auditd execve arguments that look like encoded data

Solution 1:

A bit late to the party, but in case it still helps you or others searching...

Linux audit logs aren't really meant to be looked at directly in the raw log file--they're meant to be viewed and analyzed using tools like "ausearch" and "aureport". Many things (including even time/date stamps) are stored in hex format, but you can tell ausearch to interpret the hex stuff, as well as translating UIDs/GIDs to names, using the "-i" option. By default, ausearch uses the file "/var/log/audit/audit.log", but you can also view a specific file with the "-if filename" option. As an example, I cut-and-pasted your specific lines to a temp file, and got the following results:

$ ausearch -if temp_audit.log -i
----
type=EXECVE msg=audit(03/03/2015 18:56:05.480:57967) : argc=3 a0=bash a1=-c a2=ls /etc/init.d | grep -E '[0-9a-z]{10}' | awk '{print $1}' | xargs killall
----
type=EXECVE msg=audit(03/04/2015 18:06:02.928:72792) : argc=3 a0=bash a1=-c a2=killall 777 httpd
----
type=EXECVE msg=audit(03/04/2015 18:06:06.832:72800) : argc=3 a0=bash a1=-c a2=rm -f /tmp/httpd*
----
type=EXECVE msg=audit(03/04/2015 18:06:06.832:72801) : argc=3 a0=rm a1=-f a2=/tmp/httpd*

Solution 2:

auditd encodes long arguments in hex, and they can be decoded a number of ways, one of which is with xxd.

echo 6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C | xxd -r -p
ls /etc/init.d | grep -E '[0-9a-z]{10}' | awk '{print $1}' | xargs killall
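The same decoding done in a script, as an added example (not code from either answer): it handles the raw `aN=` fields of an EXECVE record the way `ausearch -i` does, stripping the quotes from plain arguments, hex-decoding the unquoted ones, and re-joining arguments that auditd splits into `aN[k]` chunks. The record lines are constructed for the example; the hex string is the one from the question.

```python
import re

# aN=value or aN[k]=value. The value is a double-quoted string (plain
# argument), a bare run of hex digits (encoded argument) or a bare token
# such as (null). a2_len=... deliberately does not match.
_ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=("(?:[^"\\]|\\.)*"|[^\s]+)')
_HEX_RE = re.compile(r'[0-9A-Fa-f]+')

# Constructed sample records (timestamps are made up). The a2 hex is the
# string from the question; the second record shows a chunked argument.
SAMPLE_RECORD = (
    'type=EXECVE msg=audit(1425408965.480:57967): argc=3 a0="bash" a1="-c" '
    'a2=6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D'
    '7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C'
)
CHUNKED_RECORD = (
    'type=EXECVE msg=audit(1425408965.480:57968): argc=3 a0="bash" a1="-c" '
    'a2_len=7 a2[0]=6C7320 a2[1]=2F657463'
)


def decode_value(raw: str) -> str:
    """Decode one aN value. Raw auditd quotes every plain argument, so an
    unquoted, even-length run of hex digits is an encoded one (it contained
    whitespace, quotes or non-printable bytes)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and _HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw  # e.g. (null)


def parse_execve(record: str) -> list:
    """Return argv for one raw EXECVE record, in aN order."""
    chunks = {}  # arg index -> {chunk index -> raw value}
    for m in _ARG_RE.finditer(record):
        idx, chunk, raw = int(m.group(1)), int(m.group(2) or 0), m.group(3)
        chunks.setdefault(idx, {})[chunk] = raw
    argv = []
    for idx in sorted(chunks):
        parts = [chunks[idx][k] for k in sorted(chunks[idx])]
        if len(parts) > 1 and all(_HEX_RE.fullmatch(p) for p in parts):
            # Join the hex first so a multi-byte character split across
            # chunks still decodes correctly.
            argv.append(decode_value(''.join(parts)))
        else:
            argv.append(''.join(decode_value(p) for p in parts))
    return argv


if __name__ == '__main__':
    for rec in (SAMPLE_RECORD, CHUNKED_RECORD):
        print(parse_execve(rec))
```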