@develbox.linuxbox.cz>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <20090302141744.GA31524@develbox.linuxbox.cz>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Nikola Ciprich <extmaillist@linuxbox.cz>
Cc: nikola.ciprich@linuxbox.cz, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 2009-03-02 at 15:17 +0100, Nikola Ciprich wrote:
> Hello,
> I'd like to ask about one thing regarding audit I don't understand:
> We are running auditd configured to log some syscalls (ie exec) and everything works fine, but quite often we're getting
> some strange records:
> type=SYSCALL msg=audit(1236001721.608:55239): arch=c000003e syscall=59 success=yes exit=0 a0=7f1407a74653 a1=7fff1088d710 a2=12cf580 a3=7f1408884770 items=2 ppid=20278 pid=23246 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=25 comm="sh" exe="/bin/bash" subj=kernel key=(null)
> type=EXECVE msg=audit(1236001721.608:55239): argc=3 a0="sh" a1="-c" a2=66696C65202D4C202F7661722F6C6F672F61756469742F61756469742E6C6F6720323E2F6465762F6E756C6C
> type=CWD msg=audit(1236001721.608:55239):  cwd="/var/log/audit"
> type=PATH msg=audit(1236001721.608:55239): item=0 name="/bin/sh" inode=97403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
> type=PATH msg=audit(1236001721.608:55239): item=1 name=(null) inode=63681 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
> type=SYSCALL msg=audit(1236001721.609:55240): arch=c000003e syscall=59 success=yes exit=0 a0=11ee410 a1=11ee9d0 a2=11ed260 a3=0 items=2 ppid=23246 pid=23247 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=25 comm="file" exe="/usr/bin/file" subj=kernel key=(null)
> 
> I'm not sure what "66696C65202D4C202F7661722F6C6F672F61756469742F61756469742E6C6F6720323E2F6465762F6E756C6C" argument might be, is it somehow encoded string? It seems to remain unchanged across multiple events...
> Could somebody shed some light on it for me?
> Thanks a lot in advance!

It's a hex representation of the actual bits sent to audit.  In this
case it is a string which contains the space character.  Since we don't
really trust use strings when they contain non-letters we encode it like
this.  This translates to "file -L /var/log/audit/audit.log 2>/dev/null"

http://www.dolcevie.com/js/converter.html does a nice easy conversion...