Create auditd-execve.xml

2025-11-04 05:43:15 +00:00 · 2022-12-29 10:44:23 -06:00
parent 696f141300
commit ebf1d731c1
1 changed files with 62 additions and 0 deletions
--- a/Auditd/decoders/auditd-execve.xml
+++ b/Auditd/decoders/auditd-execve.xml
@@ -0,0 +1,62 @@
+<decoder name="auditd-execve">
+  <prematch>^type=EXECVE</prematch>
+</decoder>
+
+<!--
+type=EXECVE msg=audit(1672268062.108:138472): argc=2 a0="base64" a1="-d" a2="t" a3="chmod"
+-->
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <!--<prematch offset="after_parent">^SYSCALL </prematch>-->
+  <regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
+  <order>audit.id</order>
+</decoder>
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <regex>argc=\d+ a0="(\.*)"</regex>
+  <order>audit.execve.a0</order>
+</decoder>
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <regex>a1="(\.*)"</regex>
+  <order>audit.execve.a1</order>
+</decoder>
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <regex>a2="(\.*)"</regex>
+  <order>audit.execve.a2</order>
+</decoder>
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <regex>a3="(\.*)"</regex>
+  <order>audit.execve.a3</order>
+</decoder>
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <regex>a4="(\.*)"</regex>
+  <order>audit.execve.a4</order>
+</decoder>
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <regex>a5="(\.*)"</regex>
+  <order>audit.execve.a5</order>
+</decoder>
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <regex>a6="(\.*)"</regex>
+  <order>audit.execve.a6</order>
+</decoder>
+
+<decoder name="auditd-execve">
+  <parent>auditd-execve</parent>
+  <regex>a7="(\.*)"</regex>
+  <order>audit.execve.a7</order>
+</decoder>