Hello all,

I am writing to this mailing list as I have not found any working solution online.

We use auditd with the ENRICHED log_format, but we see lots of parameters not being decoded from HEX.

Here are the auditd settings:

log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = root
priority_boost = 4
flush = incremental
freq = 6000
num_logs = 10
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = hostname
max_log_file = 30
max_log_file_action = ROTATE
space_left = 150
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 100
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd

Installed audit version: 2.6.5-3.el7_3.1

Here are the problem parts of the audit log (parameter a2):

node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298): argc=3 a0="/bin/sh" a1="-c" a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F706F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F303535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E442073697A652067742031306222204D6178437269743D31

An undecoded parameter (a14) in the middle:

node= hostname.domain.tld  type=EXECVE msg=audit(1500536092.303:232170300): argc=16 a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H" a3="10.100.0.0" a4="-p" a5="5666" a6="-c" a7="CheckFiles" a8="-t" a9="20" a10="-a" a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0" a13="pattern=*33_0550_L_*.CK8" a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 a15="MaxCrit=1"

We need the ENRICHED log_format so we can analyze audit logs on a central log server. I tried to increase the "priority_boost" parameter to 6, and increased the "freq" parameter to 6000 to give auditd more time for decoding. None of these helped.

What I don't understand is that sometimes it's the last parameter which is not decoded, and sometimes it's one in the middle. See the examples above.

Any kind of advice is welcome.

With kind regards,

Peter

This email and its content belong to Ingenico Group. The enclosed information is confidential and may not be disclosed to any unauthorized person. If you have received it by mistake do not forward it and delete it from your system.
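As an added example (not part of the mail above or of the audit project), a small Python decoder for the hex-encoded EXECVE arguments shown in the two records: the kernel hex-encodes an argument whenever it contains a double quote, a byte below 0x21 (which includes the space) or above 0x7e, so both arguments, which contain spaces, arrive as hex regardless of auditd's settings, and the decoding has to be done on the receiving side, as `ausearch -i` does locally. The sample line is constructed and condensed from the second record, keeping its a14 hex value as a2.

```python
import re
from typing import Dict

# Constructed sample line (not verbatim from the post): condensed from the
# second EXECVE record above, keeping its hex-encoded argument a14 as a2.
SAMPLE_LINE = (
    'node=hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300): '
    'argc=4 a0="/usr/local/nagios/libexec/check_nrpe" a1="-a" '
    'a2=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 '
    'a3="MaxCrit=1"'
)

FIELD_RE = re.compile(r'([^\s=]+)=("[^"]*"|\S*)')   # key=value or key="v w"
ARG_RE = re.compile(r'^a\d+(\[\d+\])?$')             # a0, a1, ... and split a2[0]
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')        # even run of hex digits

def needs_hex_encoding(value: str) -> bool:
    """Kernel rule for untrusted strings: hex-encode if the value contains a
    double quote, a byte below 0x21 (space, control chars) or above 0x7e."""
    return any(ch == '"' or not 0x21 <= ord(ch) <= 0x7e for ch in value)

def decode_arg(raw: str) -> str:
    """Return an EXECVE argument as the kernel saw it: unquote quoted values,
    hex-decode unquoted hex values, pass anything else (e.g. (null)) through."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='backslashreplace')
    return raw

def parse_execve(line: str) -> Dict[str, str]:
    """Split one audit EXECVE line into fields and decode its aN arguments.
    ENRICHED records append extra fields after a 0x1d separator; drop them."""
    body = line.split('\x1d', 1)[0]
    return {key: decode_arg(raw) if ARG_RE.match(key) else raw
            for key, raw in FIELD_RE.findall(body)}

def hex_encoded_args(line: str) -> Dict[str, str]:
    """Only the arguments that arrived hex-encoded, mapped to their decoded
    text, so a central log server can search them like the quoted ones."""
    body = line.split('\x1d', 1)[0]
    return {key: decode_arg(raw) for key, raw in FIELD_RE.findall(body)
            if ARG_RE.match(key) and HEX_RE.match(raw)}

if __name__ == "__main__":
    fields = parse_execve(SAMPLE_LINE)
    print([fields[f"a{i}"] for i in range(int(fields["argc"]))])
    print(hex_encoded_args(SAMPLE_LINE))
```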