Missing msgtype and events? #14
I believe you may be excluding the End Of Event (EOE) Records. If you use the Florian Roth auditd template it is excluded by default. It is this line in your /etc/audit/rules.d/audit.conf file.
Just comment out the above, restart the services and you should be good to go.
@juju4 Does this help?
While it is true that end-of-event messages are technically not needed for the regular audit log, auditd will filter them out anyway (cf. https://github.com/linux-audit/audit-userspace/blob/0f79b322856ad6f40aa7d0291c2ebc4947543057/src/auditd.c#L276). However, auditd does forward EOE messages to audit dispatcher plugins such as Laurel, which may rely on those messages being there. (threathunters-io/laurel#14)
Sorry, I believed I had updated. Yes, it fixed the issue. Still got a very different count, so not sure if it is something else or just the result of laurel merging logs.
I think that the ["CWD", "EXECVE", "ID", "PATH", "PROCTITLE", "SYSCALL"] … and apparently the ordering is not retained. CWD, PROCTITLE, SYSCALL should give you the same counts. PATH should be off by a factor 2-3 because an EXECVE event usually goes together with multiple PATH lines which are grouped into one entry in the JSON log. The EXECVE count may be off if there are long command lines that are split across multiple EXECVE lines. (Merging those was one of the main motivations for writing Laurel in the first place.)
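As an added example (not Laurel's own code and not posted in this thread), here is a small Python script that reconciles a raw audit.log against a Laurel log the way the comment above describes: count raw lines per record type, then count distinct events per type, and compare that with the number of Laurel events carrying each top-level key. Both inputs are constructed samples, not captured logs; the Laurel objects only carry the fields the comparison needs, and field names follow the JSON layout shown further down in the thread. A `cut`/`uniq` over the raw file counts lines, so PATH and a split EXECVE come out high; the per-event count is the one that should match Laurel.

```python
import json
import re
from collections import Counter

# Constructed raw auditd lines (not a real capture). Event :100 is an execve whose
# command line is split over two EXECVE records and has three PATH records;
# event :101 is a renameat2 (mv) with four PATH records. Both end with EOE.
RAW_AUDIT_LOG = """\
type=SYSCALL msg=audit(1633859647.072:100): arch=c000003e syscall=59 success=yes exit=0 items=3 pid=2 auid=1000 uid=0 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1633859647.072:100): argc=4 a0="ls" a1="-l" a2="/etc"
type=EXECVE msg=audit(1633859647.072:100): a3="/var"
type=CWD msg=audit(1633859647.072:100): cwd="/root"
type=PATH msg=audit(1633859647.072:100): item=0 name="/bin/ls" inode=1 dev=fd:00 mode=0100755 nametype=NORMAL
type=PATH msg=audit(1633859647.072:100): item=1 name="/bin/ls" inode=1 dev=fd:00 mode=0100755 nametype=NORMAL
type=PATH msg=audit(1633859647.072:100): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=2 dev=fd:00 mode=0100755 nametype=NORMAL
type=PROCTITLE msg=audit(1633859647.072:100): proctitle=6C73002D6C002F657463002F766172
type=EOE msg=audit(1633859647.072:100):
type=SYSCALL msg=audit(1633859647.080:101): arch=c000003e syscall=316 success=yes exit=0 items=4 pid=3 auid=1000 uid=0 comm="mv" exe="/bin/mv" key="sudo"
type=CWD msg=audit(1633859647.080:101): cwd="/root"
type=PATH msg=audit(1633859647.080:101): item=0 name="/etc/sudoers.d/" inode=3 dev=fd:00 mode=040755 nametype=PARENT
type=PATH msg=audit(1633859647.080:101): item=1 name="/etc/sudoers.d/" inode=3 dev=fd:00 mode=040755 nametype=PARENT
type=PATH msg=audit(1633859647.080:101): item=2 name="/etc/sudoers.d/a.disabled" inode=4 dev=fd:00 mode=0100440 nametype=DELETE
type=PATH msg=audit(1633859647.080:101): item=3 name="/etc/sudoers.d/a" inode=4 dev=fd:00 mode=0100440 nametype=CREATE
type=PROCTITLE msg=audit(1633859647.080:101): proctitle=6D76002F6574632F7375646F6572732E642F612E64697361626C6564002F6574632F7375646F6572732E642F61
type=EOE msg=audit(1633859647.080:101):
"""

# Constructed Laurel output for the same two events: one JSON object per event,
# split EXECVE merged into one record, PATH items grouped into a list.
LAUREL_LOG = "\n".join(json.dumps(e) for e in [
    {"ID": "1633859647.072:100",
     "SYSCALL": {"syscall": 59, "comm": "ls", "SYSCALL": "execve"},
     "EXECVE": {"argc": 4, "ARGV": ["ls", "-l", "/etc", "/var"]},
     "CWD": {"cwd": "/root"},
     "PATH": [{"item": 0, "name": "/bin/ls", "nametype": "NORMAL"},
              {"item": 1, "name": "/bin/ls", "nametype": "NORMAL"},
              {"item": 2, "name": "/lib64/ld-linux-x86-64.so.2", "nametype": "NORMAL"}],
     "PROCTITLE": {"ARGV": ["ls", "-l", "/etc", "/var"]}},
    {"ID": "1633859647.080:101",
     "SYSCALL": {"syscall": 316, "comm": "mv", "SYSCALL": "renameat2"},
     "CWD": {"cwd": "/root"},
     "PATH": [{"item": 0, "name": "/etc/sudoers.d/", "nametype": "PARENT"},
              {"item": 1, "name": "/etc/sudoers.d/", "nametype": "PARENT"},
              {"item": 2, "name": "/etc/sudoers.d/a.disabled", "nametype": "DELETE"},
              {"item": 3, "name": "/etc/sudoers.d/a", "nametype": "CREATE"}],
     "PROCTITLE": {"ARGV": ["mv", "/etc/sudoers.d/a.disabled", "/etc/sudoers.d/a"]}},
])

# One raw auditd record per line: type=<T> msg=audit(<ts>:<serial>): k=v k="v" ...
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_lines(text):
    """Yield (record_type, event_id, fields) for every parseable raw auditd line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        yield rtype, f"{ts}:{serial}", {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def raw_line_counts(text):
    """What `cut -d' ' -f1 audit.log | sort | uniq -c` reports: one hit per line."""
    return Counter(rtype for rtype, _, _ in parse_audit_lines(text))


def raw_event_counts(text):
    """Distinct events per record type, i.e. the unit Laurel writes (one JSON object per event)."""
    seen = {}
    for rtype, eid, _ in parse_audit_lines(text):
        seen.setdefault(rtype, set()).add(eid)
    return Counter({rtype: len(ids) for rtype, ids in seen.items()})


def laurel_key_counts(text):
    """How many Laurel events carry each top-level key (SYSCALL, PATH, EXECVE, ...)."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            counts.update(json.loads(line).keys())
    return counts


def events_closed_by_eoe(text):
    """Events whose EOE record was seen; a consumer that waits for EOE cannot close an event without it."""
    return sum(1 for rtype, _, _ in parse_audit_lines(text) if rtype == "EOE")


def reconcile(raw_text, laurel_text):
    """Per record type: (raw lines, raw distinct events, Laurel events, events == Laurel)."""
    lines, events, laurel = raw_line_counts(raw_text), raw_event_counts(raw_text), laurel_key_counts(laurel_text)
    return {t: (lines[t], events[t], laurel[t], events[t] == laurel[t]) for t in sorted(events)}


if __name__ == "__main__":
    for rtype, row in reconcile(RAW_AUDIT_LOG, LAUREL_LOG).items():
        print(f"{rtype:10} lines={row[0]} events={row[1]} laurel={row[2]} match={row[3]}")
```

EOE never shows up as a Laurel key (Laurel consumes it to close the event), so its row is expected to mismatch; every other type should line up on the per-event column once the whole Laurel log, including rotated segments, is counted.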
If comparing this way, got the below, which still has some big difference in count
(not sure why the change in cut field number)
Alright. I'll be doing some remodelling to be able to implement event filtering features; this will allow for some more diagnostics and statistics. In the meantime, here's a stupid idea: are you sure that you collected all the logs for laurel? In the default configuration, log file segments are rotated at 1 MB, which translates to something between 1700 and 1800 messages on my boxes.
I had increased it to 10 MB because I wanted log rotation to be done by logrotate every day, and it seems 0 is not the right way to disable this option in laurel. Yeah, some extra filtering options would be nice; auditd exclusions are not really the most granular/precise... Thanks
I added a report with both audispd and laurel output in my ansible role pipeline, also for file integrity monitoring. audispd has nametype with CREATED, DELETED... but laurel output is always NORMAL
Not sure what you mean by that, can you provide an example?
Laurel does not do anything specific with the PATH entries that may contain different
it should give you 4 PATH entries, like so: {
"ID": "1633859647.072:120613",
"SYSCALL": {
"arch": "0xc000003e",
"syscall": 316,
"success": "yes",
"exit": 0,
"items": 4,
"ppid": 3219422,
"pid": 3219423,
"auid": 1000,
"uid": 0,
"gid": 0,
"euid": 0,
"suid": 0,
"fsuid": 0,
"egid": 0,
"sgid": 0,
"fsgid": 0,
"tty": "pts9",
"ses": 3,
"comm": "mv",
"exe": "/bin/mv",
"subj": "=unconfined",
"key": "sudo",
"ARCH": "x86_64",
"SYSCALL": "renameat2",
"AUID": "bengen",
"UID": "root",
"GID": "root",
"EUID": "root",
"SUID": "root",
"FSUID": "root",
"EGID": "root",
"SGID": "root",
"FSGID": "root",
"ARGV": [
"0xffffff9c",
"0x7fff70af382e",
"0xffffff9c",
"0x7fff70af3851"
]
},
"CWD": {
"cwd": "/home/bengen/src/spyre"
},
"PATH": [
{
"item": 0,
"name": "/etc/sudoers.d/",
"inode": 38798702,
"dev": "fd:00",
"mode": "0o40755",
"ouid": 0,
"ogid": 0,
"rdev": "00:00",
"nametype": "PARENT",
"cap_fp": "0x0",
"cap_fi": "0x0",
"cap_fe": 0,
"cap_fver": "0x0",
"cap_frootid": "0",
"OUID": "root",
"OGID": "root"
},
{
"item": 1,
"name": "/etc/sudoers.d/",
"inode": 38798702,
"dev": "fd:00",
"mode": "0o40755",
"ouid": 0,
"ogid": 0,
"rdev": "00:00",
"nametype": "PARENT",
"cap_fp": "0x0",
"cap_fi": "0x0",
"cap_fe": 0,
"cap_fver": "0x0",
"cap_frootid": "0",
"OUID": "root",
"OGID": "root"
},
{
"item": 2,
"name": "/etc/sudoers.d/x2goserver.disabled",
"inode": 38819726,
"dev": "fd:00",
"mode": "0o100440",
"ouid": 0,
"ogid": 0,
"rdev": "00:00",
"nametype": "DELETE",
"cap_fp": "0x0",
"cap_fi": "0x0",
"cap_fe": 0,
"cap_fver": "0x0",
"cap_frootid": "0",
"OUID": "root",
"OGID": "root"
},
{
"item": 3,
"name": "/etc/sudoers.d/x2goserver",
"inode": 38819726,
"dev": "fd:00",
"mode": "0o100440",
"ouid": 0,
"ogid": 0,
"rdev": "00:00",
"nametype": "CREATE",
"cap_fp": "0x0",
"cap_fi": "0x0",
"cap_fe": 0,
"cap_fver": "0x0",
"cap_frootid": "0",
"OUID": "root",
"OGID": "root"
}
],
"PROCTITLE": {
"ARGV": [
"mv",
"/etc/sudoers.d/x2goserver.disabled",
"/etc/sudoers.d/x2goserver"
]
}
}
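As an added example (not Laurel's own code and not posted in this thread), a short Python filter that pulls the file-integrity view out of Laurel's JSON lines: PATH items whose nametype is CREATE or DELETE, plus DELETE/CREATE pairs sharing an inode inside one event, which is how a rename such as the mv above shows up. The first sample line is a constructed, shortened copy of the renameat2 event quoted above (only the fields the filter reads are kept); the second is a constructed openat with only a NORMAL item, there to show what should not be reported. The watch prefix and the inode-pairing rule are this example's assumptions.

```python
import json

# Constructed Laurel lines. Event 120613 is trimmed from the mv/renameat2 example in
# the thread; event 120614 is an invented read-only openat for contrast.
SAMPLE_LAUREL_LINES = "\n".join(json.dumps(e) for e in [
    {"ID": "1633859647.072:120613",
     "SYSCALL": {"syscall": 316, "comm": "mv", "exe": "/bin/mv", "key": "sudo",
                 "SYSCALL": "renameat2", "AUID": "bengen"},
     "CWD": {"cwd": "/home/bengen/src/spyre"},
     "PATH": [
         {"item": 0, "name": "/etc/sudoers.d/", "inode": 38798702, "nametype": "PARENT"},
         {"item": 1, "name": "/etc/sudoers.d/", "inode": 38798702, "nametype": "PARENT"},
         {"item": 2, "name": "/etc/sudoers.d/x2goserver.disabled", "inode": 38819726, "nametype": "DELETE"},
         {"item": 3, "name": "/etc/sudoers.d/x2goserver", "inode": 38819726, "nametype": "CREATE"}],
     "PROCTITLE": {"ARGV": ["mv", "/etc/sudoers.d/x2goserver.disabled", "/etc/sudoers.d/x2goserver"]}},
    {"ID": "1633859647.100:120614",
     "SYSCALL": {"syscall": 257, "comm": "cat", "exe": "/bin/cat", "key": "sudo",
                 "SYSCALL": "openat", "AUID": "bengen"},
     "CWD": {"cwd": "/root"},
     "PATH": [{"item": 0, "name": "/etc/sudoers", "inode": 7, "nametype": "NORMAL"}],
     "PROCTITLE": {"ARGV": ["cat", "/etc/sudoers"]}},
])

# nametype values that mean a directory entry was added or removed (kernel PATH record semantics).
FIM_NAMETYPES = {"CREATE", "DELETE"}


def laurel_events(text):
    """Yield one parsed event per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def path_items(event):
    """Laurel emits PATH as a list of items (as in the thread's example); tolerate a lone dict as well (assumption)."""
    path = event.get("PATH", [])
    return path if isinstance(path, list) else [path]


def file_changes(text, nametypes=FIM_NAMETYPES, watch_prefix="/"):
    """(event_id, syscall, comm, auid, nametype, name) for every PATH item that matches."""
    hits = []
    for ev in laurel_events(text):
        sc = ev.get("SYSCALL", {})
        for item in path_items(ev):
            if item.get("nametype") in nametypes and item.get("name", "").startswith(watch_prefix):
                hits.append((ev["ID"], sc.get("SYSCALL"), sc.get("comm"), sc.get("AUID"),
                             item["nametype"], item["name"]))
    return hits


def renames(text):
    """(event_id, old_name, new_name) where a DELETE and a CREATE item share an inode within one event."""
    out = []
    for ev in laurel_events(text):
        by_inode = {}
        for item in path_items(ev):
            by_inode.setdefault(item.get("inode"), {})[item.get("nametype")] = item.get("name")
        for names in by_inode.values():
            if "DELETE" in names and "CREATE" in names:
                out.append((ev["ID"], names["DELETE"], names["CREATE"]))
    return out


if __name__ == "__main__":
    for hit in file_changes(SAMPLE_LAUREL_LINES, watch_prefix="/etc/sudoers.d/"):
        print(*hit)
    for eid, old, new in renames(SAMPLE_LAUREL_LINES):
        print(eid, "rename", old, "->", new)
```

Run over a real laurel log, `file_changes` is the equivalent of grepping audispd output for CREATE/DELETE; NORMAL and PARENT items are the common case for reads and lookups and are deliberately left out unless asked for.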
@juju4 Do you still see problems with missing messages? |
@juju4 ping? |
Sorry for the delay, busy times. On the GitHub Actions side, I lost the laurel report between the builds of Nov 29th and Dec 4th; just repaired it. On my test server, for some reason, laurel logs have been empty for some time while /var/log/audit/audit.log is fine.
Trying to review during the holidays, I see many commits since the last 1.0.5 release on Nov 1st. Any plan for a new one? Thanks
Yeah, I somehow got sidetracked dealing with surprise features in Java software. ;-) |
no problem. same for many people :) |
I am closing this issue because we have not made any progress in almost two years. Feel free to reopen if you still see problems with a more current version.
with laurel 0.1.1 on Ubuntu 18.04 and base laurel configuration
while
SYSCALL is the one where I would expect process activity
Even if merging some of the different msgtypes, the same data should be found