New draft standards
Burn Alting
burn at swtf.dyndns.org
Fri Dec 18 05:12:08 UTC 2015
On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > I use a proprietary ELK-like system based on ausearch's -i option. I would
> > like to see some variant outputs from ausearch that "packages" events into
> > parse-friendly formats (json, xml) that also incorporates the local
> > transformations Steve proposes. I believe this would be the most generic
> > solution to support centralised log management.
> >
> > I am travelling now, but can write up a specification for review next week.
>
> Yes, please do send something to the mail list for people to look at and
> comment on.
>
All,
To reiterate, my need is to generate easy-to-parse events over which
local interpretation has been applied, retaining raw input to some of
the interpretations if required. I want to then transmit the complete
interpreted event to my central event repository.
My proposal is that ausearch gains the following 'interpreted output'
options:
  --Xo plain|json|xml
      generate plain (cf --interpret), xml or json formatted events
  --Xr key_a'+'key_b'+'key_c
      include raw value for given keys using the new key
      __r_key_a, __r_key_b, etc. The special key __all__ is
      interpreted to retain the complete raw record. If the raw value
      has no interpreted value, then we will end up with two keys with
      the same value.
I have attached the XSD from which the XML and JSON formats could be
defined.
The following provides some examples.
For the raw event (on a system recording execve's and with name_format =
fqd configured)
node=fedora23.a1959.org type=SYSCALL msg=audit(1450409042.880:61882):
arch=c000003e syscall=59 success=yes exit=0 a0=561c5e714d60
a1=561c5e6dbb90 a2=561c5e630920 a3=561c5e6dbb80 items=2 ppid=27269
pid=29282 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=8 comm="ausearch" exe="/usr/sbin/ausearch"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="cmds"
node=fedora23.a1959.org type=EXECVE msg=audit(1450409042.880:61882):
argc=4 a0="ausearch" a1="-i" a2="-if" a3="/var/log/audit/audit.log"
node=fedora23.a1959.org type=CWD msg=audit(1450409042.880:61882):
cwd="/home/burn/audit-2.4.4_debug_fix"
node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882):
item=0 name="/sbin/ausearch" inode=134573468 dev=fd:00 mode=0100755
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882):
item=1 name="/lib64/ld-linux-x86-64.so.2" inode=134397639 dev=fd:00
mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL
node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882):
proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67
Running ausearch with the proposed changes becomes, for --Xo plain
node=fedora23.a1959.org type=PROCTITLE msg=audit(12/18/2015
14:24:02.880:61882) : proctitle=ausearch -i
-if /var/log/audit/audit.log
node=fedora23.a1959.org type=PATH msg=audit(12/18/2015
14:24:02.880:61882) : item=1 name=/lib64/ld-linux-x86-64.so.2
inode=134397639 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=PATH msg=audit(12/18/2015
14:24:02.880:61882) : item=0 name=/sbin/ausearch inode=134573468
dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=CWD msg=audit(12/18/2015
14:24:02.880:61882) : cwd=/home/burn/audit-2.4.4_debug_fix
node=fedora23.a1959.org type=EXECVE msg=audit(12/18/2015
14:24:02.880:61882) : argc=4 a0=ausearch a1=-i a2=-if
a3=/var/log/audit/audit.log
node=fedora23.a1959.org type=SYSCALL msg=audit(12/18/2015
14:24:02.880:61882) : arch=x86_64 syscall=execve success=yes exit=0
a0=0x561c5e714d60 a1=0x561c5e6dbb90 a2=0x561c5e630920 a3=0x561c5e6dbb80
items=2 ppid=27269 pid=29282 auid=burn uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8
comm=ausearch exe=/usr/sbin/ausearch
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=cmds
and, for --Xo xml
<event>
  <node>fedora23.a1959.org</node>
  <time>2015-12-18T14:24:02.880+11:00</time>
  <serial>1450409042.880:61882</serial>
  <records>
    <record>
      <type>PROCTITLE</type>
      <data name="proctitle" value="ausearch -i -if /var/log/audit/audit.log" />
    </record>
    <record>
      <type>PATH</type>
      <data name="item" value="1" />
      <data name="name" value="/lib64/ld-linux-x86-64.so.2" />
      <data name="inode" value="134397639" />
      <data name="dev" value="fd:00" />
      ...
      <data name="nametype" value="NORMAL" />
    </record>
    ...
    <record>
      <type>SYSCALL</type>
      <data name="arch" value="x86_64" />
      <data name="syscall" value="execve" />
      ...
      <data name="subj" value="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" />
      <data name="key" value="cmds" />
    </record>
  </records>
</event>
and, for --Xo json
{
  "event": {
    "node": "fedora23.a1959.org",
    "time": "2015-12-18T14:24:02.880+11:00",
    "serial": "1450409042.880:61882",
    "records": {
      "record": [
        {
          "type": "PROCTITLE",
          "data": {
            "_name": "proctitle",
            "_value": "ausearch -i -if /var/log/audit/audit.log"
          }
        },
        {
          "type": "PATH",
          "data": [
            {
              "_name": "item",
              "_value": "1"
            },
            {
              "_name": "name",
              "_value": "/lib64/ld-linux-x86-64.so.2"
            },
            {
              "_name": "inode",
              "_value": "134397639"
            },
            {
              "_name": "dev",
              "_value": "fd:00"
            },
            ...
            {
              "_name": "nametype",
              "_value": "NORMAL"
            }
          ]
        },
        ...
        {
          "type": "SYSCALL",
          "data": [
            {
              "_name": "arch",
              "_value": "x86_64"
            },
            {
              "_name": "syscall",
              "_value": "execve"
            },
            ...
            {
              "_name": "subj",
              "_value": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
            },
            {
              "_name": "key",
              "_value": "cmds"
            }
          ]
        }
      ]
    }
  }
}
Specifying --Xr __all__ does nothing for plain, but for xml adds a raw
element within each record, as per
...
<records>
  <record>
    <type>PROCTITLE</type>
    <raw>node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67</raw>
    ...
  </record>
  <record>
    <type>PATH</type>
    <raw>node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=134397639 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL</raw>
    ...
and for json adds a raw key within each record, as per
"record": [
  {
    "type": "PROCTITLE",
    "raw": "node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67",
    "data": {
      "_name": "proctitle",
      "_value": "ausearch -i -if /var/log/audit/audit.log"
    }
  },
  {
    "type": "PATH",
    "raw": "node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=134397639 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL",
    "data": [
      {
      ...
And if you want arbitrary raw key values as well as their interpreted
value, then provide a '+' separated list of keys. For example,
--Xr auid|syscall|a2
applied to the following raw record
node=fedora23.a1959.org type=SYSCALL msg=audit(1450410618.410:62231):
arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c
a1=562de17c80f0 a2=1e8 a3=fffff3ff items=1 ppid=27269 pid=29705
auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 ses=8 comm="chmod" exe="/usr/bin/chmod"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="perm_mod"
for --Xo plain, we get
node=fedora23.a1959.org type=SYSCALL msg=audit(12/18/2015
14:50:18.410:62231) : arch=x86_64 syscall=fchmodat success=yes exit=0
a0=0xffffffffffffff9c a1=0x562de17c80f0 a2=0750 a3=0xfffff3ff items=1
ppid=27269 pid=29705 auid=burn uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=chmod
exe=/usr/bin/chmod
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=perm_mod
__r_syscall=268 __r_auid=1000 __r_a2=1e8
for --Xo xml
...
<data name="syscall" value="fchmodat" />
...
<data name="key" value="perm_mod" />
<data name="__r_syscall" value="268" />
<data name="__r_auid" value="1000" />
<data name="__r_a2" value="1e8" />
for --Xo json
...
{
  "_name": "syscall",
  "_value": "fchmodat"
},
...
},
{
  "_name": "key",
  "_value": "perm_mod"
},
{
  "_name": "__r_syscall",
  "_value": "268"
},
{
  "_name": "__r_auid",
  "_value": "1000"
},
{
  "_name": "__r_a2",
  "_value": "1e8"
}
]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ausearch.xsd
Type: application/xml
Size: 5875 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20151218/f13548d6/attachment.wsdl>
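As an added illustration (not code from this mail, the attached XSD, or the audit project), here is a small Python model of the proposed --Xo json output with --Xr raw-key retention. The interpretation tables are a constructed subset of what ausearch -i resolves, the SYSCALL record is abridged from the mail's event 61882, and the <time> element is omitted.

```python
import re
import shlex

SYSCALLS_X86_64 = {"59": "execve", "268": "fchmodat"}  # constructed subset of the audit syscall table
USERS = {"0": "root", "1000": "burn"}                    # constructed stand-in for the passwd/group lookup

# Event 61882 from the mail; the SYSCALL record is abridged to keep the sample short.
SAMPLE_EVENT = [
    'node=fedora23.a1959.org type=SYSCALL msg=audit(1450409042.880:61882): arch=c000003e '
    'syscall=59 success=yes exit=0 a0=561c5e714d60 a1=561c5e6dbb90 a2=561c5e630920 '
    'a3=561c5e6dbb80 items=2 auid=1000 uid=0 comm="ausearch" exe="/usr/sbin/ausearch" key="cmds"',
    'node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): '
    'proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67',
]

def parse_record(raw):
    """Split a raw record into key -> value, dropping the quotes around string fields."""
    return dict(tok.partition("=")[::2] for tok in shlex.split(raw))

def interpret(key, value, fields):
    """Local interpretation of one field (cf. ausearch -i); unknown values pass through."""
    if key == "arch":
        return "x86_64" if value == "c000003e" else value
    if key == "syscall" and fields.get("arch") == "c000003e":
        return SYSCALLS_X86_64.get(value, value)
    if key.endswith(("uid", "gid")):                            # auid, uid, euid, gid, ...
        return USERS.get(value, value)
    if key == "proctitle" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).replace(b"\0", b" ").decode("utf-8", "replace")
    if key == "a2" and fields.get("syscall") == "268":          # fchmodat: a2 is the mode
        return format(int(value, 16), "04o")                    # 1e8 -> 0750
    if key in ("a0", "a1", "a2", "a3") and fields["type"] == "SYSCALL":
        return "0x" + value                                     # other syscall args: 0x-prefixed hex
    return value

def to_record(raw, raw_keys=()):
    """One proposed <record>: type, raw (only for --Xr __all__), then the data entries."""
    fields = parse_record(raw)
    data = [{"_name": k, "_value": interpret(k, v, fields)}
            for k, v in fields.items() if k not in ("node", "type", "msg")]
    # --Xr key_a+key_b: keep each raw value under __r_<key> next to its interpreted value
    data += [{"_name": "__r_" + k, "_value": fields[k]} for k in raw_keys if k in fields]
    return {"type": fields["type"], **({"raw": raw} if "__all__" in raw_keys else {}), "data": data}

def to_event(raw_records, raw_keys=()):
    """Proposed event envelope (node, serial, records); <time> is left out of this model."""
    first = parse_record(raw_records[0])
    serial = first["msg"][len("audit("):].rstrip("):")       # audit(1450409042.880:61882): -> serial
    records = [to_record(r, raw_keys) for r in raw_records]
    return {"event": {"node": first["node"], "serial": serial, "records": {"record": records}}}
```

The model always emits "data" as an array, which differs from the mail's rendering of the single-entry PROCTITLE record as one object.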