Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PATH name is not being hex decoded #20

Closed
andrewkroh opened this issue Mar 23, 2018 · 1 comment
Closed

PATH name is not being hex decoded #20

andrewkroh opened this issue Mar 23, 2018 · 1 comment
Labels
bug good first issue

Comments

@andrewkroh
Copy link
Member

andrewkroh commented Mar 23, 2018
edited
Loading

The name field inside of PATH type messages is not being decoded from hex.

type=PATH msg=audit(1521758453.536:1428931): item=0 name=2F73686172652F67656E6572616C2F706174685F7265646163746564 inode=1442434 dev=fc:01 mode=042775 ouid=10067 ogid=7003 rdev=00:00 nametype=NORMAL
@andrewkroh andrewkroh added the bug label Mar 23, 2018
@andrewkroh
Copy link
Member Author

andrewkroh commented Mar 23, 2018
edited
Loading

To fix this we need to add a hexDecode("name", msg.fields) to

go-libaudit/auparse/auparse.go

Lines 354 to 355 in ffe11fb

case AUDIT_PATH:
parseSELinuxContext("obj", msg.fields)

We also need to add a test case for this using the provided sample event.

andrewkroh added a commit to andrewkroh/go-libaudit that referenced this issue Mar 27, 2018
@andrewkroh
Hex decode name value in PATH record
5c9c606 
The name field (filename) contained in PATH records can be hex encoded. This updates auparse to attempt hex decoding on the field.

Fixes elastic#20
@andrewkroh andrewkroh mentioned this issue Mar 27, 2018
Merged
ruflin pushed a commit that referenced this issue Mar 28, 2018
@andrewkroh @ruflin
Hex decode name value in PATH record (#21)
08c2cb6 
The name field (filename) contained in PATH records can be hex encoded. This updates auparse to attempt hex decoding on the field.

Fixes #20
@andrewkroh andrewkroh mentioned this issue Mar 28, 2018
Merged
andrewkroh added a commit to andrewkroh/beats that referenced this issue Mar 28, 2018
@andrewkroh
Add hex decoding to name field in audit path records
b57c97b 
This updates go-libaudit to v0.1.0 which contains a fix for elastic/go-libaudit#20.
ruflin pushed a commit to elastic/beats that referenced this issue Mar 30, 2018
@andrewkroh @ruflin
Add hex decoding to name field in audit path records (#6687)
3f3fb57 
This updates go-libaudit to v0.1.0 which contains a fix for elastic/go-libaudit#20.
@andrewkroh andrewkroh mentioned this issue Mar 30, 2018
Merged
andrewkroh added a commit to andrewkroh/beats that referenced this issue Mar 30, 2018
@andrewkroh
Add hex decoding to name field in audit path records (elastic#6687)
61133b8 
This updates go-libaudit to v0.1.0 which contains a fix for elastic/go-libaudit#20.

(cherry picked from commit 3f3fb57)
ph pushed a commit to elastic/beats that referenced this issue Apr 2, 2018
@andrewkroh @ph
Add hex decoding to name field in audit path records (#6687) (#6724)
ddb2a66 
This updates go-libaudit to v0.1.0 which contains a fix for elastic/go-libaudit#20.

(cherry picked from commit 3f3fb57)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@andrewkroh @ph
Add hex decoding to name field in audit path records (elastic#6687) (e…
7537cee 
…lastic#6724)

This updates go-libaudit to v0.1.0 which contains a fix for elastic/go-libaudit#20.

(cherry picked from commit fd317cf)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug good first issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andrewkroh