I set out to parse an auditd log entry containing a SOCKADDR event. I am running into issues with additional data and trying to identify where it's coming from and the structure of it.
The current data size I am seeing is 220 hex characters total including the family.
Based on the structure below (ref: https://linux.die.net/man/7/unix):

#define UNIX_PATH_MAX 108
struct sockaddr_un {
    sa_family_t sun_family; /* AF_UNIX */
    char sun_path[UNIX_PATH_MAX]; /* pathname */
};
I conducted parsing of the log entry as below.
Audit.log -> SOCKADDR entry -> saddr field start of parsing:
1. Read 4 bytes = 0100 = AF_LOCAL
2. Read remainder of field into variable
After parsing out the sun_family, I have more than the structured 108 bytes remaining in the data.
Can anyone point me in the right direction as to where this data is coming from and what the structure is supposed to be?
Thank you for your help.
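As an added example (not code from the original post), the following Python parser decodes the saddr= field of an AF_UNIX SOCKADDR record into its sockaddr_un parts. It assumes a little-endian host, that sa_family_t occupies the first two bytes (four hex characters) of the field, and that the kernel logs exactly the addrlen the calling program passed to the syscall: a caller that passes sizeof(struct sockaddr_un) produces 110 bytes, i.e. 220 hex characters, which the parser treats as the family plus a full 108-byte sun_path; a caller that sizes addrlen to the string produces a shorter field. The sample record line, socket paths and the function names are constructed for this example.

```python
import re
import struct

AF_UNIX = 1                            # AF_LOCAL is an alias for the same value
UNIX_PATH_MAX = 108                    # sizeof(sun_path) from unix(7)
SOCKADDR_UN_SIZE = 2 + UNIX_PATH_MAX   # 110 bytes -> 220 hex characters

SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")

# Constructed sample: a SOCKADDR record whose caller passed the whole struct
# (2 family bytes + 108 path bytes, NUL padded) for the path /run/test.sock.
SAMPLE_RECORD = (
    "type=SOCKADDR msg=audit(1700000000.123:4567): saddr="
    + "0100" + "/run/test.sock".encode().hex() + "00" * (UNIX_PATH_MAX - 14)
)


def saddr_from_record(line: str) -> str:
    """Pull the hex string out of the saddr= field of a SOCKADDR record line."""
    m = SADDR_RE.search(line)
    if not m:
        raise ValueError("no saddr= field in record")
    return m.group(1)


def parse_unix_saddr(saddr_hex: str) -> dict:
    """Decode a hex-encoded AF_UNIX sockaddr as logged by the kernel audit code.

    Returns the family, the address kind ("pathname", "abstract" or
    "unnamed"), the decoded name, the byte length of the field (addrlen) and
    any bytes beyond sizeof(struct sockaddr_un).
    """
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family_t (2 bytes)")

    # sa_family_t is a 2-byte unsigned int in host byte order; the audit
    # record is the raw struct, so on a little-endian host 01 00 is family 1.
    (family,) = struct.unpack("<H", raw[:2])   # assumption: little-endian host
    if family != AF_UNIX:
        raise ValueError(f"family {family} is not AF_UNIX")

    # Everything after the family is sun_path. It may be shorter than
    # UNIX_PATH_MAX (caller sized addrlen to the string) or exactly
    # UNIX_PATH_MAX (caller passed sizeof(struct sockaddr_un)).
    sun_path = raw[2:2 + UNIX_PATH_MAX]
    trailing = raw[2 + UNIX_PATH_MAX:]          # bytes beyond the struct, if any

    if not sun_path:
        kind, name = "unnamed", ""              # autobind / unnamed socket
    elif sun_path[0] == 0:
        # Abstract namespace: leading NUL, name not on the filesystem.
        # Trailing NUL padding is stripped for readability (an assumption;
        # the kernel treats the full addrlen as part of the abstract name).
        kind = "abstract"
        name = sun_path[1:].rstrip(b"\x00").decode("utf-8", "backslashreplace")
    else:
        # Filesystem path: NUL terminated, anything after the terminator is padding.
        kind = "pathname"
        name = sun_path.split(b"\x00", 1)[0].decode("utf-8", "backslashreplace")

    return {
        "family": family,
        "kind": kind,
        "path": name,
        "addrlen": len(raw),
        "trailing": trailing,
    }


if __name__ == "__main__":
    field = saddr_from_record(SAMPLE_RECORD)
    print(len(field), "hex characters ->", parse_unix_saddr(field))
```

Feeding the sample record through the two functions shows the arithmetic behind a 220-character field: two bytes of family followed by the whole 108-byte sun_path, of which only the bytes up to the first NUL are the path; the rest is padding copied from the caller's struct. The same code also handles the shorter fields produced by callers that pass a tighter addrlen, and flags abstract-namespace sockets, which matter when hunting for IPC endpoints that never appear on disk.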