Hello all,
I am writing to this mailing list as I have not found any working solution online.
We use auditd with the ENRICHED log_format, but we see lots of parameters not being decoded from hex.
Here are the auditd settings:
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = root
priority_boost = 4
flush = incremental
freq = 6000
num_logs = 10
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = hostname
max_log_file = 30
max_log_file_action = ROTATE
space_left = 150
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 100
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
Installed audit Version:
2.6.5-3.el7_3.1
Here are the problem parts of the audit log (parameter a2):
node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298): argc=3
a0="/bin/sh" a1="-c"
a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F706F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F303535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E442073697A652067742031306222204D6178437269743D31
Undecoded parameter (a14) in the middle:
node=hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300): argc=16
a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H"
a3="10.100.0.0" a4="-p" a5="5666" a6="-c"
a7="CheckFiles" a8="-t" a9="20" a10="-a"
a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0"
a13="pattern=*33_0550_L_*.CK8"
a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062
a15="MaxCrit=1"
We need the ENRICHED log_format so we can analyze audit logs on a central log server. I tried
to increase the "priority_boost" parameter to 6, and increased the "freq" parameter to 6000
to give auditd more time for decoding. None of the mentioned helped.
What I don't understand is that sometimes it's the last parameter that is not decoded,
and sometimes it's one in the middle. See the examples above.
Any kind of advice is welcome.
With kind regards
Peter
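An added example, not from Peter's mail or the audit project: the kernel hex-encodes any EXECVE argument that contains a double quote, a byte below 0x21 (space and control characters) or above 0x7e, regardless of its position in argv, which is why a14 ("filter=written lt -30m AND size gt 10b") appears as hex while a15 does not. The parser below mirrors that rule and rebuilds argv from a record shaped like the one quoted above; the sample record is constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample EXECVE record modelled on the second record in the mail.
SAMPLE_RECORD = (
    'node=hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300): argc=16 '
    'a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H" a3="10.100.0.0" a4="-p" '
    'a5="5666" a6="-c" a7="CheckFiles" a8="-t" a9="20" a10="-a" '
    'a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0" '
    'a13="pattern=*33_0550_L_*.CK8" '
    'a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 '
    'a15="MaxCrit=1"'
)

# aN="plain text" (quoted) or aN=HEXBYTES (unquoted): the kernel never emits a bare
# unquoted string, so an unquoted value is always the hex form.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def kernel_hex_encodes(arg: bytes) -> bool:
    """Mirror of the kernel's untrusted-string rule: a double quote, any byte
    below 0x21 (space, control chars) or above 0x7e (non-ASCII) anywhere in the
    argument makes the whole argument get logged as hex instead of quoted text."""
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in arg)


def decode_arg(quoted: Optional[str], hexed: Optional[str]) -> str:
    """Return one argument as text, decoding the hex form when that is what was logged."""
    if quoted is not None:
        return quoted
    # errors="replace" keeps a non-UTF-8 argument from aborting the whole parse
    return bytes.fromhex(hexed).decode("utf-8", errors="replace")


def decode_execve_args(record: str) -> List[str]:
    """Rebuild argv, in order, from a single EXECVE record.
    Raises ValueError when the a-fields found do not cover 0..argc-1."""
    argc_match = re.search(r"\bargc=(\d+)", record)
    if argc_match is None:
        raise ValueError("not an EXECVE record: no argc field")
    argc = int(argc_match.group(1))
    argv = {}
    for m in ARG_RE.finditer(record):
        argv[int(m.group(1))] = decode_arg(m.group(2), m.group(3))
    if sorted(argv) != list(range(argc)):
        raise ValueError(f"argc={argc} but found indices {sorted(argv)}")
    return [argv[i] for i in range(argc)]


if __name__ == "__main__":
    for i, a in enumerate(decode_execve_args(SAMPLE_RECORD)):
        print(f"a{i}={a!r}")
```

The same decoding is what `ausearch -i` performs in userspace; a central log pipeline that only receives the raw file has to do it itself, as above.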