I'm logging all execve's in a sort of honeypot box and as such I try to make sense of the commands. There are many, many of these, all with 'bash -c' and some long alphanumerical value not enclosed in double quotes. How can I understand what I'm really looking at?
type=EXECVE msg=audit(1425426965.480:57967): argc=3 a0="bash" a1="-c" a2=6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C
type=EXECVE msg=audit(1425510362.928:72792): argc=3 a0="bash" a1="-c" a2=6B696C6C616C6C20373737206874747064
type=EXECVE msg=audit(1425510366.832:72800): argc=3 a0="bash" a1="-c" a2=726D202D66202F746D702F68747470642A
type=EXECVE msg=audit(1425510366.832:72801): argc=3 a0="rm" a1="-f" a2="/tmp/httpd*"
The last part with httpd gives some indication, but I would really like to understand exactly what's going on.
A bit late to the party, but in case it still helps you or others searching...
Linux audit logs aren't really meant to be looked at directly in the raw log file--they're meant to be viewed and analyzed using tools like "ausearch" and "aureport". Many things (including even time/date stamps) are stored in hex format, but you can tell ausearch to interpret the hex stuff, as well as translating UIDs/GIDs to names, using the "-i" option. By default, ausearch uses the file "/var/log/audit/audit.log", but you can also view a specific file with the "-if filename" option. As an example, I cut-and-pasted your specific lines to a temp file, and got the following results:
auditd encodes long arguments in hex, and they can be decoded in a number of ways, one of which is with xxd.
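Both answers above say the same thing: an unquoted `aN=` value in an EXECVE record is the raw argument bytes written as uppercase hex. The following is an added example (not from either answer, and not an audit tool) that decodes such records in plain Python, using the three shorter lines from the question as a constructed sample, so you can see what each `bash -c` actually ran and when, without needing ausearch or xxd on the box.

```python
import re
from datetime import datetime, timezone

# Constructed sample: three EXECVE records copied from the question above.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1425510362.928:72792): argc=3 a0="bash" a1="-c" a2=6B696C6C616C6C20373737206874747064
type=EXECVE msg=audit(1425510366.832:72800): argc=3 a0="bash" a1="-c" a2=726D202D66202F746D702F68747470642A
type=EXECVE msg=audit(1425510366.832:72801): argc=3 a0="rm" a1="-f" a2="/tmp/httpd*"
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(SECONDS.MILLIS:SERIAL) carries the event time and serial number.
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def decode_value(raw):
    """Decode one argument value.

    auditd quotes an argument when it is plain printable text; if it contains
    spaces, quotes or control bytes the whole argument is written as a bare
    uppercase hex string instead, which is what the question's a2 values are.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='backslashreplace')
    return raw


def parse_execve(line):
    """Return {'time', 'serial', 'argv'} for an EXECVE record, else None.

    Only a0..a(argc-1) are decoded; very long arguments that auditd splits
    into aN[0], aN[1], ... chunks are not reassembled by this example.
    """
    fields = dict(FIELD_RE.findall(line))
    if fields.get('type') != 'EXECVE':
        return None
    sec, frac, serial = MSG_RE.search(line).groups()
    ts = datetime.fromtimestamp(int(sec), tz=timezone.utc)
    ts = ts.replace(microsecond=int(frac.ljust(6, '0')[:6]))
    argv = [decode_value(fields[f'a{i}']) for i in range(int(fields['argc']))]
    return {'time': ts.isoformat(), 'serial': int(serial), 'argv': argv}


def decode_log(text):
    """Decode every EXECVE record in a block of audit.log text, in order."""
    return [r for r in (parse_execve(l) for l in text.splitlines()) if r]


if __name__ == '__main__':
    for rec in decode_log(SAMPLE_LOG):
        print(rec['time'], rec['serial'], ' '.join(rec['argv']))
```

Point `decode_log` at the contents of your own audit.log (or the output of `ausearch -m EXECVE`) to get the decoded argv for every exec, which is the same view `ausearch -i` gives you.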