Auditd module is not converting a process arg from hexadecimal to ASCII

Hi!

I am getting "6563686F205C226172672068657820656E636F6465645C22" where it should be `echo "arg hex encoded"`.

Is this a problem with my configuration, or a problem with the auditd module?

P.S.: I have tested with ausearch and it displays the argument correctly.

Original auditd log:

type=EXECVE msg=audit(1669615313.901:5538): argc=3 a0="sh" a1="-c" a2=6563686F205C226172672068657820656E636F6465645C22

log.json:

{
  "_index": ".ds-logs-auditd.log-default-2022.11.28-000001",
  "_id": "gozUvIQBU0dAtaoQAJWa",
  "_score": 1,
  "fields": {
    "elastic_agent.version": [
      "8.5.1"
    ],
    "host.os.name.text": [
      "Ubuntu"
    ],
    "host.hostname": [
      "servidor-web-teste"
    ],
    "host.mac": [
      "08-00-27-70-61-5E"
    ],
    "host.ip": [
      "192.168.1.101",
      "fe80::a00:27ff:fe70:615e"
    ],
    "agent.type": [
      "filebeat"
    ],
    "process.executable.text": [
      "sh"
    ],
    "event.module": [
      "auditd"
    ],
    "host.os.version": [
      "20.04.2 LTS (Focal Fossa)"
    ],
    "host.os.kernel": [
      "5.4.0-99-generic"
    ],
    "host.os.name": [
      "Ubuntu"
    ],
    "agent.name": [
      "servidor-web-teste"
    ],
    "host.name": [
      "servidor-web-teste"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "event.agent_id_status": [
      "auth_metadata_missing"
    ],
    "host.id": [
      "f1c86fdc6a354beab2b3464b07325c94"
    ],
    "event.kind": [
      "event"
    ],
    "process.executable": [
      "sh"
    ],
    "host.os.type": [
      "linux"
    ],
    "process.args_count": [
      3
    ],
    "elastic_agent.id": [
      "e17a78c8-2a44-4c59-9c5e-fa14c8fd3294"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "host.os.codename": [
      "focal"
    ],
    "process.args": [
      "sh",
      "-c",
      "6563686F205C226172672068657820656E636F6465645C22"
    ],
    "input.type": [
      "log"
    ],
    "log.offset": [
      4802352
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "auditd-log"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "event.action": [
      "execve"
    ],
    "event.ingested": [
      "2022-11-28T06:02:01Z"
    ],
    "@timestamp": [
      "2022-11-28T06:01:53.901Z"
    ],
    "agent.id": [
      "e17a78c8-2a44-4c59-9c5e-fa14c8fd3294"
    ],
    "host.containerized": [
      false
    ],
    "ecs.version": [
      "8.5.0"
    ],
    "host.os.platform": [
      "ubuntu"
    ],
    "data_stream.dataset": [
      "auditd.log"
    ],
    "log.file.path": [
      "/var/log/audit/audit.log"
    ],
    "auditd.log.sequence": [
      5538
    ],
    "agent.ephemeral_id": [
      "54140a4f-4010-4a61-a7dc-33b0088979b8"
    ],
    "agent.version": [
      "8.5.1"
    ],
    "host.os.family": [
      "debian"
    ],
    "event.dataset": [
      "auditd.log"
    ]
  }
}
