Use case not covered by the audit library?

Maupertuis Philippe philippe.maupertuis at worldline.com
Mon Dec 21 11:04:49 UTC 2015


I am new to the subject of user audit records.
I have some newbie questions.
Is it possible to generate these records in any language, Python or Java for example?
Where can I find examples or newbie documentation?

Regards
Philippe

-----Original Message-----
From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On behalf of linux-audit-request at redhat.com
Sent: Friday, 18 December 2015 18:00
To: linux-audit at redhat.com
Subject: Linux-audit Digest, Vol 135, Issue 9

Send Linux-audit mailing list submissions to
        linux-audit at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
        https://www.redhat.com/mailman/listinfo/linux-audit
or, via email, send a message with subject or body 'help' to
        linux-audit-request at redhat.com

You can reach the person managing the list at
        linux-audit-owner at redhat.com

When replying, please edit your Subject line so it is more specific than "Re: Contents of Linux-audit digest..."


Today's Topics:

   1. Re: Use case not covered by the audit library? (Steve Grubb)
   2. Simple bug fix for PROCTITLE not being recognised with
      ausearch --debug check (Burn Alting)
   3. Re: New draft standards (Burn Alting)
   4. Re: Simple bug fix for PROCTITLE not being recognised with
      ausearch --debug check (Steve Grubb)


----------------------------------------------------------------------

Message: 1
Date: Thu, 17 Dec 2015 21:51:15 -0500
From: Steve Grubb <sgrubb at redhat.com>
To: "Gulland, Scott A" <scott.gulland at hpe.com>
Cc: Richard Guy Briggs <rgb at redhat.com>,        "linux-audit at redhat.com"
        <linux-audit at redhat.com>
Subject: Re: Use case not covered by the audit library?
Message-ID: <1484204.GzGFVCTWQh at x2>
Content-Type: text/plain; charset="us-ascii"

On Thursday, December 17, 2015 01:10:03 AM Richard Guy Briggs wrote:
> > No, this is an HTTP server that handles standard HTTP requests like
> > GET, POST, PUT, and DELETE.  The URI specifies what resource is
> > being acted upon.  These requests could come from something as
> > simple as curl, or a full blown management application, or a web GUI
> > (which is interactive in the browser).  For example, you could issue
> > a POST request to URI /openswitch/v1/users to create a new user.
> > The body of the request would contain JSON or XML data indicating the
> > user and password.  There are pre-determined actions/resources that
> > can be changed.  In standard REST APIs, all of the URIs, their
> > parameters and the scheme of the body are documented and only these
> > requests can be issued.
> >
> > It's based on client/server and the client may or may not be interactive
> > (e.g. a web browser).  In these types of servers, we'd almost
> > exclusively be using the audit_log_user_message() API with an event type
> > of AUDIT_USYS_CONFIG.  We're only logging configuration changes to the
> > switch.  I think I don't understand how the "message" parameter is used
> > in this call.  The man page implies a simple text message, but
> > looking at the audit.log file it appears to consist of a set of key-value
> > pairs.  Is my understanding correct?
> >
> > My problem is I don't know what the proper set of "keys" are and the
> > values they should contain.  If my assumptions are correct, is there
> > any documentation on the key-value pairs and how to format the
> > contents of the message parameter?  Based on what I've seen in the
> > audit log file, I would add "acct=<user>" to the contents of the
> > message to reflect the particular authenticated user who issued the
> > REST API call.
>
> Well, Steve has published these as a starting point.  I'm sure he'll
> chime in when he sees your message.
>
>         http://people.redhat.com/sgrubb/audit/audit-events.txt
>         http://people.redhat.com/sgrubb/audit/audit-parse.txt

Thanks for pointing these out, Richard.

The basic guidance for AUDIT_USYS_CONFIG is to record old and new values.
Typically old values are prefixed with 'old-' and new values are the name of the field with no prefix.

Any field whose value the user could influence has to be handled in such a way as to not allow them to trick the parser if they are malicious. For the most part, we hex encode those fields and then write some code to label the fields as encoded so that interpretation can be done later.

Since your field names may not be official names in the audit system, you may have to filter illegal characters the user sent during event construction and fill in spaces with an underscore or dash.

-Steve
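As an added example (not code from this thread or from the audit project), the following Python builds the message string Steve's reply describes for an AUDIT_USYS_CONFIG event: old values carry the old- prefix, user-influenced values are hex encoded with the same rule libaudit applies (hex, unquoted, when the value holds a quote, a space or a non-printable byte; otherwise quoted), field names are sanitized, and decode_value() shows the interpretation step a parser runs later. The send() helper assumes the python3-audit bindings expose audit_open() and audit_log_user_message(); the config values and account name are constructed.

```python
import re

# Constructed sample from a hypothetical REST call: the field names are not
# official audit field names, and the account name comes from the client.
OLD_CONFIG = {"hostname": "sw1", "ntp_server": "10.0.0.1"}       # constructed
NEW_CONFIG = {"hostname": "sw1", "ntp_server": "10.0.0.2 ; rm"}  # constructed

def sanitize_key(name):
    """Field names must not carry characters that break key=value parsing:
    spaces become '_' and anything outside [A-Za-z0-9_-] is dropped."""
    name = name.strip().replace(" ", "_")
    return re.sub(r"[^A-Za-z0-9_-]", "", name) or "field"

def encode_value(value):
    """Encode a user-influenced value the way libaudit does: hex, unquoted,
    when it holds a quote, a space, or a non-printable/non-ASCII byte;
    otherwise double-quoted.  A hex field can never smuggle a second key."""
    raw = value.encode("utf-8")
    if any(b < 0x21 or b > 0x7e or b == 0x22 for b in raw):
        return raw.hex().upper()
    return '"%s"' % value

def usys_config_message(op, old, new, acct):
    """Build the 'message' argument for audit_log_user_message() with
    AUDIT_USYS_CONFIG: old values get the 'old-' prefix, new ones none."""
    parts = ["op=" + sanitize_key(op)]
    for key in sorted(set(old) | set(new)):
        k = sanitize_key(key)
        if key in old:
            parts.append("old-%s=%s" % (k, encode_value(str(old[key]))))
        if key in new:
            parts.append("%s=%s" % (k, encode_value(str(new[key]))))
    parts.append("acct=" + encode_value(acct))
    return " ".join(parts)

def decode_value(field):
    """Interpretation step: a quoted field is literal, an unquoted
    hex field is decoded back to the original bytes."""
    if field.startswith('"') and field.endswith('"'):
        return field[1:-1]
    return bytes.fromhex(field).decode("utf-8", "replace")

def send(message, result=1):
    """Emit via the audit Python bindings (assumption: python3-audit exposes
    audit_open and audit_log_user_message); only works where libaudit is present."""
    import audit  # assumption, see lead-in
    fd = audit.audit_open()
    return audit.audit_log_user_message(fd, audit.AUDIT_USYS_CONFIG, message,
                                        None, None, None, result)

if __name__ == "__main__":
    print(usys_config_message("change ntp", OLD_CONFIG, NEW_CONFIG, "bob smith"))
```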



------------------------------

Message: 2
Date: Fri, 18 Dec 2015 14:20:44 +1100
From: Burn Alting <burn at swtf.dyndns.org>
To: "linux-audit at redhat.com" <linux-audit at redhat.com>
Subject: Simple bug fix for PROCTITLE not being recognised with
        ausearch --debug check
Message-ID: <1450408844.14944.4.camel at swtf.swtf.dyndns.org>
Content-Type: text/plain; charset="utf-8"

Steve,

When ausearch is given the --debug option, malformed events are written to stderr. The PROCTITLE type record is considered to be malformed. This patch corrects for this.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-2.4.4_debug_fix.patch
Type: text/x-patch
Size: 455 bytes
Desc: not available
URL: <https://www.redhat.com/archives/linux-audit/attachments/20151218/0a543af4/attachment.bin>

------------------------------

Message: 3
Date: Fri, 18 Dec 2015 16:12:08 +1100
From: Burn Alting <burn at swtf.dyndns.org>
To: Steve Grubb <sgrubb at redhat.com>
Cc: linux-audit at redhat.com
Subject: Re: New draft standards
Message-ID: <1450415528.14944.28.camel at swtf.swtf.dyndns.org>
Content-Type: text/plain; charset="utf-8"

On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > I use a proprietary ELK-like system based on ausearch's -i option. I
> > would like to see some variant outputs from ausearch that "packages"
> > events into parse-friendly formats (json, xml) that also
> > incorporates the local transformations Steve proposes. I believe
> > this would be the most generic solution to support centralised log management.
> >
> > I am travelling now, but can write up a specification for review next week.
>
> Yes, please do send something to the mail list for people to look at
> and comment on.
>
All,

To reiterate, my need is to generate easy-to-parse events over which local interpretation has been applied, retaining the raw input to some of the interpretations if required. I want to then transmit the complete interpreted event to my central event repository.

My proposal is that ausearch gains the following 'interpreted output' options

        --Xo plain|json|xml
        generate plain (cf --interpret), xml or json formatted events

        --Xr key_a'+'key_b'+'key_c
        include raw value for given keys using the new key
        __r_key_a, __r_key_b, etc. The special key __all__ is
        interpreted to retain the complete raw record. If the raw value
        has no interpreted value, then we will end up with two keys with
        the same value.

I have attached the XSD from which the XML and JSON formats could be defined.

The following provides some examples.

For the raw event (on a system recording execve's and with name_format = fqd configured)

node=fedora23.a1959.org type=SYSCALL msg=audit(1450409042.880:61882): arch=c000003e syscall=59 success=yes exit=0 a0=561c5e714d60 a1=561c5e6dbb90 a2=561c5e630920 a3=561c5e6dbb80 items=2 ppid=27269 pid=29282 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="ausearch" exe="/usr/sbin/ausearch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="cmds"
node=fedora23.a1959.org type=EXECVE msg=audit(1450409042.880:61882): argc=4 a0="ausearch" a1="-i" a2="-if" a3="/var/log/audit/audit.log"
node=fedora23.a1959.org type=CWD msg=audit(1450409042.880:61882): cwd="/home/burn/audit-2.4.4_debug_fix"
node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=0 name="/sbin/ausearch" inode=134573468 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=134397639 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67

Running ausearch with the proposed changes becomes, for --Xo plain

node=fedora23.a1959.org type=PROCTITLE msg=audit(12/18/2015 14:24:02.880:61882) : proctitle=ausearch -i -if /var/log/audit/audit.log
node=fedora23.a1959.org type=PATH msg=audit(12/18/2015 14:24:02.880:61882) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=134397639 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=PATH msg=audit(12/18/2015 14:24:02.880:61882) : item=0 name=/sbin/ausearch inode=134573468 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=CWD msg=audit(12/18/2015 14:24:02.880:61882) : cwd=/home/burn/audit-2.4.4_debug_fix
node=fedora23.a1959.org type=EXECVE msg=audit(12/18/2015 14:24:02.880:61882) : argc=4 a0=ausearch a1=-i a2=-if a3=/var/log/audit/audit.log
node=fedora23.a1959.org type=SYSCALL msg=audit(12/18/2015 14:24:02.880:61882) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561c5e714d60 a1=0x561c5e6dbb90 a2=0x561c5e630920 a3=0x561c5e6dbb80 items=2 ppid=27269 pid=29282 auid=burn uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=ausearch exe=/usr/sbin/ausearch subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=cmds

and, for --Xo xml

<event>
  <node>fedora23.a1959.org</node>
  <time>2015-12-18T14:24:02.880+11:00</time>
  <serial>1450409042.880:61882</serial>
  <records>
    <record>
      <type>PROCTITLE</type>
      <data name="proctitle" value="ausearch -i -if /var/log/audit/audit.log" />
    </record>
    <record>
      <type>PATH</type>
      <data name="item" value="1" />
      <data name="name" value="/lib64/ld-linux-x86-64.so.2" />
      <data name="inode" value="134397639" />
      <data name="dev" value="fd:00" />
      ...
      <data name="nametype" value="NORMAL" />
    </record>
    ...
    <record>
      <type>SYSCALL</type>
      <data name="arch" value="x86_64" />
      <data name="syscall" value="execve" />
      ...
      <data name="subj" value="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" />
      <data name="key" value="cmds" />
    </record>
  </records>
</event>

and, for --Xo json

{
  "event": {
    "node": "fedora23.a1959.org",
    "time": "2015-12-18T14:24:02.880+11:00",
    "serial": "1450409042.880:61882",
    "records": {
      "record": [
        {
          "type": "PROCTITLE",
          "data": {
            "_name": "proctitle",
            "_value": "ausearch -i -if /var/log/audit/audit.log"
          }
        },
        {
          "type": "PATH",
          "data": [
            {
              "_name": "item",
              "_value": "1"
            },
            {
              "_name": "name",
              "_value": "/lib64/ld-linux-x86-64.so.2"
            },
            {
              "_name": "inode",
              "_value": "134397639"
            },
            {
              "_name": "dev",
              "_value": "fd:00"
            },
            ...
            {
              "_name": "nametype",
              "_value": "NORMAL"
            }
          ]
        },
        ...
        {
          "type": "SYSCALL",
          "data": [
            {
              "_name": "arch",
              "_value": "x86_64"
            },
            {
              "_name": "syscall",
              "_value": "execve"
            },
            ...
            {
              "_name": "subj",
              "_value": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
            },
            {
              "_name": "key",
              "_value": "cmds"
            }
          ]
        }
      ]
    }
  }
}

Specifying --Xr __all__  does nothing for plain, but for xml adds a raw element within each record, as per

  ...
  <records>
    <record>
      <type>PROCTITLE</type>
      <raw>node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67</raw>
      ...
    </record>
    <record>
      <type>PATH</type>
      <raw>node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=134397639 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL</raw>
      ...

and for json adds a raw key within each record, as per

      "record": [
        {
          "type": "PROCTITLE",
          "raw": "node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67",
          "data": {
            "_name": "proctitle",
            "_value": "ausearch -i -if /var/log/audit/audit.log"
          }
        },
        {
          "type": "PATH",
          "raw": "node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=134397639 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL",
          "data": [
            {
        ...


And if you want arbitrary raw key values as well as their interpreted value, then provide a '+' separated list of keys. For example,
  --Xr auid|syscall|a2

applied to the following raw record

node=fedora23.a1959.org type=SYSCALL msg=audit(1450410618.410:62231): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=562de17c80f0 a2=1e8 a3=fffff3ff items=1 ppid=27269 pid=29705 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"

for --Xo plain, we get

node=fedora23.a1959.org type=SYSCALL msg=audit(12/18/2015 14:50:18.410:62231) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xffffffffffffff9c a1=0x562de17c80f0 a2=0750 a3=0xfffff3ff items=1 ppid=27269 pid=29705 auid=burn uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=chmod exe=/usr/bin/chmod subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=perm_mod __r_syscall=268 __r_auid=1000 __r_a2=1e8

for --Xo xml
    ...
    <data name="syscall" value="fchmodat" />
    ...
    <data name="key" value="perm_mod" />
    <data name="__r_syscall" value="268" />
    <data name="__r_auid" value="1000" />
    <data name="__r_a2" value="1e8" />

for --Xo json

            ...
            {
              "_name": "syscall",
              "_value": "fchmodat"
            },
            ...
            {
              "_name": "key",
              "_value": "perm_mod"
            },
            {
              "_name": "__r_syscall",
              "_value": "268"
            },
            {
              "_name": "__r_auid",
              "_value": "1000"
            },
            {
              "_name": "__r_a2",
              "_value": "1e8"
            }
          ]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ausearch.xsd
Type: application/xml
Size: 5875 bytes
Desc: not available
URL: <https://www.redhat.com/archives/linux-audit/attachments/20151218/f13548d6/attachment.rdf>

------------------------------

Message: 4
Date: Fri, 18 Dec 2015 09:00:41 -0500
From: Steve Grubb <sgrubb at redhat.com>
To: linux-audit at redhat.com, burn at swtf.dyndns.org
Subject: Re: Simple bug fix for PROCTITLE not being recognised with
        ausearch --debug check
Message-ID: <2718949.1R5FipW8Ma at x2>
Content-Type: text/plain; charset="us-ascii"

On Friday, December 18, 2015 02:20:44 PM Burn Alting wrote:
> Steve,
>
> When ausearch is given the --debug option, malformed events are
> written to stderr. The PROCTITLE type record is considered to be
> malformed. This patch corrects for this.

Thanks! Applied.

-Steve



------------------------------


End of Linux-audit Digest, Vol 135, Issue 9
*******************************************



This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.



