Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Kevin Brown <kmbrown@gmail.com>
Subject: Re: commands in hex vs ASCII
Date: Tue, 04 Oct 2016 10:00:04 -0400
Message-ID: <3787073.SJSe6RgXKO@x2>
In-Reply-To: <CABSg6BybAjhM+QZURYN3=B=f2Qn_+BGQKtn0b0PDZFJN0fBUyg@mail.gmail.com>

Hello,

On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
> Is there an option within auditd to set whether commands are stored as hex
> vs ASCII?

No.
 
> With the prevalence of SIEM these days, seems easier to keep the commands
> as ASCII and not presume a person needs to have access to a local system to
> run ausearch.
> 
> Have gone through the documentation but didn't see an answer.

This is a design decision from way back around 2005. The problem is that a 
user can control certain things. If they want to evade detection or throw off 
naive analysis, then they can do log injection attacks by using spaces, legal 
field names, and carriage returns in fields controlled by the user. Simple 
parsers will be tricked.

There is some work currently going on wrt formatting output differently. In a 
way I'd rather see some plugins created using libauparse that present the 
information to the SIEM in a format that it won't naively parse.

-Steve

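The injection Steve describes above, shown in working code. This is an added example, not code from the thread or from audit-userspace: it models the kernel's rule for untrusted strings (a field that contains anything outside printable ASCII, or a double quote, is emitted as an uppercase hex string; otherwise it is emitted in double quotes), builds a constructed EXECVE record the two ways (hex-encoded versus the hypothetical "store as ASCII" option asked about), and runs both through the kind of whitespace-splitting parser a SIEM might use. The record timestamp, argv and field layout are constructed sample data.

```python
# Added example: why audit hex-encodes user-controlled fields.
# Not part of the original message; the record below is constructed.

def needs_hex(value: bytes) -> bool:
    """Kernel rule for untrusted strings: hex-encode if any byte is outside
    printable ASCII (0x21..0x7e) or is a double quote."""
    return any(b < 0x21 or b > 0x7E or b == ord('"') for b in value)


def audit_encode(value: bytes) -> str:
    """Emit a field the way the kernel audit subsystem does."""
    if needs_hex(value):
        return value.hex().upper()          # e.g. 7820756964...
    return '"' + value.decode("ascii") + '"'


def ascii_encode(value: bytes) -> str:
    """The hypothetical 'store commands as ASCII' option: raw, no encoding."""
    return value.decode("ascii", errors="replace")


def audit_decode(field: str) -> bytes:
    """Reverse audit_encode, as `ausearch -i` does for hex fields."""
    if field.startswith('"') and field.endswith('"'):
        return field[1:-1].encode("ascii")
    return bytes.fromhex(field)


def build_record(argv, encode) -> str:
    """Constructed EXECVE-style record; argv entries are attacker-controlled."""
    parts = ["type=EXECVE", "msg=audit(1475589604.123:987):", f"argc={len(argv)}"]
    parts += [f"a{i}={encode(arg)}" for i, arg in enumerate(argv)]
    return " ".join(parts)


def naive_parse(record: str) -> dict:
    """A simplistic SIEM parser: split on whitespace, then on the first '='.
    Every key=value token is trusted, whichever field it really came from."""
    fields = {}
    for token in record.split():
        if "=" in token:
            key, val = token.split("=", 1)
            fields[key] = val
    return fields


# An argument crafted to inject legal-looking fields (uid, comm) into the record.
ARGV = [b"/bin/true", b"x uid=0 comm=sshd"]

ASCII_RECORD = build_record(ARGV, ascii_encode)   # raw ASCII: injection works
HEX_RECORD = build_record(ARGV, audit_encode)     # kernel behaviour: it does not


def injected_uid(record: str):
    """Return the uid the naive parser believes it saw, or None."""
    return naive_parse(record).get("uid")


if __name__ == "__main__":
    print(ASCII_RECORD)
    print("naive parser sees uid =", injected_uid(ASCII_RECORD))   # '0'
    print(HEX_RECORD)
    print("naive parser sees uid =", injected_uid(HEX_RECORD))     # None
    print("a1 decoded:", audit_decode(naive_parse(HEX_RECORD)["a1"]))
```

The hex form is not an obstacle for a SIEM: decode any field that is not double-quoted with `bytes.fromhex` (or run the records through `ausearch -i` / libauparse) after the record has been split into fields, never before. Newlines and carriage returns in a value fall under the same rule, so a single audit record can never be split across lines by user input.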
Thread overview: 6+ messages
2016-10-04 13:46 commands in hex vs ASCII Kevin Brown
2016-10-04 14:00 ` Steve Grubb [this message]
2016-10-04 14:11   ` William Roberts
2016-10-04 14:13     ` Kevin Brown
2016-10-04 21:16       ` Burn Alting
2016-10-04 21:59         ` F Rafi