
I'm logging all execve's in a sort of honeypot box and as such I try to make sense of the commands. There are many, many of these, all with 'bash -c' and some long alphanumeric value not enclosed in double quotes. How can I understand what I'm really looking at?

type=EXECVE msg=audit(1425426965.480:57967): argc=3 a0="bash" a1="-c" a2=6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C
type=EXECVE msg=audit(1425510362.928:72792): argc=3 a0="bash" a1="-c" a2=6B696C6C616C6C20373737206874747064
type=EXECVE msg=audit(1425510366.832:72800): argc=3 a0="bash" a1="-c" a2=726D202D66202F746D702F68747470642A
type=EXECVE msg=audit(1425510366.832:72801): argc=3 a0="rm" a1="-f" a2="/tmp/httpd*"

The last part with httpd gives some indication, but I would really like to understand exactly what's going on.

3molo

2 Answers


A bit late to the party, but in case it still helps you or others searching...

Linux audit logs aren't really meant to be looked at directly in the raw log file; they're meant to be viewed and analyzed using tools like "ausearch" and "aureport". Many things (including even time/date stamps) are stored in hex format, but you can tell ausearch to interpret the hex stuff, as well as translate UIDs/GIDs to names, using the "-i" option. By default, ausearch uses the file "/var/log/audit/audit.log", but you can also view a specific file with the "-if filename" option. As an example, I cut and pasted your specific lines to a temp file, and got the following results:

$ ausearch -if temp_audit.log -i
----
type=EXECVE msg=audit(03/03/2015 18:56:05.480:57967) : argc=3 a0=bash a1=-c a2=ls /etc/init.d | grep -E '[0-9a-z]{10}' | awk '{print $1}' | xargs killall
----
type=EXECVE msg=audit(03/04/2015 18:06:02.928:72792) : argc=3 a0=bash a1=-c a2=killall 777 httpd
----
type=EXECVE msg=audit(03/04/2015 18:06:06.832:72800) : argc=3 a0=bash a1=-c a2=rm -f /tmp/httpd*
----
type=EXECVE msg=audit(03/04/2015 18:06:06.832:72801) : argc=3 a0=rm a1=-f a2=/tmp/httpd*
Michael

auditd encodes long arguments in hex, and they can be decoded in a number of ways, one of which is with xxd.

echo 6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C | xxd -r -p
ls /etc/init.d | grep -E '[0-9a-z]{10}' | awk '{print $1}' | xargs killall
U880D
vaelen
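A small parser that does for EXECVE records what both answers describe by hand (an added example, not code from either answer or from the audit tools): it reads the four records from the question, decodes the hex-encoded a2 fields, converts the epoch timestamp to UTC, and also concatenates the chunked aN[K]= form that auditd uses for very long arguments. The chunked-argument handling is an assumption about the audit format that this page does not show.

```python
import re
from datetime import datetime, timezone

# The four EXECVE records from the question above (page data, not constructed).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1425426965.480:57967): argc=3 a0="bash" a1="-c" a2=6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C
type=EXECVE msg=audit(1425510362.928:72792): argc=3 a0="bash" a1="-c" a2=6B696C6C616C6C20373737206874747064
type=EXECVE msg=audit(1425510366.832:72800): argc=3 a0="bash" a1="-c" a2=726D202D66202F746D702F68747470642A
type=EXECVE msg=audit(1425510366.832:72801): argc=3 a0="rm" a1="-f" a2="/tmp/httpd*"
"""

# msg=audit(EPOCH.MILLIS:SERIAL): the epoch is plain decimal, not hex.
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
# aN="literal" or aN=HEX. aN[K]=... is the chunked form for very long
# arguments (assumed format): chunks with the same N are joined in order.
ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def raw_bytes(m):
    """Quoted values are printed literally; unquoted values are hex bytes."""
    if m.group(4) is None:
        return m.group(3).encode()
    return bytes.fromhex(m.group(4))

def parse_execve(line):
    """Return {'time', 'serial', 'argv'} for one EXECVE record, else None."""
    if "type=EXECVE" not in line:
        return None
    hdr = MSG_RE.search(line)
    when = datetime.fromtimestamp(int(hdr.group(1)), tz=timezone.utc)
    chunks = {}
    for m in ARG_RE.finditer(line):
        chunks.setdefault(int(m.group(1)), []).append(raw_bytes(m))
    # Join chunk bytes before decoding so a UTF-8 sequence split across
    # chunks survives; non-UTF-8 bytes become U+FFFD instead of raising.
    argv = [b"".join(chunks[i]).decode("utf-8", errors="replace")
            for i in sorted(chunks)]
    return {"time": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "serial": int(hdr.group(3)), "argv": argv}

def decode_log(text):
    """Decode every EXECVE record in a raw audit.log excerpt."""
    return [r for r in (parse_execve(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for rec in decode_log(SAMPLE_LOG):
        # repr() keeps embedded quotes and control characters visible.
        print(rec["time"], rec["serial"], " ".join(repr(a) for a in rec["argv"]))
```

Timestamps print in UTC, so they differ from the local-time output ausearch -i showed above by the answerer's time zone offset.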