in aucoalesce/coalesce.go [396:435]
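// addExecveRecord extracts the argument vector from an EXECVE audit message.
//
// It stores the raw "argc" value in event.Data["argc"], then reads the keys
// "a0" through "a<argc-1>" from the message data, removes each one from that
// data map, and assigns the collected values to event.Process.Args.
//
// Failures are not returned to the caller. Each one is appended to
// event.Warnings and the function returns early, leaving event.Process.Args
// unassigned. Consumers that alert on process arguments should therefore
// check event.Warnings before treating an empty argument list as "no args".
func addExecveRecord(execve *auparse.AuditMessage, event *Event) {
	data, err := execve.Data()
	if err != nil {
		event.Warnings = append(event.Warnings, fmt.Errorf(
			"failed to parse EXECVE message: %w", err))
		return
	}

	argc, found := data["argc"]
	if !found {
		event.Warnings = append(event.Warnings,
			errors.New("argc key not found in EXECVE message"))
		return
	}
	// argc is recorded before it is validated, so event.Data keeps the raw
	// value even when it turns out not to be a number.
	event.Data["argc"] = argc

	count, err := strconv.ParseUint(argc, 10, 32)
	if err != nil {
		event.Warnings = append(event.Warnings, fmt.Errorf(
			"failed to convert argc='%v' to number: %w", argc, err))
		return
	}

	// argc is taken from the record itself, so it is deliberately not used to
	// pre-size args: the slice grows only as arguments are actually found, and
	// the loop stops at the first missing key. The counter stays uint64
	// because count may be as large as 2^32-1, which does not fit in int on
	// 32-bit platforms; converting it there would yield a negative bound and
	// skip the loop without recording a warning.
	var args []string
	for i := uint64(0); i < count; i++ {
		key := "a" + strconv.FormatUint(i, 10)

		arg, found := data[key]
		if !found {
			// NOTE(review): arguments consumed in earlier iterations have
			// already been deleted from data and are dropped with args here,
			// so a record with fewer aN keys than argc yields no arguments at
			// all. Confirm whether callers would rather receive the partial
			// list alongside this warning.
			event.Warnings = append(event.Warnings, fmt.Errorf(
				"failed to find arg %v", key))
			return
		}

		// Remove the consumed key from the message data; the value now lives
		// in args.
		delete(data, key)
		args = append(args, arg)
	}

	event.Process.Args = args
}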