On Thursday, July 20, 2017 4:06:48 AM EDT Peter KRIVANSKY wrote:
> Hello together,
> I am writing to this mailing list as I have not found any working solution
> online.
> We use the audit with ENRICHED log_format, but we see lots of
> parameters not being decoded from HEX. Here are the auditd settings:
The decoding from hex is done by ausearch. It's always been like that. What the
enriched format does is capture the ephemeral system-specific mappings such as
UID/GID at the moment the event occurs. This way the events can be correctly
displayed by ausearch no matter which computer you run ausearch on.
> log_file = /var/log/audit/audit.log
> log_format = ENRICHED
> log_group = root
> priority_boost = 4
> flush = incremental
> freq = 6000
> num_logs = 10
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = hostname
> max_log_file = 30
> max_log_file_action = ROTATE
> space_left = 150
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 100
> admin_space_left_action = SUSPEND
> disk_full_action = SUSPEND
> disk_error_action = SUSPEND
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
> Installed audit version:
> 2.6.5-3.el7_3.1
> Here are the problem parts of the audit log (parameter a2):
> node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298):
> argc=3 a0="/bin/sh" a1="-c"
> a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F706F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F303535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E442073697A652067742031306222204D6178437269743D31
> Not decoded parameter (a14) in the middle:
> node=hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300):
> argc=16 a0="/usr/local/nagios/libexec/check_nrpe" a1="-2"
> a2="-H"
> a3="10.100.0.0" a4="-p" a5="5666" a6="-c"
> a7="CheckFiles" a8="-t" a9="20"
> a10="-a" a11="path=F:/clearing/mcft/poseidon/"
> a12="max-dir-depth=0"
> a13="pattern=*33_0550_L_*.CK8"
> a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 a15="MaxCrit=1"
> We need ENRICHED log_format so we can analyze audit logs on a central log
> server. I tried to increase the "priority_boost" parameter to 6, and
> increased the "freq" param. to 6000 to give the auditd more time for
> decoding.
It doesn't need more time, as this does not have any kind of deadline scheduler. I
would however recommend using incremental_async for the flush method, as it's
about 90x faster than the normal incremental method. But this won't affect the
hex encoding. To see your event in full, you need to run the event through
ausearch.
> None of the mentioned helped. What I don't understand is that
> sometimes it's the last parameter which is not decoded, and sometimes it's
> one in the middle.
The hex encoding is done whenever there is a field being captured that could
be controlled by the user. This is to prevent someone naming a file that would
confuse a naive parser and make it misparse the event.
> See example above.
> Any kind of advice is welcome.
> With kind regards
Hope this helps...
-Steve
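For the central-log-server case discussed in this thread, where ausearch is not available at the point of analysis, the following added example (not from the thread, the audit project, or ausearch itself) shows how the raw record is decoded: a quoted value is printable and used as-is, while a bare hex value (which the kernel emits when a string contains a double quote, whitespace, control or non-ASCII bytes, as a2 and a14 above do) is decoded from hex. The sample record is the a2 event quoted above with its wrapped hex value rejoined; the field names treated as string fields are an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: the EXECVE record quoted in the thread, with the wrapped a2
# hex value rejoined, as it arrives at a central log server before any ausearch.
SAMPLE_RECORD = (
    'node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298): '
    'argc=3 a0="/bin/sh" a1="-c" '
    'a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065'
    '202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B'
    '46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F70'
    '6F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F30'
    '3535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E'
    '442073697A652067742031306222204D6178437269743D31'
)

# key=value pairs: a value is either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'([A-Za-z0-9_\[\]]+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
# Numeric fields such as argc=16 also look like hex, so decoding is restricted to
# fields the kernel hex-encodes (assumed set): argv entries a0..aN, chunked a2[0], paths/names.
STRING_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "key", "path"}
ARG_RE = re.compile(r'^a\d+(\[\d+\])?$')

def decode_audit_value(key: str, raw: str) -> str:
    """Decode one field as ausearch -i does: quoted values are printable and taken
    as-is; a string containing a double quote, whitespace, control or non-ASCII
    bytes was written as bare hex. Bad bytes are escaped, never raised."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if (key in STRING_FIELDS or ARG_RE.match(key)) and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
    return raw

def parse_record(record: str) -> Dict[str, str]:
    """Return {field: decoded value} for every key=value pair in one audit record."""
    return {k: decode_audit_value(k, v) for k, v in FIELD_RE.findall(record)}

def execve_argv(record: str) -> List[str]:
    """Rebuild the executed argv from an EXECVE record, in a0..a(argc-1) order."""
    fields = parse_record(record)
    return [fields[f"a{i}"] for i in range(int(fields["argc"]))]

if __name__ == "__main__":
    for i, arg in enumerate(execve_argv(SAMPLE_RECORD)):
        print(f"a{i}={arg!r}")
```

Decoding a2 shows why it was hex-encoded: it carries spaces and an embedded double quote, which a naive `key="value"` parser would misread as field boundaries.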