This repository was archived by the owner on Apr 3, 2021. It is now read-only.


@chriscz chriscz commented Mar 31, 2020

This PR adds optional keyword flags `unhex`, `unhex_min_length` and `unhex_keys` to `AuditLogParser#parse` which unhexes audit values. To use it, simply pass `unhex: true` as in

```ruby
AuditLogParser.parse(lines, unhex: true)
```

  • `unhex`: should unhexing be applied?
  • `unhex_keys`: array of lower-case string keys that should be unhexed
  • `unhex_min_length`: the minimum length of the value at which to match; useful for filtering out
    certain keys that look like they can be unhexed, but are actually too short.

Why is this necessary?
Even when the audit library on Linux is configured to use enriched logs as below

```
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
```

It still generates some messages that contain hexed values, for example this proctitle line:

```
type=PROCTITLE msg=audit(1585657021.230:27823): proctitle=2F62696E2F7368002D63002020206364202F2026262072756E2D7061727473202D2D7265706F7274202F6574632F63726F6E2E686F75726C79
```

By enabling unhex, you can have this be converted to the correct string value:

```
/bin/sh\x00-c   cd / && run-parts --report /etc/cron.hourly
```
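The decoding the PR describes, as a stand-alone example added here (not the gem's own code): a minimal `key=value` parser for one audit record with the same three options. The hex-digit regex, the `unhex_min_length` default of 8, the UTF-8 handling and the `proctitle_argv` helper are assumptions of this example.

```ruby
# Added example, not audit_log_parser's implementation. Parses one Linux audit
# record into a Hash and decodes hex-encoded values for selected keys.

# Constructed sample: the PROCTITLE record quoted in the PR description.
SAMPLE_LINE = 'type=PROCTITLE msg=audit(1585657021.230:27823): ' \
              'proctitle=2F62696E2F7368002D63002020206364202F2026262072756E2D' \
              '7061727473202D2D7265706F7274202F6574632F63726F6E2E686F75726C79'

# auditd hex-encodes as an even number of upper-case hex digits (assumption).
HEX_VALUE = /\A(?:[0-9A-F]{2})+\z/

# Decode a hex string to bytes. Returns a UTF-8 string when the bytes are valid
# UTF-8, otherwise the raw binary string so nothing is silently mangled.
def unhex_value(hex)
  decoded = [hex].pack('H*').force_encoding(Encoding::UTF_8)
  decoded.valid_encoding? ? decoded : decoded.b
end

# Parse "key=value ..." pairs from the header and body of a record. Quoted
# values and nested msg='...' fields are out of scope for this example.
def parse_audit_line(line, unhex: false, unhex_keys: ['proctitle'], unhex_min_length: 8)
  header, body = line.split(': ', 2)
  fields = {}
  [header, body].compact.each do |part|
    part.scan(/(\S+?)=(\S+)/) { |k, v| fields[k.downcase] = v }
  end
  return fields unless unhex

  fields.each do |k, v|
    next unless unhex_keys.include?(k)
    # Short hex-looking values (e.g. a0=CAFE) are left alone by unhex_min_length.
    next unless v.length >= unhex_min_length && v.match?(HEX_VALUE)
    fields[k] = unhex_value(v)
  end
  fields
end

# proctitle joins argv with NUL bytes; split them back so the argument
# boundaries (here "-c" followed by the whole shell command) are explicit.
def proctitle_argv(decoded_proctitle)
  decoded_proctitle.split("\0")
end
```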
