How to decode HEX strings in audit logs?

When a record in the audit log contains whitespace, the value is encoded as a HEX string, e.g.:

type=PROCTITLE msg=audit(1449583261.740:1899): proctitle=2F7573722F62696E2F7065726C002F7573722F73686172652F617773746174732F777777726F6F742F6367692D62696E2F617773746174732E706C002D757064617465002D636F6E6669673D68756C6B2E6C6F63616C002D636F6E6669676469723D2F6574632F61777374617473

This string can be decoded with a short Python command. The arguments are separated by NUL bytes (00), which the terminal does not display, so they appear run together in the output:

$ python3 -c 'import binascii; print(binascii.a2b_hex("2F7573722F62696E2F7065726C002F7573722F73686172652F617773746174732F777777726F6F742F6367692D62696E2F617773746174732E706C002D757064617465002D636F6E6669673D68756C6B2E6C6F63616C002D636F6E6669676469723D2F6574632F61777374617473").decode())'
/usr/bin/perl/usr/share/awstats/wwwroot/cgi-bin/awstats.pl-update-config=hulk.local-configdir=/etc/awstats

If you use the ausearch tool, the -i option interprets numeric entities into text, e.g.:

$ ausearch -m avc -i
...
type=PROCTITLE msg=audit(12/09/2015 20:01:01.798:2356) : proctitle=/usr/bin/perl /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -update -config=hulk.local -configdir=/etc/awstats

type=PATH msg=audit(12/09/2015 20:01:01.798:2356) : item=1 name=/tmp/awstats.hulk.local.lock inode=4383662 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=DELETE
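
To decode raw records in bulk without ausearch, the following Python 3 parser is an added example, not part of the original page. It decodes hex-encoded string fields, turns the NUL separators in proctitle into spaces, and escapes control characters; the STRING_FIELDS set and the constructed PATH records are assumptions made for the example.

```python
import re

# Fields the example treats as possibly hex-encoded strings (an assumption
# made here; numeric fields such as inode= must never be decoded).
STRING_FIELDS = {"proctitle", "name", "comm", "exe", "cwd", "cmd"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def decode_value(value):
    """Decode one string field; return it unchanged if it is not hex."""
    if value.startswith('"'):        # quoted values are logged verbatim
        return value.strip('"')
    if not HEX_RE.fullmatch(value):  # e.g. "(null)" or an odd-length token
        return value
    raw = bytes.fromhex(value).rstrip(b"\x00")
    # proctitle separates argv entries with NUL bytes; show them as spaces.
    text = raw.replace(b"\x00", b" ").decode("utf-8", "backslashreplace")
    # Keep control characters (newlines, ESC) visible so decoded data
    # cannot forge extra log lines or drive the analyst's terminal.
    return "".join(c if c.isprintable() else
                   c.encode("unicode_escape").decode("ascii") for c in text)


def decode_record(line):
    """Parse key=value pairs and decode the string fields."""
    return {k: decode_value(v) if k in STRING_FIELDS else v
            for k, v in FIELD_RE.findall(line)}


# The PROCTITLE record from the page (hex split at argv boundaries).
PAGE_RECORD = (
    "type=PROCTITLE msg=audit(1449583261.740:1899): proctitle="
    "2F7573722F62696E2F7065726C00"
    "2F7573722F73686172652F617773746174732F777777726F6F742F6367692D62696E2F617773746174732E706C00"
    "2D75706461746500"
    "2D636F6E6669673D68756C6B2E6C6F63616C00"
    "2D636F6E6669676469723D2F6574632F61777374617473"
)
# Constructed records (not from the page).
CONSTRUCTED = [
    'type=PATH msg=audit(1449583261.740:1899): item=1 name="/tmp/x.lock"',
    "type=PATH msg=audit(1449583261.740:1899): item=2 name=2F746D702F610A62 inode=4142",
    "type=PATH msg=audit(1449583261.740:1899): item=3 name=(null)",
]

if __name__ == "__main__":
    for rec in [PAGE_RECORD] + CONSTRUCTED:
        print(decode_record(rec))
```

The second constructed record shows why only known string fields are decoded: inode=4142 is valid hex and would otherwise be turned into "AB".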

