linux-audit.redhat.com archive mirror
* Quoted argument not listed
@ 2010-08-19 10:54 Jure Simsic
  2010-08-19 12:37 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Jure Simsic @ 2010-08-19 10:54 UTC (permalink / raw)
  To: linux-audit



Hi
I have a case where I need to audit some command which goes like:

cmd -a foo -b -c -query 'some query'

What I get in the audit log is:

type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a"
argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query"
argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229


argv[6] is sometimes even like 'arg,"id=123"'; I guess that doesn't
make much difference.

Is there any way to catch the quoted argument as it is and not as an
interesting long string?

Tnx
Jure





* Re: Quoted argument not listed
  2010-08-19 10:54 Quoted argument not listed Jure Simsic
@ 2010-08-19 12:37 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2010-08-19 12:37 UTC (permalink / raw)
  To: linux-audit

On Thursday, August 19, 2010 06:54:23 am Jure Simsic wrote:
> type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a"
> argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query"
> argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229
> 
> The argv[6] is even sometimes like 'arg,"id=123"' , I guess that doesn't
> make much difference..
> 
> Is there any way to catch the quoted argument as it is and not as an
> interesting longstring?

No. It's like this for a reason. The space is the field delimiter. Also the 
quote character has special meaning. So, if the text has one of these in it, 
it must be encoded so that it won't fool the parsers. All audit tools and 
libraries know how to handle the encoding. Your string is this:

type=EXECVE msg=audit(08/18/2010 03:46:51.037:27469599) : argv[0]=cmd 
argv[1]=-a argv[2]=foo argv[3]=-b argv[4]=-c argv[5]=-query 
argv[6]=strbegins(thread_id,"thread_id=2369892f") 

It's there, you just need to access it via interpretation.

-Steve

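The interpreted line Steve quotes is what `ausearch -i` prints. The example below is added here and is not code from the thread or from the audit project: it implements the encoding rule Steve describes in a few lines of Python so the behaviour can be checked offline. The encode side follows the kernel's rule (audit_string_contains_control: a value is emitted as uppercase hex when it contains a double quote, a byte below 0x21 such as space, or a byte above 0x7e, and inside double quotes otherwise). The decode side parses an EXECVE record in both the `argv[N]=` form seen in this thread and the `aN=` form later kernels emit. The first sample record is the raw line from the thread; the second is constructed for the example.

```python
from __future__ import annotations

import re

# Sample EXECVE records. The first is the raw line quoted in the thread
# (argv[N]= form). The second is constructed for this example in the
# aN= form used by later kernels; it is not captured output.
RAW_RECORDS = [
    'type=EXECVE msg=audit(1282117611.037:27469599): argv[0]="cmd" argv[1]="-a" '
    'argv[2]="foo" argv[3]="-b" argv[4]="-c" argv[5]="-query" '
    'argv[6]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229',
    'type=EXECVE msg=audit(1282117611.037:27469600): argc=3 a0="sh" a1="-c" a2=6563686F2068690A',
]

# Matches argv[N]=VALUE or aN=VALUE, where VALUE is either a double-quoted
# string (which by construction holds no space or quote) or a run of
# uppercase hex digits. argc= and aN_len= fields are deliberately not matched.
_ARG_RE = re.compile(r'(?:argv\[(\d+)\]|\ba(\d+))=("[^"]*"|[0-9A-F]+)')


def needs_hex(value: bytes) -> bool:
    """Kernel rule: hex-encode when the value contains a double quote,
    a byte below 0x21 (space and control characters) or a byte above 0x7e."""
    return any(b == 0x22 or b < 0x21 or b > 0x7e for b in value)


def audit_encode(value: bytes) -> str:
    """Render a value the way the kernel writes it into an audit record."""
    if needs_hex(value):
        return value.hex().upper()
    return '"' + value.decode("ascii") + '"'


def audit_decode(field: str) -> bytes:
    """Inverse of audit_encode: quoted text is literal, bare hex is decoded."""
    if field.startswith('"'):
        return field[1:-1].encode("ascii")
    return bytes.fromhex(field)


def parse_execve(record: str) -> list[bytes]:
    """Return the argv of one EXECVE record, decoded and in index order."""
    args: dict[int, bytes] = {}
    for old_idx, new_idx, raw in _ARG_RE.findall(record):
        args[int(old_idx or new_idx)] = audit_decode(raw)
    return [args[i] for i in sorted(args)]


def argv_contains(record: str, needle: bytes) -> bool:
    """Search the decoded arguments, so hex-encoded values are not missed
    the way a plain grep over the raw log line would miss them."""
    return any(needle in arg for arg in parse_execve(record))


if __name__ == "__main__":
    for rec in RAW_RECORDS:
        print([a.decode("ascii", "backslashreplace") for a in parse_execve(rec)])
```

Two practical points follow from this. A raw `grep thread_id= /var/log/audit/audit.log` does not find the first record, because the substring only exists after decoding; any detection rule on command-line content has to decode first (or run over `ausearch -i` output). And the parser above handles one value per argument only: when a single argument is very long the kernel splits it into chunks written as `aN[0]=`, `aN[1]=`, ... with an `aN_len=` field, which this example does not reassemble.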
