Linux Auditd app for Splunk

Douglas Brown doug.brown at qut.edu.au
Fri Apr 1 08:09:07 UTC 2016


> On 1 Apr 2016, at 5:37 PM, Maupertuis Philippe <philippe.maupertuis at worldline.com> wrote:
> 
> The splunk app seems very promising.
> Is there a way to use it when audit records are sent to a central syslog server before feeding Splunk?
> For now, the auditd records are prefixed by syslog information when received by Splunk.

Yep, make a 'local' directory in the TA app; copy the TA's default props.conf to the local directory; uncomment the block at the top of the file, then install the TA on the heavy forwarders/indexers that cook your syslogged audit events.

Cheers,
Doug

> -----Original Message-----
> From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On behalf of linux-audit-request at redhat.com
> Sent: Thursday 31 March 2016 18:00
> To: linux-audit at redhat.com
> Subject: Linux-audit Digest, Vol 138, Issue 9
> 
> Send Linux-audit mailing list submissions to
>        linux-audit at redhat.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://www.redhat.com/mailman/listinfo/linux-audit
> or, via email, send a message with subject or body 'help' to
>        linux-audit-request at redhat.com
> 
> You can reach the person managing the list at
>        linux-audit-owner at redhat.com
> 
> When replying, please edit your Subject line so it is more specific than "Re: Contents of Linux-audit digest..."
> 
> 
> Today's Topics:
> 
>   1. Linux Auditd app for Splunk (Douglas Brown)
>   2. Re: auditd reports port number '0' for connect() system call
>      (Steve Grubb)
>   3. Re: Linux Auditd app for Splunk (Steve Grubb)
>   4. Re: Linux Auditd app for Splunk (F Rafi)
>   5. Re: Linux Auditd app for Splunk (Douglas Brown)
>   6. Re: auditd reports port number '0' for connect() system call
>      (Kangkook Jee)
>   7. Re: auditd reports port number '0' for connect() system call
>      (Kangkook Jee)
>   8. [PATCH] audit: cleanup prune_tree_thread (Jiri Slaby)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 30 Mar 2016 22:34:39 +0000
> From: Douglas Brown <doug.brown at qut.edu.au>
> To: "linux-audit at redhat.com" <linux-audit at redhat.com>
> Subject: Linux Auditd app for Splunk
> Message-ID: <64E84EA2-7954-4B57-857C-DD3B1009A0CB at qut.edu.au>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi all,
> 
> This week I released version 2 of the Linux Auditd app for Splunk: https://splunkbase.splunk.com/app/2642/
> 
> Be sure to let me know if you have any suggestions for improvements.
> 
> Cheers,
> Doug
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 30 Mar 2016 19:29:58 -0400
> From: Steve Grubb <sgrubb at redhat.com>
> To: linux-audit at redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> Message-ID: <1876918.F3mpSQW0Wx at x2>
> Content-Type: text/plain; charset="us-ascii"
> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return an error when the sin_port
>> field is set to '0'. Would anyone explain this to me or help me fix
>> this problem?
> 
> I get 779 as the port from your event.
> 
> -Steve
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 30 Mar 2016 20:46:58 -0400
> From: Steve Grubb <sgrubb at redhat.com>
> To: linux-audit at redhat.com
> Subject: Re: Linux Auditd app for Splunk
> Message-ID: <97302213.LyDR1vQNKZ at x2>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hello,
> 
>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>> This week I released version 2 of the Linux Auditd app for Splunk:
>> https://splunkbase.splunk.com/app/2642/
> 
>> Be sure to let me know if you have any suggestions for improvements.
> 
> Thanks for posting this. It's good to see utilities like this supporting the audit daemon.
> 
> If anyone else has plugins to logging frameworks, reports, helpful scripts, etc...feel free to post a notice about them. We are sort of working on a new home for the audit system at github and can probably dedicate a page to related and helpful projects.
> 
> -Steve
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 31 Mar 2016 01:01:10 -0400
> From: F Rafi <farhanible at gmail.com>
> To: doug.brown at qut.edu.au
> Cc: "linux-audit at redhat.com" <linux-audit at redhat.com>
> Subject: Re: Linux Auditd app for Splunk
> Message-ID:
>        <CABXp1cuoqfJJ=UyWPRnhb6qVPu9tnQNZKSvaFiSXwLGkfSBWLw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> "I've turned SELinux off ... and as per Dan Walsh that's a bad thing."
> Love it.
> 
> Some questions.
> 
> 1. For the Severe Events panel: Where is the severity coming from? The auditd logs don't show a severity rating.
> 
> 2. AUID to username mapping: How are you doing this? Via tty logs or fetching passwd file contents somehow?
> 
> Thanks,
> Farhan
> 
>> On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> 
>> Hello,
>> 
>>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>>> This week I released version 2 of the Linux Auditd app for Splunk:
>>> https://splunkbase.splunk.com/app/2642/
>> 
>>> Be sure to let me know if you have any suggestions for improvements.
>> 
>> Thanks for posting this. It's good to see utilities like this
>> supporting the audit daemon.
>> 
>> If anyone else has plugins to logging frameworks, reports, helpful
>> scripts, etc...feel free to post a notice about them. We are sort of
>> working on a new home for the audit system at github and can probably
>> dedicate a page to related and helpful projects.
>> 
>> -Steve
>> 
>> --
>> Linux-audit mailing list
>> Linux-audit at redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 31 Mar 2016 05:18:22 +0000
> From: Douglas Brown <doug.brown at qut.edu.au>
> To: F Rafi <farhanible at gmail.com>
> Cc: "linux-audit at redhat.com" <linux-audit at redhat.com>
> Subject: Re: Linux Auditd app for Splunk
> Message-ID: <D3C762FA-9B17-4272-B20F-640DD2EF273C at qut.edu.au>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi Farhan,
> 
> Good question. There's no source of truth (that I know of) for the severity of auditd event types so I created a lookup based upon my experience. Here it is: https://github.com/doksu/splunk_auditd/blob/master/linux-auditd/appserver/addons/TA_linux-auditd/lookups/audit_types.csv
> 
> Naturally you can change it to suit your environment but any suggestions for improvement are much appreciated. :)
> 
> The app has three identities lookups it merges together: local, directory and learnt. The first two you're meant to populate (see here for more details: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration), but technically you don't have to bother because version 2 automatically learns posix identities being used in your environment by periodically updating the 'learnt' lookup based upon USER_START events.
> 
> Cheers,
> Doug
> 
> From: F Rafi <farhanible at gmail.com>
> Date: Thursday, 31 March 2016 at 3:01 PM
> To: Doksu <doug.brown at qut.edu.au>
> Cc: "linux-audit at redhat.com" <linux-audit at redhat.com>, Steve Grubb <sgrubb at redhat.com>
> Subject: Re: Linux Auditd app for Splunk
> 
> "I've turned SELinux off ... and as per Dan Walsh that's a bad thing."   Love it.
> 
> Some questions.
> 
> 1. For the Severe Events panel: Where is the severity coming from? The auditd logs don't show a severity rating.
> 
> 2. AUID to username mapping: How are you doing this? Via tty logs or fetching passwd file contents somehow?
> 
> Thanks,
> Farhan
> 
> On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> Hello,
> 
>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>> This week I released version 2 of the Linux Auditd app for Splunk:
>> https://splunkbase.splunk.com/app/2642/
> 
>> Be sure to let me know if you have any suggestions for improvements.
> 
> Thanks for posting this. It's good to see utilities like this supporting the audit daemon.
> 
> If anyone else has plugins to logging frameworks, reports, helpful scripts, etc...feel free to post a notice about them. We are sort of working on a new home for the audit system at github and can probably dedicate a page to related and helpful projects.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 31 Mar 2016 07:33:18 -0400
> From: Kangkook Jee <aixer77 at gmail.com>
> To: Steve Grubb <sgrubb at redhat.com>
> Cc: linux-audit at redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> Message-ID: <46420AF1-CBB8-45E2-B0BA-71A788AEEC43 at gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Dear Steve,
> 
> Thanks a lot for your quick response.
> Would you tell me from what saddr fields that you get the port number value '779'?
> 
> This might indicate my code to extract the field might be wrong. Would you also inform me what is the correct way to decode saddr string?
> 
> Thanks again!
> 
> Regards, Kangkook
> 
> 
>> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>>> If I understood correctly, connect() should return an error when the
>>> sin_port field is set to '0'. Would anyone explain this to me or
>>> help me fix this problem?
>> 
>> I get 779 as the port from your event.
>> 
>> -Steve
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Thu, 31 Mar 2016 08:54:30 -0400
> From: Kangkook Jee <aixer77 at gmail.com>
> To: Steve Grubb <sgrubb at redhat.com>
> Cc: linux-audit at redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> 
> Message-ID: <AE5F3C07-3DA7-4DD9-9B9D-7807518DB4A6 at gmail.com>
> Content-Type: text/plain; charset=utf-8
> 
> I checked out with strings that I provided from the previous email.
> 
> The first 3 ones gave me proper port numbers.
> 
> $ ~/bin/sock_decode 020000358A0F6C0B0000000000000000
> 020000358A0F6C0B0000000000000000: sa_family: 2 addr: 191631242, port: 53 (13568)
> $ ~/bin/sock_decode 0200006F8A0FA5090000000000000000
> 0200006F8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 111 (28416)
> $ ~/bin/sock_decode 0200030B8A0FA5090000000000000000
> 0200030B8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 779 (2819)
> 
> 
> but the last three didn't:
> 
> $ ~/bin/sock_decode 0200000036447A640000000000000000
> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
> $ ~/bin/sock_decode 020000003644ECD00000000000000000
> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
> $ ~/bin/sock_decode 02000000369520250000000000000000
> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
> 
> Would you check this out?
> 
> /Kangkook
> 
>> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>>> If I understood correctly, connect() should return an error when the
>>> sin_port field is set to '0'. Would anyone explain this to me or
>>> help me fix this problem?
>> 
>> I get 779 as the port from your event.
>> 
>> -Steve
> 
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Thu, 31 Mar 2016 10:49:28 +0200
> From: Jiri Slaby <jslaby at suse.cz>
> To: paul at paul-moore.com
> Cc: linux-audit at redhat.com, Jiri Slaby <jslaby at suse.cz>,
>        linux-kernel at vger.kernel.org
> Subject: [PATCH] audit: cleanup prune_tree_thread
> Message-ID: <1459414168-5010-1-git-send-email-jslaby at suse.cz>
> 
> We can use kthread_run instead of kthread_create+wake_up_process for creating the thread.
> 
> We do not need to set the task state to TASK_RUNNING after schedule(), the process is in that state already.
> 
> And we do not need to set the state to TASK_INTERRUPTIBLE when not doing schedule() as we set the state to TASK_RUNNING immediately afterwards.
> 
> Signed-off-by: Jiri Slaby <jslaby at suse.cz>
> Cc: Paul Moore <paul at paul-moore.com>
> Cc: Eric Paris <eparis at redhat.com>
> Cc: <linux-audit at redhat.com>
> ---
> kernel/audit_tree.c | 12 +++++-------
> 1 file changed, 5 insertions(+), 7 deletions(-)
> 
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 5efe9b299a12..25772476fa4a 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -661,10 +661,10 @@ static int tag_mount(struct vfsmount *mnt, void *arg)  static int prune_tree_thread(void *unused)  {
>        for (;;) {
> -               set_current_state(TASK_INTERRUPTIBLE);
> -               if (list_empty(&prune_list))
> +               if (list_empty(&prune_list)) {
> +                       set_current_state(TASK_INTERRUPTIBLE);
>                        schedule();
> -               __set_current_state(TASK_RUNNING);
> +               }
> 
>                mutex_lock(&audit_cmd_mutex);
>                mutex_lock(&audit_filter_mutex);
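Review bot: moving set_current_state(TASK_INTERRUPTIBLE) to after the list_empty(&prune_list) check opens a lost-wakeup window in prune_tree_thread(): if whatever appends to prune_list calls wake_up_process() on this thread between the emptiness check and the state change, the wakeup lands while the task is still TASK_RUNNING and is absorbed, and the following schedule() then sleeps with work already queued. The original order (set the sleeping state first, then test the condition, then schedule()) is the standard pattern that closes that window, and the __set_current_state(TASK_RUNNING) it removed was cheap. If the delay is acceptable because the next enqueue will wake the thread anyway, the commit message should say so; otherwise keep the state change before the test.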
> @@ -693,16 +693,14 @@ static int audit_launch_prune(void)  {
>        if (prune_thread)
>                return 0;
> -       prune_thread = kthread_create(prune_tree_thread, NULL,
> +       prune_thread = kthread_run(prune_tree_thread, NULL,
>                                "audit_prune_tree");
>        if (IS_ERR(prune_thread)) {
>                pr_err("cannot start thread audit_prune_tree");
>                prune_thread = NULL;
>                return -ENOMEM;
> -       } else {
> -               wake_up_process(prune_thread);
> -               return 0;
>        }
> +       return 0;
> }
> 
> /* called with audit_filter_mutex */
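Review bot: since this hunk already restructures the error handling in audit_launch_prune(), two pre-existing wrinkles in the lines it touches are worth fixing in the same pass: `return -ENOMEM;` discards whatever error kthread_run() actually returned (PTR_ERR(prune_thread) would preserve it for the caller), and the `pr_err("cannot start thread audit_prune_tree");` string has no trailing newline, so the next kernel log line is appended to it. Neither affects the simplification the patch is after, but both sit inside the hunk's context.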
> --
> 2.7.4
> 
> 
> 
> ------------------------------
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> End of Linux-audit Digest, Vol 138, Issue 9
> *******************************************
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
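Messages 2, 6 and 7 above turn on how an auditd saddr= hex string decodes. The decoder below is an added example written for this page, not Kangkook's sock_decode tool or anything from the audit project; it assumes the records were produced on a little-endian Linux host and uses the six saddr values quoted in message 7 plus one constructed AF_UNIX value as input. It also shows why the values with port 0 are decoded correctly rather than being a parser bug.

```python
import ipaddress
import struct

# Linux sa_family values, hard-coded because the records come from a Linux
# kernel regardless of where the decoder runs. Assumption: little-endian
# host, so sa_family (stored in host byte order) is read little-endian.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample input: the six saddr values quoted in message 7 above,
# plus one AF_UNIX value built here for illustration.
SAMPLE_SADDRS = [
    "020000358A0F6C0B0000000000000000",
    "0200006F8A0FA5090000000000000000",
    "0200030B8A0FA5090000000000000000",
    "0200000036447A640000000000000000",
    "020000003644ECD00000000000000000",
    "02000000369520250000000000000000",
    "0100" + b"/var/run/nscd/socket\x00".hex().upper(),
]


def decode_saddr(hex_saddr):
    """Decode one auditd saddr= value: a hex dump of the struct sockaddr
    the caller handed to connect()/bind()/sendto().

    sin_port/sin6_port are in network byte order, so they are read
    big-endian. Reading them little-endian instead yields the number
    sock_decode printed in parentheses (0x0035 -> 13568 instead of 53).
    """
    raw = bytes.fromhex(hex_saddr)
    (family,) = struct.unpack("<H", raw[:2])
    if family == AF_INET:
        port, addr = struct.unpack("!H4s", raw[2:8])
        return {"family": "AF_INET", "addr": str(ipaddress.IPv4Address(addr)), "port": port}
    if family == AF_INET6:
        port, _flowinfo, addr = struct.unpack("!HI16s", raw[2:24])
        (scope_id,) = struct.unpack("<I", raw[24:28])  # sin6_scope_id is host order
        return {"family": "AF_INET6", "addr": str(ipaddress.IPv6Address(addr)),
                "port": port, "scope_id": scope_id}
    if family == AF_UNIX:
        path = raw[2:].split(b"\x00", 1)[0].decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": path}
    return {"family": family, "raw": raw[2:].hex()}


def port_zero_records(hex_saddrs):
    """Return the decoded IPv4/IPv6 records whose port is 0. That is a faithful
    decode, not a parser error: the kernel logs the sockaddr as supplied, and
    whether the call succeeded is in the record's success=/exit= fields."""
    return [d for d in map(decode_saddr, hex_saddrs) if d.get("port") == 0]
```

Running `port_zero_records(SAMPLE_SADDRS)` returns exactly the three records from the second batch in message 7, each with a valid IPv4 address and sin_port genuinely 0, so the value to check for those events is the record's success= field rather than the decoder.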
