diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 5699cfef72e..dbf1c02b828 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,6 +15,7 @@
 /packages/atlassian_confluence @elastic/security-external-integrations
 /packages/atlassian_jira @elastic/security-external-integrations
 /packages/auditd @elastic/security-external-integrations
+/packages/auditd_manager @elastic/security-external-integrations
 /packages/auth0 @elastic/security-external-integrations
 /packages/aws_logs @elastic/obs-cloud-monitoring
 /packages/aws @elastic/obs-cloud-monitoring
diff --git a/packages/auditd/_dev/build/docs/README.md b/packages/auditd/_dev/build/docs/README.md
index eb026ef8085..1db09b1a09e 100644
--- a/packages/auditd/_dev/build/docs/README.md
+++ b/packages/auditd/_dev/build/docs/README.md
@@ -1,6 +1,6 @@
-# Auditd Integration
+# Auditd Logs Integration
 
-The Auditd integration collects and parses logs from the audit daemon (`auditd`).
+The Auditd Logs integration collects and parses logs from the audit daemon (`auditd`).
 
 ## Compatibility
 
@@ -8,11 +8,7 @@ The integration was tested with logs from `auditd` on OSes like CentOS 6 and Cen
 
 This integration is not available for Windows.
 
-## Logs
-
-### Auditd log
-
-This is the Auditd `log` dataset.
+## Auditd Logs
 
 {{event "log"}}
 
diff --git a/packages/auditd/changelog.yml b/packages/auditd/changelog.yml
index 323c317ee68..56a6b527ef1 100644
--- a/packages/auditd/changelog.yml
+++ b/packages/auditd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.1.0"
+  changes:
+    - description: Change title to Auditd Logs
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2763
 - version: "3.0.0"
   changes:
     - description: Migrate map visualisation from tile_map to map object
diff --git a/packages/auditd/docs/README.md b/packages/auditd/docs/README.md
index 69ea153b6fc..85f343c361c 100644
--- a/packages/auditd/docs/README.md
+++ b/packages/auditd/docs/README.md
@@ -1,6 +1,6 @@
-# Auditd Integration
+# Auditd Logs Integration
 
-The Auditd integration collects and parses logs from the audit daemon (`auditd`).
+The Auditd Logs integration collects and parses logs from the audit daemon (`auditd`).
 
 ## Compatibility
 
@@ -8,11 +8,7 @@ The integration was tested with logs from `auditd` on OSes like CentOS 6 and Cen
 
 This integration is not available for Windows.
 
-## Logs
-
-### Auditd log
-
-This is the Auditd `log` dataset.
+## Auditd Logs
 
 An example event for `log` looks as following:
 
diff --git a/packages/auditd/manifest.yml b/packages/auditd/manifest.yml
index 350a8b97f75..d0978865445 100644
--- a/packages/auditd/manifest.yml
+++ b/packages/auditd/manifest.yml
@@ -1,6 +1,6 @@
 name: auditd
-title: Auditd
-version: 3.0.0
+title: Auditd Logs
+version: 3.1.0
 release: ga
 description: Collect logs from Linux audit daemon with Elastic Agent.
 type: integration
diff --git a/packages/auditd_manager/_dev/build/build.yml b/packages/auditd_manager/_dev/build/build.yml
new file mode 100644
index 00000000000..d61527283ec
--- /dev/null
+++ b/packages/auditd_manager/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@8.2
diff --git a/packages/auditd_manager/_dev/build/docs/README.md b/packages/auditd_manager/_dev/build/docs/README.md
new file mode 100644
index 00000000000..b330276b185
--- /dev/null
+++ b/packages/auditd_manager/_dev/build/docs/README.md
@@ -0,0 +1,112 @@
+# Auditd Manager Integration
+
+The Auditd Manager Integration receives audit events from the Linux Audit Framework that
+is a part of the Linux kernel.
+
+This integration is available only for Linux.
+
+## How it works
+
+This integration establishes a subscription to the kernel to receive the events
+as they occur.
+
+The Linux Audit Framework can send multiple messages for a single auditable
+event. For example, a `rename` syscall causes the kernel to send eight separate
+messages. Each message describes a different aspect of the activity that is
+occurring (the syscall itself, file paths, current working directory, process
+title). This integration will combine all of the data from each of the messages
+into a single event.
+
+Messages for one event can be interleaved with messages from another event. This
+module will buffer the messages in order to combine related messages into a
+single event even if they arrive interleaved or out of order.
+
+## Useful commands
+
+When running this integration, you might find that other monitoring tools interfere with it.
+
+For example, you might encounter errors if another process, such as `auditd`, is
+registered to receive data from the Linux Audit Framework. You can use these
+commands to see if the `auditd` service is running and stop it:
+
+* See if `auditd` is running:
+
+```shell
+service auditd status
+```
+
+* Stop the `auditd` service:
+
+```shell
+service auditd stop
+```
+
+* Disable `auditd` from starting on boot:
+
+```shell
+chkconfig auditd off
+```
+
+To save CPU usage and disk space, you can use this command to stop `journald`
+from listening to audit messages:
+
+```shell
+systemctl mask systemd-journald-audit.socket
+```
+
+## Audit rules
+
+The audit rules are where you configure the activities that are audited. These
+rules are configured as either syscalls or files that should be monitored. For
+example you can track all `connect` syscalls or file system writes to
+`/etc/passwd`.
+
+Auditing a large number of syscalls can place a heavy load on the system so
+consider carefully the rules you define and try to apply filters in the rules
+themselves to be as selective as possible.
+
+The kernel evaluates the rules in the order in which they were defined so place
+the most active rules first in order to speed up evaluation.
+
+You can assign keys to each rule for better identification of the rule that
+triggered an event and easier filtering later in Elasticsearch.
+
+Defining any audit rules in the config causes `elastic-agent` to purge all
+existing audit rules prior to adding the rules specified in the config.
+Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
+
+Examples:
+
+```sh
+## If you are on a 64 bit platform, everything should be running
+## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+## because this might be a sign of someone exploiting a hole in the 32
+## bit API.
+-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+## Executions.
+-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+## External access (warning: these can be expensive to audit).
+-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+## Unauthorized access attempts.
+-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+# Things that affect identity.
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+
+# Unauthorized access attempts to files (unsuccessful).
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+```
+
+{{event "auditd"}}
+
+{{fields "auditd"}}
diff --git a/packages/auditd_manager/changelog.yml b/packages/auditd_manager/changelog.yml
new file mode 100644
index 00000000000..5b21722f731
--- /dev/null
+++ b/packages/auditd_manager/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "1.0.0"
+  changes:
+    - description: Initial release
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2763
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/deploy/agent/custom-agent.yml b/packages/auditd_manager/data_stream/auditd/_dev/deploy/agent/custom-agent.yml
new file mode 100644
index 00000000000..531c24ced92
--- /dev/null
+++ b/packages/auditd_manager/data_stream/auditd/_dev/deploy/agent/custom-agent.yml
@@ -0,0 +1,8 @@
+version: "2.3"
+services:
+  docker-custom-agent:
+    pid: host
+    cap_add:
+      - AUDIT_CONTROL
+      - AUDIT_READ
+    user: root
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/auditlogin-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/auditlogin-events.json
new file mode 100644
index 00000000000..0bd4a4af65d
--- /dev/null
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/auditlogin-events.json
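Review bot: The `docker-custom-agent` service in custom-agent.yml runs as `user: root` with `pid: host` and adds `AUDIT_CONTROL` and `AUDIT_READ`, but nothing in the file says why each privilege is needed, and the auditd_manager README introduced in this same change never states what privileges the agent requires to subscribe to the kernel audit interface. A reader cannot tell which of these settings are hard requirements and which are test-harness convenience, so the dev deployment becomes the only record of the integration's privilege footprint. Suggest a comment above `cap_add` along the lines of `# AUDIT_CONTROL: install/purge audit rules; AUDIT_READ: receive audit records from the kernel; pid: host presumably so pids in audit records resolve to host processes — confirm`, and a short requirements paragraph in the README naming the same capabilities. It is also worth confirming whether `user: root` is still necessary once those two capabilities are granted, and recording the answer in the same comment.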
@@ -0,0 +1,185 @@ +{ + "events": [ + { + "auditd": { + "data": { + "old-ses": "4294967295", + "tty": "(none)" + }, + "message_type": "login", + "result": "success", + "sequence": 1414, + "session": "58", + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "1000", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=LOGIN msg=audit(1611244872.857:1414): pid=27681 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=58 res=1" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 27681 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "1000", + "name": "vagrant" + } + } + }, + { + "auditd": { + "data": { + "old-ses": "58", + "tty": "pts2" + }, + "message_type": "login", + "result": "success", + "sequence": 1465, + "session": "59", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "object": { + "primary": "1001", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=LOGIN msg=audit(1611244909.293:1465): pid=27768 uid=0 old-auid=1000 auid=1001 tty=pts2 old-ses=58 ses=59 res=1" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 27768 + }, + "related": { + "user": [ + "alice", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1001", + "name": "alice" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1000", + "name": "vagrant", + "old-auid": { + "id": "1000", + "name": "vagrant" + } + } + }, + { + "auditd": { + "data": { + "new_ses": "1172", + "old_ses": "4294967295" + }, + "message_type": 
"login", + "result": "unknown", + "sequence": 7734, + "session": "", + "summary": { + "actor": { + "primary": "4294967295", + "secondary": "root" + }, + "object": { + "primary": "0", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=LOGIN msg=audit(1234877011.799:7734): login pid=26125 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1172" + ], + "outcome": "unknown", + "type": [ + "start" + ] + }, + "process": { + "pid": 26125 + }, + "related": { + "user": [ + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "new_auid": { + "id": "0", + "name": "root" + }, + "old_auid": { + "id": "4294967295" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/auditlogin-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/auditlogin-events.json-expected.json new file mode 100644 index 00000000000..773dfa829ce --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/auditlogin-events.json-expected.json 
@@ -0,0 +1,211 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "old_ses": "4294967295", + "tty": "(none)" + }, + "message_type": "login", + "messages": [ + "type=LOGIN msg=audit(1611244872.857:1414): pid=27681 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=58 res=1" + ], + "result": "success", + "session": "58", + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "object": { + "primary": "1000", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=LOGIN msg=audit(1611244872.857:1414): pid=27681 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=58 res=1", + "outcome": "success", + "sequence": 1414, + "type": [ + "start" + ] + }, + "process": { + "pid": 27681 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1000", + "name": "vagrant" + } + } + }, + { + "auditd": { + "data": { + "old_ses": "58", + "tty": "pts2" + }, + "message_type": "login", + "messages": [ + "type=LOGIN msg=audit(1611244909.293:1465): pid=27768 uid=0 old-auid=1000 auid=1001 tty=pts2 old-ses=58 ses=59 res=1" + ], + "result": "success", + "session": "59", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "object": { + "primary": "1001", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1001", + "name": "alice" + }, + "old_auid": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=LOGIN msg=audit(1611244909.293:1465): pid=27768 uid=0 old-auid=1000 auid=1001 tty=pts2 old-ses=58 
ses=59 res=1", + "outcome": "success", + "sequence": 1465, + "type": [ + "start" + ] + }, + "process": { + "pid": 27768 + }, + "related": { + "user": [ + "alice", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "new_ses": "1172", + "old_ses": "4294967295" + }, + "message_type": "login", + "messages": [ + "type=LOGIN msg=audit(1234877011.799:7734): login pid=26125 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1172" + ], + "result": "unknown", + "summary": { + "actor": { + "primary": "4294967295", + "secondary": "root" + }, + "object": { + "primary": "0", + "type": "user-session" + } + }, + "user": { + "new_auid": { + "id": "0", + "name": "root" + }, + "old_auid": { + "id": "4294967295" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-login-id-to", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=LOGIN msg=audit(1234877011.799:7734): login pid=26125 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1172", + "outcome": "unknown", + "sequence": 7734, + "type": [ + "start" + ] + }, + "process": { + "pid": 26125 + }, + "related": { + "user": [ + "root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/centos7-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/centos7-events.json new file mode 100644 index 00000000000..2fe4a9e03e4 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/centos7-events.json 
@@ -0,0 +1,623 @@ +{ + "events": [ + { + "auditd": { + "data": { + "acct": "vagrant", + "grantors": "pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog", + "hostname": "10.0.2.2", + "op": "PAM:session_open", + "terminal": "ssh" + }, + "message_type": "user_start", + "result": "success", + "sequence": 425, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "10.0.2.2", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610992796.780:425): pid=10174 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct=\"vagrant\" exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 10174 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "10.0.2.2" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "sshd_t", + "level": "s0-s0", + "role": "system_r", + "user": "system_u" + } + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost.localdomain", + "op": "add-group", + "terminal": "pts/1" + }, + "message_type": "add_group", + "result": "success", + "sequence": 463, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + 
"object": { + "primary": "bob", + "type": "account" + } + } + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_GROUP msg=audit(1610992959.555:463): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct=\"bob\" exe=\"/usr/sbin/useradd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "9999", + "name": "bob" + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 10246 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "localhost.localdomain", + "id": "1002", + "op": "add-user", + "terminal": "pts/1" + }, + "message_type": "add_user", + "result": "success", + "sequence": 464, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + "object": { + "primary": "1002", + "type": "account" + } + } + }, + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_USER msg=audit(1610992959.558:464): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user id=1002 exe=\"/usr/sbin/useradd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "creation" + ] + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 10246 + }, + 
"related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "1002", + "op": "changing-primary-group", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 629, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "oldbob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054112.528:629): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-primary-group id=1002 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20839 + }, + "related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "1002", + "op": "updating-home-dir-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 631, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "oldbob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054112.538:631): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=1002 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20839 + }, + "related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "9999", + "op": "changing-uid", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 639, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054337.523:639): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-uid id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "9999", + "op": "updating-mail-file-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 641, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054337.530:641): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-mail-file-owner id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "id": "9999", + "op": "updating-home-dir-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "result": "success", + "sequence": 642, + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + } + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_MGMT msg=audit(1611054337.531:642): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + }, + "target": { + "id": "9999", + "name": "bob" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/centos7-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/centos7-events.json-expected.json new file mode 100644 index 00000000000..431fa027d92 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/centos7-events.json-expected.json 
@@ -0,0 +1,695 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "acct": "vagrant", + "grantors": "pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog", + "hostname": "10.0.2.2", + "op": "PAM:session_open", + "terminal": "ssh" + }, + "message_type": "user_start", + "messages": [ + "type=USER_START msg=audit(1610992796.780:425): pid=10174 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct=\"vagrant\" exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=success'" + ], + "result": "success", + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "10.0.2.2", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "selinux": { + "category": "c0.c1023", + "domain": "sshd_t", + "level": "s0-s0", + "role": "system_r", + "user": "system_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": "type=USER_START msg=audit(1610992796.780:425): pid=10174 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct=\"vagrant\" exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=success'", + "outcome": "success", + "sequence": 425, + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 10174 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "source": { 
+ "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost.localdomain", + "op": "add-group", + "terminal": "pts/1" + }, + "message_type": "add_group", + "messages": [ + "type=ADD_GROUP msg=audit(1610992959.555:463): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct=\"bob\" exe=\"/usr/sbin/useradd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "result": "success", + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + "object": { + "primary": "bob", + "type": "account" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": "type=ADD_GROUP msg=audit(1610992959.555:463): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct=\"bob\" exe=\"/usr/sbin/useradd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 463, + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "9999", + "name": "bob" + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 10246 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": 
"localhost.localdomain", + "op": "add-user", + "terminal": "pts/1" + }, + "message_type": "add_user", + "messages": [ + "type=ADD_USER msg=audit(1610992959.558:464): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user id=1002 exe=\"/usr/sbin/useradd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "result": "success", + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + "object": { + "primary": "1002", + "type": "account" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "id": "1002", + "kind": "event", + "original": "type=ADD_USER msg=audit(1610992959.558:464): pid=10246 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user id=1002 exe=\"/usr/sbin/useradd\" hostname=localhost.localdomain addr=127.0.0.1 terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 464, + "type": [ + "user", + "creation" + ] + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 10246 + }, + "related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "op": "changing-primary-group", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "messages": [ + "type=USER_MGMT msg=audit(1611054112.528:629): pid=20839 uid=0 auid=1000 ses=3 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-primary-group id=1002 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "result": "success", + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "oldbob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "id": "1002", + "kind": "event", + "original": "type=USER_MGMT msg=audit(1611054112.528:629): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-primary-group id=1002 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 629, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20839 + }, + "related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "op": "updating-home-dir-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "messages": [ + "type=USER_MGMT msg=audit(1611054112.538:631): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=1002 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "result": "success", + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "oldbob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "id": "1002", + "kind": "event", + "original": "type=USER_MGMT msg=audit(1611054112.538:631): pid=20839 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=1002 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 631, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20839 + }, + "related": { + "user": [ + "oldbob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1002", + "name": "oldbob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "op": "changing-uid", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "messages": [ + "type=USER_MGMT msg=audit(1611054337.523:639): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-uid id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "result": "success", + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "id": "9999", + "kind": "event", + "original": "type=USER_MGMT msg=audit(1611054337.523:639): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=changing-uid id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 639, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "op": "updating-mail-file-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "messages": [ + "type=USER_MGMT msg=audit(1611054337.530:641): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-mail-file-owner id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "result": "success", + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "id": "9999", + "kind": "event", + "original": "type=USER_MGMT msg=audit(1611054337.530:641): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-mail-file-owner id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 641, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "hostname": "localhost.localdomain", + "op": "updating-home-dir-owner", + "terminal": "pts/1" + }, + "message_type": "user_mgmt", + "messages": [ + "type=USER_MGMT msg=audit(1611054337.531:642): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? terminal=pts/1 res=success'" + ], + "result": "success", + "session": "3", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/1", + "secondary": "localhost.localdomain", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "id": "9999", + "kind": "event", + "original": "type=USER_MGMT msg=audit(1611054337.531:642): pid=20862 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=updating-home-dir-owner id=9999 exe=\"/usr/sbin/usermod\" hostname=localhost.localdomain addr=? 
terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 642, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 20862 + }, + "related": { + "user": [ + "bob", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "9999", + "name": "bob" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/chown-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/chown-events.json new file mode 100644 index 00000000000..ce71977b773 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/chown-events.json 
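Review bot: The expected documents populate `event.id` with the affected account's uid — e.g. `"id": "9999"` in the `modified-user-account` events here, the same value that already sits in `user.target.id` — which looks like the pipeline renaming `auditd.data.id` (present in the input fixture, absent from the expected output). ECS defines `event.id` as an identifier of the event itself, so any query that deduplicates or joins on `event.id` would collapse every change to the same account into one event; the per-record audit sequence is already carried in `event.sequence`. If the rename is intentional, keep a copy under `auditd.data.id` or document the non-standard meaning in the data stream's field docs. The same mapping appears in passwd-events.json-expected.json (`"id": "1003"` for the usermod records).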
@@ -0,0 +1,138 @@ +{ + "events": [ + { + "auditd": { + "data": { + "a0": "ffffffffffffff9c", + "a1": "12d6210", + "a2": "3e9", + "a3": "ffffffff", + "arch": "x86_64", + "exit": "0", + "syscall": "fchownat", + "tty": "pts2" + }, + "message_type": "syscall", + "paths": [ + { + "cap_fe": "0", + "cap_fi": "0000000000000000", + "cap_fp": "0000000000000000", + "cap_fver": "0", + "dev": "fd:02", + "inode": "921833", + "item": "0", + "mode": "0100664", + "name": "test", + "obj_domain": "user_home_t", + "obj_level": "s0", + "obj_role": "object_r", + "obj_user": "unconfined_u", + "objtype": "NORMAL", + "ogid": "1000", + "ouid": "9999", + "rdev": "00:00" + } + ], + "result": "success", + "sequence": 263, + "session": "8", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chown", + "object": { + "primary": "test", + "type": "file" + } + } + }, + "event": { + "action": "changed-file-ownership-of", + "category": [ + "file" + ], + "kind": "event", + "original": [ + "type=SYSCALL msg=audit(1611091464.740:263): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=12d6210 a2=3e9 a3=ffffffff items=1 ppid=9492 pid=9494 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=8 comm=\"chown\" exe=\"/usr/bin/chown\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=CWD msg=audit(1611091464.740:263): cwd=\"/home/vagrant\"", + "type=PATH msg=audit(1611091464.740:263): item=0 name=\"test\" inode=921833 dev=fd:02 mode=0100664 ouid=9999 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0", + "type=PROCTITLE msg=audit(1611091464.740:263): proctitle=63686F776E002D5200616C6963650074657374" + ], + "outcome": "success", + "type": [ + "change" + ] + }, + "file": { + "device": "00:00", + "gid": "1000", + "group": "vagrant", + "inode": "921833", + "mode": "0664", + "owner": "bob", + "path": 
"test", + "selinux": { + "domain": "user_home_t", + "level": "s0", + "role": "object_r", + "user": "unconfined_u" + }, + "uid": "9999" + }, + "process": { + "executable": "/usr/bin/chown", + "name": "chown", + "pid": 9494, + "parent": { + "pid": 9492 + }, + "title": "chown -R alice test", + "working_directory": "/home/vagrant" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "access" + ], + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root", + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/chown-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/chown-events.json-expected.json new file mode 100644 index 00000000000..0bcd8e7332b --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/chown-events.json-expected.json 
@@ -0,0 +1,146 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "a0": "ffffffffffffff9c", + "a1": "12d6210", + "a2": "3e9", + "a3": "ffffffff", + "arch": "x86_64", + "exit": 0, + "syscall": "fchownat", + "tty": "pts2" + }, + "file": { + "selinux": { + "domain": "user_home_t", + "level": "s0", + "role": "object_r", + "user": "unconfined_u" + } + }, + "message_type": "syscall", + "messages": [ + "type=SYSCALL msg=audit(1611091464.740:263): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=12d6210 a2=3e9 a3=ffffffff items=1 ppid=9492 pid=9494 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=8 comm=\"chown\" exe=\"/usr/bin/chown\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=CWD msg=audit(1611091464.740:263): cwd=\"/home/vagrant\"", + "type=PATH msg=audit(1611091464.740:263): item=0 name=\"test\" inode=921833 dev=fd:02 mode=0100664 ouid=9999 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0", + "type=PROCTITLE msg=audit(1611091464.740:263): proctitle=63686F776E002D5200616C6963650074657374" + ], + "paths": [ + { + "cap_fe": "0", + "cap_fi": "0000000000000000", + "cap_fp": "0000000000000000", + "cap_fver": "0", + "dev": "fd:02", + "inode": "921833", + "item": "0", + "mode": "0100664", + "name": "test", + "obj_domain": "user_home_t", + "obj_level": "s0", + "obj_role": "object_r", + "obj_user": "unconfined_u", + "objtype": "NORMAL", + "ogid": "1000", + "ouid": "9999", + "rdev": "00:00" + } + ], + "result": "success", + "session": "8", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chown", + "object": { + "primary": "test", + "type": "file" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "saved": { + "group": { + 
"id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-file-ownership-of", + "category": [ + "file" + ], + "kind": "event", + "original": "type=SYSCALL msg=audit(1611091464.740:263): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=12d6210 a2=3e9 a3=ffffffff items=1 ppid=9492 pid=9494 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=8 comm=\"chown\" exe=\"/usr/bin/chown\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"\ntype=CWD msg=audit(1611091464.740:263): cwd=\"/home/vagrant\"\ntype=PATH msg=audit(1611091464.740:263): item=0 name=\"test\" inode=921833 dev=fd:02 mode=0100664 ouid=9999 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0\ntype=PROCTITLE msg=audit(1611091464.740:263): proctitle=63686F776E002D5200616C6963650074657374", + "outcome": "success", + "sequence": 263, + "type": [ + "change" + ] + }, + "file": { + "device": "00:00", + "gid": "1000", + "group": "vagrant", + "inode": "921833", + "mode": "0664", + "owner": "bob", + "path": "test", + "uid": "9999" + }, + "process": { + "executable": "/usr/bin/chown", + "name": "chown", + "parent": { + "pid": 9492 + }, + "pid": 9494, + "title": "chown -R alice test", + "working_directory": "/home/vagrant" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/passwd-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/passwd-events.json new file mode 100644 index 00000000000..723baf89b90 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/passwd-events.json 
@@ -0,0 +1,284 @@ +{ + "events": [ + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:chauthtok", + "terminal": "pts/1" + }, + "message_type": "user_chauthtok", + "result": "success", + "sequence": 797, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/passwd", + "object": { + "primary": "pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_CHAUTHTOK msg=audit(1610986912.458:797): pid=13107 uid=0 auid=1002 ses=15 msg='op=PAM:chauthtok acct=\"bob\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/bin/passwd", + "pid": 13107 + }, + "related": { + "user": [ + "bob", + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob", + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1003", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "result": "success", + "sequence": 805, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_CHAUTHTOK msg=audit(1610987544.541:805): pid=13379 uid=0 auid=1000 ses=14 msg='op=changing comment id=1003 exe=\"/usr/sbin/usermod\" 
hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 13379 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "hostname": "ubuntu-bionic", + "id": "1003", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "result": "success", + "sequence": 810, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/2", + "secondary": "ubuntu-bionic", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_CHAUTHTOK msg=audit(1610987708.643:810): pid=13519 uid=0 auid=1000 ses=14 msg='op=changing name id=1003 exe=\"/usr/sbin/usermod\" hostname=ubuntu-bionic addr=? 
terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 13519 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "ubuntu-bionic", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 815, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/groupmod", + "object": { + "primary": "pts/2", + "secondary": "ubuntu-bionic", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610988774.279:815): pid=13812 uid=0 auid=1000 ses=14 msg='op=changing /etc/group; group bob/1003, new name: bobby acct=\"bob\" exe=\"/usr/sbin/groupmod\" hostname=ubuntu-bionic addr=? terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/sbin/groupmod", + "pid": 13812 + }, + "related": { + "user": [ + "bob", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1000", + "name": "vagrant" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/passwd-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/passwd-events.json-expected.json new file mode 100644 index 00000000000..b95ee3cd793 --- /dev/null 
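Review bot: Three different operations in this fixture normalise to the same `auditd.data.op` value `changing` — `op=changing comment id=1003`, `op=changing name id=1003` and `op=changing /etc/group; group bob/1003, new name: bobby` in the `event.original` strings — so what was changed (an account comment, a login name, a group rename) survives only in `event.original`. This appears to come from the upstream parser splitting `op` at the first space rather than from the pipeline, and the expected file preserves it unchanged. It is worth a sentence in the data stream README so that detection authors do not rely on `auditd.data.op` to distinguish account renames from comment edits. The last record also shows a `groupmod` USER_ACCT line mapped to `event.action: was-authorized` / `event.category: authentication`, which is the upstream classification but reads oddly for a group rename.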
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/passwd-events.json-expected.json 
@@ -0,0 +1,320 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:chauthtok", + "terminal": "pts/1" + }, + "message_type": "user_chauthtok", + "messages": [ + "type=USER_CHAUTHTOK msg=audit(1610986912.458:797): pid=13107 uid=0 auid=1002 ses=15 msg='op=PAM:chauthtok acct=\"bob\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/passwd", + "object": { + "primary": "pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": "type=USER_CHAUTHTOK msg=audit(1610986912.458:797): pid=13107 uid=0 auid=1002 ses=15 msg='op=PAM:chauthtok acct=\"bob\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 797, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/bin/passwd", + "pid": 13107 + }, + "related": { + "user": [ + "bob", + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob", + "target": { + "id": "9999", + "name": "bob" + } + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "messages": [ + "type=USER_CHAUTHTOK msg=audit(1610987544.541:805): pid=13379 uid=0 auid=1000 ses=14 msg='op=changing comment id=1003 exe=\"/usr/sbin/usermod\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], 
+ "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "id": "1003", + "kind": "event", + "original": "type=USER_CHAUTHTOK msg=audit(1610987544.541:805): pid=13379 uid=0 auid=1000 ses=14 msg='op=changing comment id=1003 exe=\"/usr/sbin/usermod\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 805, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 13379 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "hostname": "ubuntu-bionic", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "messages": [ + "type=USER_CHAUTHTOK msg=audit(1610987708.643:810): pid=13519 uid=0 auid=1000 ses=14 msg='op=changing name id=1003 exe=\"/usr/sbin/usermod\" hostname=ubuntu-bionic addr=? 
terminal=pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/sbin/usermod", + "object": { + "primary": "pts/2", + "secondary": "ubuntu-bionic", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "id": "1003", + "kind": "event", + "original": "type=USER_CHAUTHTOK msg=audit(1610987708.643:810): pid=13519 uid=0 auid=1000 ses=14 msg='op=changing name id=1003 exe=\"/usr/sbin/usermod\" hostname=ubuntu-bionic addr=? terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 810, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/sbin/usermod", + "pid": 13519 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "ubuntu-bionic", + "op": "changing", + "terminal": "pts/2" + }, + "message_type": "user_acct", + "messages": [ + "type=USER_ACCT msg=audit(1610988774.279:815): pid=13812 uid=0 auid=1000 ses=14 msg='op=changing /etc/group; group bob/1003, new name: bobby acct=\"bob\" exe=\"/usr/sbin/groupmod\" hostname=ubuntu-bionic addr=? 
terminal=pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "bob" + }, + "how": "/usr/sbin/groupmod", + "object": { + "primary": "pts/2", + "secondary": "ubuntu-bionic", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_ACCT msg=audit(1610988774.279:815): pid=13812 uid=0 auid=1000 ses=14 msg='op=changing /etc/group; group bob/1003, new name: bobby acct=\"bob\" exe=\"/usr/sbin/groupmod\" hostname=ubuntu-bionic addr=? terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 815, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/sbin/groupmod", + "pid": 13812 + }, + "related": { + "user": [ + "bob", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1000", + "name": "vagrant" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/setuid-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/setuid-events.json new file mode 100644 index 00000000000..01e568c6b0a --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/setuid-events.json 
@@ -0,0 +1,299 @@ +{ + "events": [ + { + "auditd": { + "data": { + "a0": "0", + "a1": "3e8", + "a2": "ffffffffffffffff", + "a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": "0", + "syscall": "setgid", + "tty": "pts0" + }, + "message_type": "syscall", + "result": "success", + "sequence": 531, + "session": "1", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setgid", + "object": { + "type": "process" + } + } + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=SYSCALL msg=audit(1611163038.267:531): arch=c000003e syscall=106 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:531): proctitle=\"/tmp/setuids\"" + ], + "outcome": "success", + "type": [ + "change" + ] + }, + "process": { + "executable": "/tmp/setuids", + "name": "setuids", + "pid": 19930, + "parent": { + "pid": 1541 + }, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "access" + ], + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "group": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + { + "auditd": { + "data": { + "a0": "ffffffffffffffff", + "a1": "3e8", + "a2": "ffffffffffffffff", + 
"a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": "0", + "syscall": "setresuid", + "tty": "pts0" + }, + "message_type": "syscall", + "result": "success", + "sequence": 529, + "session": "1", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setresuid", + "object": { + "type": "process" + } + } + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=SYSCALL msg=audit(1611163038.267:529): arch=c000003e syscall=117 success=yes exit=0 a0=ffffffffffffffff a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:529): proctitle=\"/tmp/setuids\"" + ], + "outcome": "success", + "type": [ + "change" + ] + }, + "process": { + "executable": "/tmp/setuids", + "name": "setuids", + "pid": 19930, + "parent": { + "pid": 1541 + }, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "access" + ], + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + }, + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant", + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + { + "auditd": { + "data": { + "a0": "0", + "a1": "3e8", + "a2": "ffffffffffffffff", + "a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": "0", + "syscall": "setuid", + "tty": "pts0" + }, + "message_type": "syscall", + "result": "success", + "sequence": 530, + "session": "1", + 
"summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setuid", + "object": { + "type": "process" + } + } + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=SYSCALL msg=audit(1611163038.267:530): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=1000 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:530): proctitle=\"/tmp/setuids\"" + ], + "outcome": "success", + "type": [ + "change" + ] + }, + "process": { + "executable": "/tmp/setuids", + "name": "setuids", + "pid": 19930, + "parent": { + "pid": 1541 + }, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "access" + ], + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "0", + "name": "root" + }, + "filesystem": { + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "0", + "name": "root" + }, + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant", + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/setuid-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/setuid-events.json-expected.json new file mode 100644 index 00000000000..d55cd9a5477 --- /dev/null 
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/setuid-events.json-expected.json 
@@ -0,0 +1,317 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "a0": "0", + "a1": "3e8", + "a2": "ffffffffffffffff", + "a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": 0, + "syscall": "setgid", + "tty": "pts0" + }, + "message_type": "syscall", + "messages": [ + "type=SYSCALL msg=audit(1611163038.267:531): arch=c000003e syscall=106 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:531): proctitle=\"/tmp/setuids\"" + ], + "result": "success", + "session": "1", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setgid", + "object": { + "type": "process" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": "type=SYSCALL msg=audit(1611163038.267:531): arch=c000003e syscall=106 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"\ntype=PROCTITLE msg=audit(1611163038.267:531): proctitle=\"/tmp/setuids\"", + "outcome": "success", + "sequence": 531, + "type": [ + "change" + ] + }, + "process": { + 
"executable": "/tmp/setuids", + "name": "setuids", + "parent": { + "pid": 1541 + }, + "pid": 19930, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "group": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "a0": "ffffffffffffffff", + "a1": "3e8", + "a2": "ffffffffffffffff", + "a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": 0, + "syscall": "setresuid", + "tty": "pts0" + }, + "message_type": "syscall", + "messages": [ + "type=SYSCALL msg=audit(1611163038.267:529): arch=c000003e syscall=117 success=yes exit=0 a0=ffffffffffffffff a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:529): proctitle=\"/tmp/setuids\"" + ], + "result": "success", + "session": "1", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setresuid", + "object": { + "type": "process" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + }, + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": "unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": "type=SYSCALL msg=audit(1611163038.267:529): arch=c000003e syscall=117 success=yes exit=0 
a0=ffffffffffffffff a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"\ntype=PROCTITLE msg=audit(1611163038.267:529): proctitle=\"/tmp/setuids\"", + "outcome": "success", + "sequence": 529, + "type": [ + "change" + ] + }, + "process": { + "executable": "/tmp/setuids", + "name": "setuids", + "parent": { + "pid": 1541 + }, + "pid": 19930, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "a0": "0", + "a1": "3e8", + "a2": "ffffffffffffffff", + "a3": "7ffe354fcc60", + "arch": "x86_64", + "exit": 0, + "syscall": "setuid", + "tty": "pts0" + }, + "message_type": "syscall", + "messages": [ + "type=SYSCALL msg=audit(1611163038.267:530): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=1000 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"", + "type=PROCTITLE msg=audit(1611163038.267:530): proctitle=\"/tmp/setuids\"" + ], + "result": "success", + "session": "1", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "vagrant" + }, + "how": "setuid", + "object": { + "type": "process" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "filesystem": { + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "0", + "name": "root" + }, + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "selinux": { + "category": "c0.c1023", + "domain": 
"unconfined_t", + "level": "s0-s0", + "role": "unconfined_r", + "user": "unconfined_u" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-identity-of", + "category": [ + "process" + ], + "kind": "event", + "original": "type=SYSCALL msg=audit(1611163038.267:530): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=3e8 a2=ffffffffffffffff a3=7ffe354fcc60 items=0 ppid=1541 pid=19930 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=1000 tty=pts0 ses=1 comm=\"setuids\" exe=\"/tmp/setuids\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"access\"\ntype=PROCTITLE msg=audit(1611163038.267:530): proctitle=\"/tmp/setuids\"", + "outcome": "success", + "sequence": 530, + "type": [ + "change" + ] + }, + "process": { + "executable": "/tmp/setuids", + "name": "setuids", + "parent": { + "pid": 1541 + }, + "pid": 19930, + "title": "/tmp/setuids" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "0", + "name": "root" + }, + "group": { + "id": "1000", + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-asuser-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-asuser-events.json new file mode 100644 index 00000000000..7a8d8af2869 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-asuser-events.json 
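Review bot: The expected fixture shows `"tags": [ "preserve_original_event" ]` for all three events, while the input fixture in setuid-events.json carried `"tags": [ "access" ]` from the audit rule key (`key="access"` in each SYSCALL record), so the rule key is absent from the indexed document. If that comes from the pipeline overwriting `tags` instead of appending to it, the one field that ties a record back to the audit rule that produced it is lost; if instead the test harness injects `tags` over the input, that should be stated in the test config or this fixture's description. Either way the fixture should pin the intended outcome, e.g. `"tags": [ "access", "preserve_original_event" ]` if the key is meant to survive, rather than silently encoding its loss in all three events.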
@@ -0,0 +1,324 @@ +{ + "events": [ + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 458, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 459, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 
terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "bash", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "result": "success", + "sequence": 460, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "bash", + "type": "process" + } + } + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"bash\" terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 14178, + "working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "result": "success", + "sequence": 461, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/bin/sudo\" 
hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "result": "success", + "sequence": 462, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-asuser-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-asuser-events.json-expected.json new file mode 100644 index 00000000000..25909ee8964 --- /dev/null 
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-asuser-events.json-expected.json 
@@ -0,0 +1,369 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "messages": [ + "type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 458, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "messages": [ + "type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + 
"session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 459, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "bash", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "messages": [ + "type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"bash\" terminal=pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "bash", + "type": "process" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": "type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"bash\" terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 460, + "type": [ + "start" + ] + }, + "process": { + "pid": 14178, + 
"working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "messages": [ + "type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 461, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "messages": [ + "type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/bin/sudo\" 
hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": "type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 462, + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-events.json new file mode 100644 index 00000000000..cafc4722f0c --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-events.json 
@@ -0,0 +1,1295 @@ +{ + "events": [ + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 458, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 459, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 
terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "bash", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "result": "success", + "sequence": 460, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "bash", + "type": "process" + } + } + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"bash\" terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 14178, + "working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "result": "success", + "sequence": 461, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/bin/sudo\" 
hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "result": "success", + "sequence": 462, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "fail", + "sequence": 457, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": 
"alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610876634.103:457): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=failed'" + ], + "outcome": "failure", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_acq", + "result": "success", + "sequence": 434, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "acquired-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_ACQ msg=audit(1610735886.818:434): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": 
"oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 433, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610735886.818:433): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:accounting acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 432, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610735886.818:432): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + 
"info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "result": "success", + "sequence": 431, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610735886.818:431): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "result": "success", + "sequence": 430, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": 
"user-session" + } + } + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_REFR msg=audit(1610735886.818:430): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "su", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "result": "success", + "sequence": 429, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "su", + "type": "process" + } + } + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": [ + "type=USER_CMD msg=audit(1610735886.818:429): pid=11791 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"su\" terminal=pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "process": { + "pid": 11791, + "working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 428, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": 
"127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610735886.818:428): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 427, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610735886.818:427): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": 
"root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "su", + "selected-context": "1234", + "terminal": "/dev/pts/1" + }, + "message_type": "user_role_change", + "result": "success", + "sequence": 436, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "1234", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-role-to", + "category": "mac", + "kind": "event", + "original": [ + "type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234'" + ], + "outcome": "success" + }, + "process": { + "executable": "/bin/su", + "pid": 11793 + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "id": "0", + "name": "root" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "result": "success", + "sequence": 435, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_START msg=audit(1610735886.822:435): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" 
+ }, + "source": { + "ip": "127.0.0.1" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_disp", + "result": "success", + "sequence": 440, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "disposed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_DISP msg=audit(1610735949.474:440): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:session_close", + "terminal": "/dev/pts/1" + }, + "message_type": "user_end", + "result": "success", + "sequence": 439, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "ended-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_END msg=audit(1610735949.474:439): 
pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "end" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_disp", + "result": "success", + "sequence": 438, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "disposed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_DISP msg=audit(1610735949.474:438): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:session_close", + "terminal": "/dev/pts/1" + }, + "message_type": "user_end", + "result": "success", + "sequence": 437, + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", 
+ "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "ended-session", + "category": [ + "session" + ], + "kind": "event", + "original": [ + "type=USER_END msg=audit(1610735949.474:437): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "outcome": "success", + "type": [ + "end" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-events.json-expected.json new file mode 100644 index 00000000000..87f793a3521 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/sudo-events.json-expected.json 
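Review bot: The USER_ROLE_CHANGE fixture event (sequence 436) sets `"category": "mac"` as a bare string and carries no `event.type`, while every other event in this file uses an array for `event.category` and includes a `type`; unless the pipeline normalizes this, the expected output should be checked so that detection rules and dashboards treating `event.category` as an array do not see a mixed scalar/array field. The only failure path exercised is the PAM authentication failure (sequence 457, `res=failed`); every USER_CMD event here is `res=success`, so a denied sudo command, the case most relevant to privilege-escalation detection, is not covered. Consider adding a `USER_CMD ... res=failed` event to pin `event.outcome: failure` for that path. The expected-output file for this fixture starts in the next hunk and is cut off here, so I could not confirm how the pipeline handles either case.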
@@ -0,0 +1,1475 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "messages": [ + "type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_AUTH msg=audit(1610876676.623:458): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 458, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "messages": [ + "type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", 
+ "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_ACCT msg=audit(1610876676.623:459): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 459, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "bash", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "messages": [ + "type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"bash\" terminal=pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "bash", + "type": "process" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": "type=USER_CMD msg=audit(1610876676.623:460): pid=14178 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"bash\" terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 460, + "type": [ + "start" + ] + }, + "process": { + "pid": 14178, + 
"working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "messages": [ + "type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=CRED_REFR msg=audit(1610876676.623:461): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 461, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "messages": [ + "type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/bin/sudo\" 
hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "bob" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": "type=USER_START msg=audit(1610876676.623:462): pid=14178 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 462, + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "bob", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "messages": [ + "type=USER_AUTH msg=audit(1610876634.103:457): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=failed'" + ], + "result": "fail", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": 
"8.2.0" + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_AUTH msg=audit(1610876634.103:457): pid=14178 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=failed'", + "outcome": "failure", + "sequence": 457, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 14178 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_acq", + "messages": [ + "type=CRED_ACQ msg=audit(1610735886.818:434): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "acquired-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=CRED_ACQ msg=audit(1610735886.818:434): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 434, + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + 
] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "messages": [ + "type=USER_ACCT msg=audit(1610735886.818:433): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:accounting acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_ACCT msg=audit(1610735886.818:433): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:accounting acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 433, + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "messages": [ + "type=USER_AUTH msg=audit(1610735886.818:432): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:authentication acct=\"root\" 
exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_AUTH msg=audit(1610735886.818:432): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 432, + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "messages": [ + "type=USER_START msg=audit(1610735886.818:431): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": 
"event", + "original": "type=USER_START msg=audit(1610735886.818:431): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 431, + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_refr", + "messages": [ + "type=CRED_REFR msg=audit(1610735886.818:430): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "refreshed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=CRED_REFR msg=audit(1610735886.818:430): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 430, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] 
+ }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "cmd": "su", + "terminal": "pts/1" + }, + "message_type": "user_cmd", + "messages": [ + "type=USER_CMD msg=audit(1610735886.818:429): pid=11791 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"su\" terminal=pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "oldbob" + }, + "object": { + "primary": "su", + "type": "process" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "ran-command", + "category": [ + "process" + ], + "kind": "event", + "original": "type=USER_CMD msg=audit(1610735886.818:429): pid=11791 uid=1002 auid=1002 ses=15 msg='cwd=\"/home/alice\" cmd=\"su\" terminal=pts/1 res=success'", + "outcome": "success", + "sequence": 429, + "type": [ + "start" + ] + }, + "process": { + "pid": 11791, + "working_directory": "/home/alice" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:accounting", + "terminal": "/dev/pts/1" + }, + "message_type": "user_acct", + "messages": [ + "type=USER_ACCT msg=audit(1610735886.818:428): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": 
{ + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_ACCT msg=audit(1610735886.818:428): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 428, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "alice", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/1" + }, + "message_type": "user_auth", + "messages": [ + "type=USER_AUTH msg=audit(1610735886.818:427): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "alice" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_AUTH msg=audit(1610735886.818:427): pid=11791 uid=1002 auid=1002 ses=15 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 427, + "type": [ + "info" + ] 
+ }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "alice", + "oldbob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1001", + "name": "alice" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "su", + "selected_context": "1234", + "terminal": "/dev/pts/1" + }, + "message_type": "user_role_change", + "messages": [ + "type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "1234", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-role-to", + "category": "mac", + "kind": "event", + "original": "type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234'", + "outcome": "success", + "sequence": 436 + }, + "process": { + "executable": "/bin/su", + "pid": 11793 + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "0", + "name": "root" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "hostname": "localhost", + "op": "PAM:session_open", + "terminal": "/dev/pts/1" + }, + "message_type": "user_start", + "messages": [ + "type=USER_START msg=audit(1610735886.822:435): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"root\" 
exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "started-session", + "category": [ + "session" + ], + "kind": "event", + "original": "type=USER_START msg=audit(1610735886.822:435): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_open acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 435, + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_disp", + "messages": [ + "type=CRED_DISP msg=audit(1610735949.474:440): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + 
"event": { + "action": "disposed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=CRED_DISP msg=audit(1610735949.474:440): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 440, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:session_close", + "terminal": "/dev/pts/1" + }, + "message_type": "user_end", + "messages": [ + "type=USER_END msg=audit(1610735949.474:439): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/usr/bin/sudo", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "ended-session", + "category": [ + "session" + ], + "kind": "event", + "original": "type=USER_END msg=audit(1610735949.474:439): pid=11791 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/bin/sudo\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 439, + "type": [ + "end" + ] + }, + "process": { + "executable": "/usr/bin/sudo", + "pid": 11791 + }, + "related": { + "user": [ + "oldbob", + 
"root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "/dev/pts/1" + }, + "message_type": "cred_disp", + "messages": [ + "type=CRED_DISP msg=audit(1610735949.474:438): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "disposed-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=CRED_DISP msg=audit(1610735949.474:438): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:setcred acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 438, + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:session_close", + "terminal": "/dev/pts/1" + }, + "message_type": "user_end", + "messages": [ + "type=USER_END msg=audit(1610735949.474:437): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct=\"root\" 
exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'" + ], + "result": "success", + "session": "15", + "summary": { + "actor": { + "primary": "oldbob", + "secondary": "root" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/1", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1002", + "name": "oldbob" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "ended-session", + "category": [ + "session" + ], + "kind": "event", + "original": "type=USER_END msg=audit(1610735949.474:437): pid=11792 uid=0 auid=1002 ses=15 msg='op=PAM:session_close acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success'", + "outcome": "success", + "sequence": 437, + "type": [ + "end" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11792 + }, + "related": { + "user": [ + "oldbob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1002", + "name": "oldbob" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-common-config.yml b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/useradd-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/useradd-events.json new file mode 100644 index 00000000000..142c4fa7e00 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/useradd-events.json 
@@ -0,0 +1,553 @@ +{ + "events": [ + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1004", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_group", + "result": "success", + "sequence": 584, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + } + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1004", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_group", + "result": "success", + "sequence": 586, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + } + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], 
+ "outcome": "success", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1004", + "terminal": "pts/2" + }, + "message_type": "add_group", + "result": "success", + "sequence": 587, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + } + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "id": "1004", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_user", + "result": "success", + "sequence": 591, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + "object": { + "primary": 
"1004", + "type": "account" + } + } + }, + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "creation" + ] + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 2945 + }, + "related": { + "user": [ + "root", + "testuser", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1004", + "name": "testuser" + } + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "localhost", + "reset": "0", + "terminal": "/dev/pts/2" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 593, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "testuser" + }, + "how": "/sbin/pam_tally2", + "object": { + "primary": "/dev/pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe=\"/sbin/pam_tally2\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/sbin/pam_tally2", + "pid": 2948 + }, + "related": { + "user": [ + "testuser", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "1004", + "name": "testuser" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + 
"auditd": { + "data": { + "acct": "charlie", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:chauthtok", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "result": "success", + "sequence": 594, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/bin/passwd", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": [ + "type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct=\"charlie\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/bin/passwd", + "pid": 2953 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:authentication", + "terminal": "pts/2" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 595, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chfn", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic 
addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/chfn", + "pid": 2954 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:accounting", + "terminal": "pts/2" + }, + "message_type": "user_acct", + "result": "success", + "sequence": 596, + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chfn", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/chfn", + "pid": 2954 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + }, + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/useradd-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/useradd-events.json-expected.json new file mode 100644 index 00000000000..5ab3d546003 --- /dev/null 
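Review bot: The pam_tally2 USER_ACCT fixture (sequence 593) sets `user.effective` and `summary.actor.secondary` to the acted-upon account (`1004`/`testuser`) although the record header says `uid=0`, while every other event in this file derives `user.effective` from the header `uid` and puts the acted-upon account under `user.target` (cf. USER_CHAUTHTOK, sequence 594, where `uid=0` yields an effective user of root and `acct="charlie"` becomes `target`). If this mirrors auditbeat's upstream output it should be pinned knowingly: the expected file generated from it will attribute the pam_tally2 action to `testuser` rather than root, so detections keyed on `user.effective.name` would misattribute a privileged account action. Since JSON fixtures cannot carry comments, a one-line rationale in the data stream README would make the intent explicit. Separately, the expected output further down maps this fixture's `auditd.data.id` (the new group's gid, `1004`) into `event.id`; ECS reserves `event.id` for a per-event identifier, so it is worth confirming that mapping is intended, as all three ADD_GROUP records here carry `id=1004` and would presumably share the same `event.id`.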
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/useradd-events.json-expected.json 
@@ -0,0 +1,625 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_group", + "messages": [ + "type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "id": "1004", + "kind": "event", + "original": "type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 584, + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_group", + "messages": [ + "type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "result": "success", 
+ "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "id": "1004", + "kind": "event", + "original": "type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 586, + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "terminal": "pts/2" + }, + "message_type": "add_group", + "messages": [ + "type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/groupadd", + "object": { + "primary": "1004", + "type": "account" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "added-group-account-to", + "category": [ + "iam" + ], + "id": "1004", + "kind": "event", + "original": "type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 
auid=1000 ses=14 msg='op= id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 587, + "type": [ + "group", + "creation" + ] + }, + "group": { + "id": "1004", + "name": "testgroup" + }, + "process": { + "executable": "/usr/sbin/groupadd", + "pid": 2940 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "adding", + "terminal": "pts/2" + }, + "message_type": "add_user", + "messages": [ + "type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/sbin/useradd", + "object": { + "primary": "1004", + "type": "account" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "id": "1004", + "kind": "event", + "original": "type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 591, + "type": [ + "user", + "creation" + ] + }, + "process": { + "executable": "/usr/sbin/useradd", + "pid": 2945 + }, + "related": { + "user": [ + "root", + "testuser", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": 
"root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1004", + "name": "testuser" + } + } + }, + { + "auditd": { + "data": { + "addr": "127.0.0.1", + "hostname": "localhost", + "reset": "0", + "terminal": "/dev/pts/2" + }, + "message_type": "user_acct", + "messages": [ + "type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe=\"/sbin/pam_tally2\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "testuser" + }, + "how": "/sbin/pam_tally2", + "object": { + "primary": "/dev/pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe=\"/sbin/pam_tally2\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success'", + "outcome": "success", + "sequence": 593, + "type": [ + "info" + ] + }, + "process": { + "executable": "/sbin/pam_tally2", + "pid": 2948 + }, + "related": { + "user": [ + "testuser", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "1004", + "name": "testuser" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "acct": "charlie", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:chauthtok", + "terminal": "pts/2" + }, + "message_type": "user_chauthtok", + "messages": [ + "type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct=\"charlie\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 
terminal=pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "charlie" + }, + "how": "/usr/bin/passwd", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "kind": "event", + "original": "type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct=\"charlie\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 594, + "type": [ + "user", + "change" + ] + }, + "process": { + "executable": "/usr/bin/passwd", + "pid": 2953 + }, + "related": { + "user": [ + "charlie", + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant", + "target": { + "id": "1003", + "name": "charlie" + } + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:authentication", + "terminal": "pts/2" + }, + "message_type": "user_auth", + "messages": [ + "type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chfn", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": 
"authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 595, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/chfn", + "pid": 2954 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + }, + { + "auditd": { + "data": { + "acct": "root", + "addr": "127.0.0.1", + "hostname": "ubuntu-bionic", + "op": "PAM:accounting", + "terminal": "pts/2" + }, + "message_type": "user_acct", + "messages": [ + "type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'" + ], + "result": "success", + "session": "14", + "summary": { + "actor": { + "primary": "vagrant", + "secondary": "root" + }, + "how": "/usr/bin/chfn", + "object": { + "primary": "pts/2", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1000", + "name": "vagrant" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "was-authorized", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "outcome": "success", + "sequence": 596, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/bin/chfn", + "pid": 2954 + }, + "related": { + "user": [ + "root", + "vagrant" + ] + }, + "service": { + 
"type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "0", + "name": "root" + }, + "id": "1000", + "name": "vagrant" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/userlogin-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/userlogin-events.json new file mode 100644 index 00000000000..f8b86cda68c --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/userlogin-events.json 
@@ -0,0 +1,257 @@ +{ + "events": [ + { + "auditd": { + "data": { + "acct": "(unknown)", + "hostname": "localhost", + "op": "login", + "terminal": "ssh" + }, + "message_type": "user_login", + "result": "fail", + "sequence": 110544844, + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown)" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "1.128.3.4", + "type": "user-session" + } + } + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_LOGIN msg=audit(1553501549.148:110544844): user pid=374 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"(unknown)\" exe=\"/usr/sbin/sshd\" hostname=localhost addr=1.128.3.4 terminal=ssh res=failed'" + ], + "outcome": "failure", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 374 + }, + "related": { + "user": [ + "(unknown)" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "1.128.3.4" + }, + "user": { + "effective": { + "name": "(unknown)" + } + } + }, + { + "auditd": { + "data": { + "hostname": "1.128.3.4", + "id": "700", + "op": "login", + "terminal": "/dev/pts/0" + }, + "message_type": "user_login", + "result": "success", + "sequence": 110276965, + "session": "5388", + "summary": { + "actor": { + "primary": "700", + "secondary": "700" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "/dev/pts/0", + "secondary": "1.128.3.4", + "type": "user-session" + } + } + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_LOGIN msg=audit(1553452002.231:110276965): user pid=10318 uid=0 auid=700 ses=5388 msg='op=login id=700 exe=\"/usr/sbin/sshd\" hostname=1.128.3.4 addr=1.128.3.4 terminal=/dev/pts/0 res=success'" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + 
"process": { + "executable": "/usr/sbin/sshd", + "pid": 10318 + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "1.128.3.4" + }, + "user": { + "audit": { + "id": "700" + }, + "id": "700" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/0" + }, + "message_type": "user_auth", + "result": "success", + "sequence": 21114, + "session": "62", + "summary": { + "actor": { + "primary": "root", + "secondary": "bob" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/0", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=USER_AUTH msg=audit(1552714590.571:21114): pid=11312 uid=0 auid=0 ses=62 msg='op=PAM:authentication acct=\"bob\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/0 res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/bin/su", + "pid": 11312 + }, + "related": { + "user": [ + "bob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "0", + "name": "root" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "0", + "name": "root" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "ssh" + }, + "message_type": "cred_acq", + "result": "success", + "sequence": 4088825, + "session": "352", + "summary": { + "actor": { + "primary": "alice", + "secondary": "bob" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "127.0.0.1", + "type": "user-session" + } + } + }, + "event": { + "action": "acquired-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": [ + "type=CRED_ACQ msg=audit(1553557236.015:4088825): pid=9033 uid=0 
auid=1001 ses=352 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/sbin/sshd\" hostname=localhost addr=127.0.0.1 terminal=ssh res=success'" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 9033 + }, + "related": { + "user": [ + "alice", + "bob" + ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "1001", + "name": "alice" + }, + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1001", + "name": "alice" + } + } + ] +} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/userlogin-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/userlogin-events.json-expected.json new file mode 100644 index 00000000000..c0c03c7f483 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/userlogin-events.json-expected.json 
@@ -0,0 +1,291 @@ +{ + "expected": [ + { + "auditd": { + "data": { + "acct": "(unknown)", + "hostname": "localhost", + "op": "login", + "terminal": "ssh" + }, + "message_type": "user_login", + "messages": [ + "type=USER_LOGIN msg=audit(1553501549.148:110544844): user pid=374 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"(unknown)\" exe=\"/usr/sbin/sshd\" hostname=localhost addr=1.128.3.4 terminal=ssh res=failed'" + ], + "result": "fail", + "summary": { + "actor": { + "primary": "unset", + "secondary": "(unknown)" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "1.128.3.4", + "type": "user-session" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_LOGIN msg=audit(1553501549.148:110544844): user pid=374 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"(unknown)\" exe=\"/usr/sbin/sshd\" hostname=localhost addr=1.128.3.4 terminal=ssh res=failed'", + "outcome": "failure", + "sequence": 110544844, + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 374 + }, + "related": { + "user": [ + "(unknown)" + ] + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "1.128.3.4" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "name": "(unknown)" + } + } + }, + { + "auditd": { + "data": { + "hostname": "1.128.3.4", + "op": "login", + "terminal": "/dev/pts/0" + }, + "message_type": "user_login", + "messages": [ + "type=USER_LOGIN msg=audit(1553452002.231:110276965): user pid=10318 uid=0 auid=700 ses=5388 msg='op=login id=700 exe=\"/usr/sbin/sshd\" hostname=1.128.3.4 addr=1.128.3.4 terminal=/dev/pts/0 res=success'" + ], + "result": "success", + "session": "5388", + "summary": { + "actor": { + "primary": "700", + "secondary": "700" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": 
"/dev/pts/0", + "secondary": "1.128.3.4", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "700" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "id": "700", + "kind": "event", + "original": "type=USER_LOGIN msg=audit(1553452002.231:110276965): user pid=10318 uid=0 auid=700 ses=5388 msg='op=login id=700 exe=\"/usr/sbin/sshd\" hostname=1.128.3.4 addr=1.128.3.4 terminal=/dev/pts/0 res=success'", + "outcome": "success", + "sequence": 110276965, + "type": [ + "start" + ] + }, + "network": { + "direction": "ingress" + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 10318 + }, + "service": { + "type": "auditd" + }, + "source": { + "ip": "1.128.3.4" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "700" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:authentication", + "terminal": "/dev/pts/0" + }, + "message_type": "user_auth", + "messages": [ + "type=USER_AUTH msg=audit(1552714590.571:21114): pid=11312 uid=0 auid=0 ses=62 msg='op=PAM:authentication acct=\"bob\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/0 res=success'" + ], + "result": "success", + "session": "62", + "summary": { + "actor": { + "primary": "root", + "secondary": "bob" + }, + "how": "/bin/su", + "object": { + "primary": "/dev/pts/0", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "0", + "name": "root" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "authenticated", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=USER_AUTH msg=audit(1552714590.571:21114): pid=11312 uid=0 auid=0 ses=62 msg='op=PAM:authentication acct=\"bob\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/0 res=success'", + "outcome": "success", + "sequence": 21114, + "type": [ + "info" + ] 
+ }, + "process": { + "executable": "/bin/su", + "pid": 11312 + }, + "related": { + "user": [ + "bob", + "root" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "0", + "name": "root" + } + }, + { + "auditd": { + "data": { + "acct": "bob", + "addr": "127.0.0.1", + "hostname": "localhost", + "op": "PAM:setcred", + "terminal": "ssh" + }, + "message_type": "cred_acq", + "messages": [ + "type=CRED_ACQ msg=audit(1553557236.015:4088825): pid=9033 uid=0 auid=1001 ses=352 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/sbin/sshd\" hostname=localhost addr=127.0.0.1 terminal=ssh res=success'" + ], + "result": "success", + "session": "352", + "summary": { + "actor": { + "primary": "alice", + "secondary": "bob" + }, + "how": "/usr/sbin/sshd", + "object": { + "primary": "ssh", + "secondary": "127.0.0.1", + "type": "user-session" + } + }, + "user": { + "audit": { + "id": "1001", + "name": "alice" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "acquired-credentials", + "category": [ + "authentication" + ], + "kind": "event", + "original": "type=CRED_ACQ msg=audit(1553557236.015:4088825): pid=9033 uid=0 auid=1001 ses=352 msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/sbin/sshd\" hostname=localhost addr=127.0.0.1 terminal=ssh res=success'", + "outcome": "success", + "sequence": 4088825, + "type": [ + "info" + ] + }, + "process": { + "executable": "/usr/sbin/sshd", + "pid": 9033 + }, + "related": { + "user": [ + "alice", + "bob" + ] + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "effective": { + "id": "9999", + "name": "bob" + }, + "id": "1001", + "name": "alice" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/system/test-default-config.yml b/packages/auditd_manager/data_stream/auditd/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..80f3ac001a3
--- /dev/null
+++ b/packages/auditd_manager/data_stream/auditd/_dev/test/system/test-default-config.yml
@@ -0,0 +1,16 @@
+data_stream:
+ vars:
+ audit_rules:
+ - -a always,exit -F arch=b64 -S execve,execveat -k exec
+ - -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+ - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+ - -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+ - -w /etc/group -p wa -k identity
+ - -w /etc/passwd -p wa -k identity
+ - -w /etc/gshadow -p wa -k identity
+ - -w /etc/shadow -p wa -k identity
+ - -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+ - -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+ - -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+ - -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+ preserve_original_event: true
diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
new file mode 100644
index 00000000000..626b5973ece
--- /dev/null
+++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
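Review bot: The two b64 `access` rules at the end of the list (the ones carrying `-F auid>=1000 -F auid!=4294967295`) are effectively dead, because the unfiltered b64 rules for the same syscall set and the same `exit=` value already appear near the top with the same key; as far as I recall the kernel stops at the first matching rule in the exit filter list, so the auid restriction never applies on 64-bit and the `access` key still fires for system accounts. Either drop the two unfiltered b64 rules or move the auid-filtered variants ahead of them, and a one-line comment such as `# auid!=4294967295 is the legacy spelling of auid!=unset (loginuid not set)` would save the next reader a lookup. The `exec` rule has no auid filter at all, so it records every execve on the host; that is fine for a system test but the file should say it is not intended as a production baseline.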
@@ -0,0 +1,34 @@
+# EQL expression evaluated by Elastic Agent to limit input to Linux.
+condition: ${host.platform} == 'linux'
+
+type: audit/auditd
+include_raw_message: true
+{{#if multicast}}
+socket_type: multicast
+{{else}}
+socket_type: unicast
+{{/if}}
+resolve_ids: {{resolve_ids}}
+failure_mode: {{failure_mode}}
+audit_rules: |
+{{#each audit_rules as |rule i|}}
+ {{rule}}
+{{/each}}
+backlog_limit: {{backlog_limit}}
+rate_limit: {{rate_limit}}
+include_warnings: {{include_warnings}}
+backpressure_strategy: {{backpressure_strategy}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml b/packages/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..1235e982bf2
--- /dev/null
+++ b/packages/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml
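Review bot: The `socket_type` branch always emits a value, and the `unicast` fallback has a real operational consequence that the template does not document: with unicast the input takes exclusive ownership of the kernel audit socket and the right to load rules, so it conflicts with an already-running `auditd` daemon, whereas multicast reads the audit multicast group passively, coexists with auditd, needs a kernel that supports it (3.16+ as I recall) and, in the auditbeat implementation this input appears to derive from, does not load `audit_rules`. If the input keeps auditbeat's behaviour of auto-selecting multicast when `socket_type` is unset and auditd is detected, forcing `unicast` here removes that safety net; consider only emitting the key when the user opted in, i.e. `{{#if multicast}}socket_type: multicast{{/if}}`, or at least a comment above the branch stating the exclusivity and the rules trade-off. `failure_mode` is passed through verbatim; a comment that `panic` makes the kernel panic on audit failure (`# failure_mode: silent|log|panic — panic halts the kernel on audit failure`) belongs next to it so a policy author does not pick it casually.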
@@ -0,0 +1,242 @@ +--- +description: Pipeline for parsing Linux auditd logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: event.original + target_field: auditd.messages + ignore_missing: true + - join: + field: auditd.messages + separator: "\n" + target_field: event.original + if: ctx?.auditd?.messages != null && ctx.auditd.messages instanceof List + - rename: + field: error.message + target_field: auditd.warnings + ignore_missing: true + - join: + field: auditd.warnings + separator: "\n" + target_field: error.message + if: | + ctx?.auditd?.warnings != null && + ctx.auditd.warnings instanceof List && + ctx.auditd.warnings.size() > 0 + - script: + lang: painless + description: Standardize all field names. + source: | + void handleMap(Map map) { + for (def k : map.keySet().toArray(new def[map.size()])) { + if (map[k] instanceof Map) { + handleMap(map[k]); + } + + if (k.contains("-")) { + map[k.replace("-", "_")] = map[k]; + map.remove(k); + } + } + } + handleMap(ctx); + - rename: + field: source.path + target_field: source.address + ignore_missing: true + ignore_failure: true + - rename: + field: destination.path + target_field: destination.address + ignore_missing: true + ignore_failure: true + - rename: + field: user.audit + target_field: auditd.user.audit + ignore_missing: true + ignore_failure: true + - rename: + field: user.new_auid + target_field: auditd.user.new_auid + ignore_missing: true + ignore_failure: true + - rename: + field: user.old_auid + target_field: auditd.user.old_auid + ignore_missing: true + ignore_failure: true + - rename: + field: file.selinux + target_field: auditd.file.selinux + ignore_missing: true + ignore_failure: true + - rename: + field: user.selinux + target_field: auditd.user.selinux + ignore_missing: true + ignore_failure: true + - rename: + field: user.saved + target_field: auditd.user.saved + ignore_missing: true + ignore_failure: true + - rename: + field: user.filesystem + target_field: 
auditd.user.filesystem + ignore_missing: true + ignore_failure: true + - set: + field: event.outcome + value: failure + if: ctx?.event?.outcome == "fail" + - rename: + field: auditd.sequence + target_field: event.sequence + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.id + target_field: event.id + ignore_missing: true + ignore_failure: true + - convert: + field: auditd.data.removed + type: long + ignore_missing: true + - convert: + field: auditd.data.items + type: long + ignore_missing: true + - convert: + field: auditd.data.lport + type: long + ignore_missing: true + - convert: + field: auditd.data.rport + type: long + ignore_missing: true + - convert: + field: auditd.data.sport + type: long + ignore_missing: true + - convert: + field: auditd.data.dport + type: long + ignore_missing: true + - convert: + field: auditd.data.entries + type: long + ignore_missing: true + - convert: + field: auditd.data.argc + type: long + ignore_missing: true + - convert: + field: auditd.data.seqno + type: long + ignore_missing: true + - convert: + field: auditd.data.nargs + type: long + ignore_missing: true + - convert: + field: auditd.data.socket.port + type: long + ignore_missing: true + - convert: + field: auditd.data.old_vcpu + type: long + ignore_missing: true + - convert: + field: auditd.data.new_vcpu + type: long + ignore_missing: true + - convert: + field: auditd.data.changed + type: long + ignore_missing: true + - convert: + field: auditd.data.added + type: long + ignore_missing: true + - convert: + field: destination.port + type: long + ignore_missing: true + - convert: + field: source.port + type: long + ignore_missing: true + - convert: + field: auditd.data.spid + type: long + ignore_missing: true + - convert: + field: auditd.data.opid + type: long + ignore_missing: true + - convert: + field: auditd.data.nlnk_pid + type: long + ignore_missing: true + - convert: + field: auditd.data.vm_pid + type: long + ignore_missing: true + - convert: + 
field: auditd.data.audit_pid + type: long + ignore_missing: true + - convert: + field: auditd.data.exit + type: long + ignore_missing: true + - convert: + field: process.pid + type: long + ignore_missing: true + - convert: + field: process.exit_code + type: long + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: auditd.messages + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/auditd_manager/data_stream/auditd/fields/base-fields.yml b/packages/auditd_manager/data_stream/auditd/fields/base-fields.yml new file mode 100644 index 00000000000..aff492ff4c5 --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/fields/base-fields.yml 
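Review bot: The `rename` of `auditd.data.id` to `event.id` puts an account identifier into a field ECS reserves for a unique per-event identifier: the `id=` token in ADD_USER, ADD_GROUP and USER_LOGIN records is the uid or gid being acted on, and the fixtures in this PR show `event.id: "1004"` beside `user.target.id: "1004"` and `event.id: "700"` for a login of uid 700. Detection or dedup logic keyed on `event.id` would collapse every action on the same account into one event; `event.sequence` (already filled from `auditd.sequence`) is the real per-event identifier, so I would drop this rename and leave the value under `auditd.data.id`, or fill `user.target.id`/`group.id` from it when they are empty. Separately, the `on_failure` handler does `set` on `error.message`, which overwrites the warnings the pipeline joined into that same field earlier, and it does not mark the document as failed; the usual integration shape is `- set: {field: event.kind, value: pipeline_error}` followed by `- append: {field: error.message, value: '{{{ _ingest.on_failure_message }}}'}` so failures stay searchable without losing the original warning. The `convert` processors to `long` have no `ignore_failure`; if the input ever emits a symbolic value such as `exit=-EACCES` with id resolution on, a single bad field sends the whole document down the failure path, which is worth confirming against the input.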
@@ -0,0 +1,21 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: auditd
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: auditd_manager.auditd
+- name: '@timestamp'
+ external: ecs
+- name: tags
+ external: ecs
diff --git a/packages/auditd_manager/data_stream/auditd/fields/ecs.yml b/packages/auditd_manager/data_stream/auditd/fields/ecs.yml
new file mode 100644
index 00000000000..8ffce44d8a0
--- /dev/null
+++ b/packages/auditd_manager/data_stream/auditd/fields/ecs.yml
@@ -0,0 +1,84 @@
+- name: ecs.version
+ external: ecs
+- name: event.outcome
+ external: ecs
+- name: process.pid
+ external: ecs
+- name: process.executable
+ external: ecs
+- name: process.exit_code
+ external: ecs
+- name: process.name
+ external: ecs
+- name: process.parent.pid
+ external: ecs
+- name: process.title
+ external: ecs
+- name: process.working_directory
+ external: ecs
+- name: process.args
+ external: ecs
+- name: related.user
+ external: ecs
+- name: service.type
+ external: ecs
+- name: event.id
+ external: ecs
+- name: file.device
+ external: ecs
+- name: file.gid
+ external: ecs
+- name: file.group
+ external: ecs
+- name: file.inode
+ external: ecs
+- name: file.mode
+ external: ecs
+- name: file.owner
+ external: ecs
+- name: file.path
+ external: ecs
+- name: file.uid
+ external: ecs
+- name: source.ip
+ external: ecs
+- name: source.address
+ external: ecs
+- name: source.port
+ external: ecs
+- name: destination.address
+ external: ecs
+- name: destination.ip
+ external: ecs
+- name: destination.port
+ external: ecs
+- name: network.direction
+ external: ecs
+- name: group.id
+ external: ecs
+- name: group.name
+ external: ecs
+- name: user.group.id
+ external: ecs
+- name: user.group.name
+ external: ecs
+- name: user.id
+ external: ecs
+- name: user.name
+ external: ecs
+- name: user.effective.id
+ external: ecs
+- name: user.effective.name
+ external: ecs
+- name: user.target.id
+ external: ecs
+- name: user.target.name
+ external: ecs
+- name: user.effective.group.id
+ external: ecs
+- name: user.effective.group.name
+ external: ecs
+- name: user.target.group.id
+ external: ecs
+- name: user.target.group.name
+ external: ecs
diff --git a/packages/auditd_manager/data_stream/auditd/fields/fields.yml b/packages/auditd_manager/data_stream/auditd/fields/fields.yml
new file mode 100644
index 00000000000..5a81d930417
--- /dev/null
+++ b/packages/auditd_manager/data_stream/auditd/fields/fields.yml
@@ -0,0 +1,742 @@ +- name: auditd.user.audit.id + type: keyword +- name: auditd.user.audit.name + type: keyword +- name: auditd.user.new_auid.id + type: keyword +- name: auditd.user.new_auid.name + type: keyword +- name: auditd.user.old_auid.id + type: keyword +- name: auditd.user.old_auid.name + type: keyword +- name: auditd.user.filesystem.id + type: keyword +- name: auditd.user.filesystem.name + type: keyword +- name: auditd.user.filesystem.group.id + type: keyword +- name: auditd.user.filesystem.group.name + type: keyword +- name: auditd.user.saved.id + type: keyword +- name: auditd.user.saved.name + type: keyword +- name: auditd.user.saved.group.id + type: keyword +- name: auditd.user.saved.group.name + type: keyword +- name: auditd.user.selinux.user + description: Account submitted for authentication + type: keyword +- name: auditd.user.selinux.role + description: User's SELinux role + type: keyword +- name: auditd.user.selinux.domain + description: The actor's SELinux domain or type. + type: keyword +- name: auditd.user.selinux.level + description: The actor's SELinux level. + type: keyword +- name: auditd.user.selinux.category + description: The actor's SELinux category or compartments. + type: keyword +- name: auditd.file.selinux.user + description: Account submitted for authentication + type: keyword +- name: auditd.file.selinux.role + description: User's SELinux role + type: keyword +- name: auditd.file.selinux.domain + description: The actor's SELinux domain or type. + type: keyword +- name: auditd.file.selinux.level + description: The actor's SELinux level. + type: keyword +- name: auditd.paths + type: flattened +- name: auditd.result + description: The result of the audited operation (success/fail). + type: keyword +- name: auditd.data.reset + type: keyword +- name: auditd.message_type + description: The audit message type (e.g. syscall or apparmor_denied). + type: keyword +- name: auditd.session + description: The session ID assigned to a login. 
All events related to a login session will have the same value. + type: keyword +- name: auditd.messages + description: An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config. + type: keyword +- name: auditd.warnings + description: The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only. + type: keyword +- name: auditd.summary.actor.primary + description: The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account. + type: keyword +- name: auditd.summary.actor.secondary + description: The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su. + type: keyword +- name: auditd.summary.object.type + description: A description of the what the "thing" is (e.g. file, socket, user-session). + type: keyword +- name: auditd.summary.object.primary + type: keyword +- name: auditd.summary.object.secondary + type: keyword +- name: auditd.summary.how + description: This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event. 
+ type: keyword +- name: auditd.paths.inode + description: inode number + type: keyword +- name: auditd.paths.dev + description: Device name as found in /dev + type: keyword +- name: auditd.paths.obj_user + type: keyword +- name: auditd.paths.obj_role + type: keyword +- name: auditd.paths.obj_domain + type: keyword +- name: auditd.paths.obj_level + type: keyword +- name: auditd.paths.obj_type + type: keyword +- name: auditd.paths.ouid + description: File owner user ID + type: keyword +- name: auditd.paths.rdev + description: The device identifier (special files only) + type: keyword +- name: auditd.paths.nametype + description: Kind of file operation being referenced + type: keyword +- name: auditd.paths.ogid + description: File owner group ID + type: keyword +- name: auditd.paths.item + description: Which item is being recorded + type: keyword +- name: auditd.paths.mode + description: Mode flags on a file + type: keyword +- name: auditd.paths.name + desription: File name in avcs + type: keyword +- name: auditd.data.action + description: netfilter packet disposition + type: keyword +- name: auditd.data.minor + description: device minor number + type: keyword +- name: auditd.data.acct + description: a user's account name + type: keyword +- name: auditd.data.addr + description: the remote address that the user is connecting from + type: keyword +- name: auditd.data.cipher + description: name of crypto cipher selected + type: keyword +- name: auditd.data.id + description: during account changes + type: keyword +- name: auditd.data.entries + description: number of entries in the netfilter table + type: long +- name: auditd.data.kind + description: server or client in crypto operation + type: keyword +- name: auditd.data.ksize + description: key size for crypto operation + type: keyword +- name: auditd.data.spid + description: sent process ID + type: long +- name: auditd.data.arch + description: the elf architecture flags + type: keyword +- name: auditd.data.argc + 
description: the number of arguments to an execve syscall + type: long +- name: auditd.data.major + description: device major number + type: keyword +- name: auditd.data.unit + description: systemd unit + type: keyword +- name: auditd.data.table + description: netfilter table name + type: keyword +- name: auditd.data.terminal + description: terminal name the user is running programs on + type: keyword +- name: auditd.data.grantors + description: pam modules approving the action + type: keyword +- name: auditd.data.direction + description: direction of crypto operation + type: keyword +- name: auditd.data.op + description: the operation being performed that is audited + type: keyword +- name: auditd.data.tty + description: tty udevice the user is running programs on + type: keyword +- name: auditd.data.syscall + description: syscall number in effect when the event occurred + type: keyword +- name: auditd.data.data + description: TTY text + type: keyword +- name: auditd.data.family + description: netfilter protocol + type: keyword +- name: auditd.data.mac + description: crypto MAC algorithm selected + type: keyword +- name: auditd.data.pfs + description: perfect forward secrecy method + type: keyword +- name: auditd.data.items + description: the number of path records in the event + type: long +- name: auditd.data.hostname + description: the hostname that the user is connecting from + type: keyword +- name: auditd.data.lport + description: local network port + type: long +- name: auditd.data.rport + description: remote port number + type: long +- name: auditd.data.exit + description: syscall exit code + type: long +- name: auditd.data.fp + description: crypto key finger print + type: keyword +- name: auditd.data.laddr + description: local network address + type: keyword +- name: auditd.data.sport + description: local port number + type: long +- name: auditd.data.capability + description: posix capabilities + type: keyword +- name: auditd.data.nargs + description: the 
number of arguments to a socket call + type: long +- name: auditd.data.new_enabled + description: new TTY audit enabled setting + type: keyword +- name: auditd.data.audit_backlog_limit + description: audit system's backlog queue size + type: keyword +- name: auditd.data.dir + description: directory name + type: keyword +- name: auditd.data.cap_pe + description: process effective capability map + type: keyword +- name: auditd.data.model + description: security model being used for virt + type: keyword +- name: auditd.data.new_pp + description: new process permitted capability map + type: keyword +- name: auditd.data.old_enabled + description: present TTY audit enabled setting + type: keyword +- name: auditd.data.oauid + description: object's login user ID + type: keyword +- name: auditd.data.old + description: old value + type: keyword +- name: auditd.data.banners + description: banners used on printed page + type: keyword +- name: auditd.data.feature + description: kernel feature being changed + type: keyword +- name: auditd.data.vm_ctx + description: the vm's context string + type: keyword +- name: auditd.data.opid + description: object's process ID + type: long +- name: auditd.data.seperms + description: SELinux permissions being used + type: keyword +- name: auditd.data.seresult + description: SELinux AVC decision granted/denied + type: keyword +- name: auditd.data.new_rng + description: device name of rng being added from a vm + type: keyword +- name: auditd.data.old_net + description: present MAC address assigned to vm + type: keyword +- name: auditd.data.sigev_signo + description: signal number + type: keyword +- name: auditd.data.ino + description: inode number + type: keyword +- name: auditd.data.old_enforcing + description: old MAC enforcement status + type: keyword +- name: auditd.data.old_vcpu + description: present number of CPU cores + type: long +- name: auditd.data.range + description: user's SE Linux range + type: keyword +- name: auditd.data.res + 
description: result of the audited operation(success/fail) + type: keyword +- name: auditd.data.added + description: number of new files detected + type: long +- name: auditd.data.fam + description: socket address family + type: keyword +- name: auditd.data.nlnk_pid + description: pid of netlink packet sender + type: long +- name: auditd.data.subj + description: lspp subject's context string + type: keyword +- name: auditd.data.cgroup + description: path to cgroup in sysfs + type: keyword +- name: auditd.data.kernel + description: kernel's version number + type: keyword +- name: auditd.data.ocomm + description: object's command line name + type: keyword +- name: auditd.data.new_net + description: MAC address being assigned to vm + type: keyword +- name: auditd.data.permissive + description: SELinux is in permissive mode + type: keyword +- name: auditd.data.class + description: resource class assigned to vm + type: keyword +- name: auditd.data.compat + description: is_compat_task result + type: keyword +- name: auditd.data.fi + description: file assigned inherited capability map + type: keyword +- name: auditd.data.changed + description: number of changed files + type: long +- name: auditd.data.msg + description: the payload of the audit record + type: keyword +- name: auditd.data.dport + description: remote port number + type: long +- name: auditd.data.new_seuser + description: new SELinux user + type: keyword +- name: auditd.data.invalid_context + description: SELinux context + type: keyword +- name: auditd.data.dmac + description: remote MAC address + type: keyword +- name: auditd.data.ipx_net + description: IPX network number + type: keyword +- name: auditd.data.iuid + description: ipc object's user ID + type: keyword +- name: auditd.data.macproto + description: ethernet packet type ID field + type: keyword +- name: auditd.data.obj + description: lspp object context string + type: keyword +- name: auditd.data.ipid + description: IP datagram fragment identifier + 
type: keyword +- name: auditd.data.new_fs + description: file system being added to vm + type: keyword +- name: auditd.data.vm_pid + description: vm's process ID + type: long +- name: auditd.data.cap_pi + description: process inherited capability map + type: keyword +- name: auditd.data.old_auid + description: previous auid value + type: keyword +- name: auditd.data.oses + description: object's session ID + type: keyword +- name: auditd.data.fd + description: file descriptor number + type: keyword +- name: auditd.data.igid + description: ipc object's group ID + type: keyword +- name: auditd.data.new_disk + description: disk being added to vm + type: keyword +- name: auditd.data.parent + description: the inode number of the parent file + type: keyword +- name: auditd.data.len + description: length + type: keyword +- name: auditd.data.oflag + description: open syscall flags + type: keyword +- name: auditd.data.uuid + description: a UUID + type: keyword +- name: auditd.data.code + description: seccomp action code + type: keyword +- name: auditd.data.nlnk_grp + description: netlink group number + type: keyword +- name: auditd.data.cap_fp + description: file permitted capability map + type: keyword +- name: auditd.data.new_mem + description: new amount of memory in KB + type: keyword +- name: auditd.data.seperm + description: SELinux permission being decided on + type: keyword +- name: auditd.data.enforcing + description: new MAC enforcement status + type: keyword +- name: auditd.data.new_chardev + description: new character device being assigned to vm + type: keyword +- name: auditd.data.old_rng + description: device name of rng being removed from a vm + type: keyword +- name: auditd.data.outif + description: out interface number + type: keyword +- name: auditd.data.cmd + description: command being executed + type: keyword +- name: auditd.data.hook + description: netfilter hook that packet came from + type: keyword +- name: auditd.data.new_level + description: new run 
level + type: keyword +- name: auditd.data.sauid + description: sent login user ID + type: keyword +- name: auditd.data.sig + description: signal number + type: keyword +- name: auditd.data.audit_backlog_wait_time + description: audit system's backlog wait time + type: keyword +- name: auditd.data.printer + description: printer name + type: keyword +- name: auditd.data.old_mem + description: present amount of memory in KB + type: keyword +- name: auditd.data.perm + description: the file permission being used + type: keyword +- name: auditd.data.old_pi + description: old process inherited capability map + type: keyword +- name: auditd.data.state + description: audit daemon configuration resulting state + type: keyword +- name: auditd.data.format + description: audit log's format + type: keyword +- name: auditd.data.new_gid + description: new group ID being assigned + type: keyword +- name: auditd.data.tcontext + description: the target's or object's context string + type: keyword +- name: auditd.data.maj + description: device major number + type: keyword +- name: auditd.data.watch + description: file name in a watch record + type: keyword +- name: auditd.data.device + description: device name + type: keyword +- name: auditd.data.grp + description: group name + type: keyword +- name: auditd.data.bool + description: name of SELinux boolean + type: keyword +- name: auditd.data.icmp_type + description: type of icmp message + type: keyword +- name: auditd.data.new_lock + description: new value of feature lock + type: keyword +- name: auditd.data.old_prom + description: network promiscuity flag + type: keyword +- name: auditd.data.acl + description: access mode of resource assigned to vm + type: keyword +- name: auditd.data.ip + description: network address of a printer + type: ip +- name: auditd.data.new_pi + description: new process inherited capability map + type: keyword +- name: auditd.data.default_context + description: default MAC context + type: keyword +- name: 
auditd.data.inode_gid + description: group ID of the inode's owner + type: keyword +- name: auditd.data.new_log_passwd + description: new value for TTY password logging + type: keyword +- name: auditd.data.new_pe + description: new process effective capability map + type: keyword +- name: auditd.data.selected_context + description: new MAC context assigned to session + type: keyword +- name: auditd.data.cap_fver + description: file system capabilities version number + type: keyword +- name: auditd.data.file + description: file name + type: keyword +- name: auditd.data.net + description: network MAC address + type: keyword +- name: auditd.data.virt + description: kind of virtualization being referenced + type: keyword +- name: auditd.data.cap_pp + description: process permitted capability map + type: keyword +- name: auditd.data.old_range + description: present SELinux range + type: keyword +- name: auditd.data.resrc + description: resource being assigned + type: keyword +- name: auditd.data.new_range + description: new SELinux range + type: keyword +- name: auditd.data.obj_gid + description: group ID of object + type: keyword +- name: auditd.data.proto + description: network protocol + type: keyword +- name: auditd.data.old_disk + description: disk being removed from vm + type: keyword +- name: auditd.data.audit_failure + description: audit system's failure mode + type: keyword +- name: auditd.data.inif + description: in interface number + type: keyword +- name: auditd.data.vm + description: virtual machine name + type: keyword +- name: auditd.data.flags + description: mmap syscall flags + type: keyword +- name: auditd.data.nlnk_fam + description: netlink protocol number + type: keyword +- name: auditd.data.old_fs + description: file system being removed from vm + type: keyword +- name: auditd.data.old_ses + description: previous ses value + type: keyword +- name: auditd.data.new_ses + description: ses value + type: keyword +- name: auditd.data.seqno + description: 
sequence number + type: long +- name: auditd.data.fver + description: file system capabilities version number + type: keyword +- name: auditd.data.qbytes + description: ipc objects quantity of bytes + type: keyword +- name: auditd.data.seuser + description: user's SE Linux user acct + type: keyword +- name: auditd.data.cap_fe + description: file assigned effective capability map + type: keyword +- name: auditd.data.new_vcpu + description: new number of CPU cores + type: long +- name: auditd.data.old_level + description: old run level + type: keyword +- name: auditd.data.old_pp + description: old process permitted capability map + type: keyword +- name: auditd.data.daddr + description: remote IP address + type: ip +- name: auditd.data.old_role + description: present SELinux role + type: keyword +- name: auditd.data.ioctlcmd + description: The request argument to the ioctl syscall + type: keyword +- name: auditd.data.smac + description: local MAC address + type: keyword +- name: auditd.data.apparmor + description: apparmor event information + type: keyword +- name: auditd.data.fe + description: file assigned effective capability map + type: keyword +- name: auditd.data.perm_mask + description: file permission mask that triggered a watch event + type: keyword +- name: auditd.data.a0-N + description: the arguments to a syscall + type: keyword +- name: auditd.data.ses + description: login session ID + type: keyword +- name: auditd.data.cap_fi + description: file inherited capability map + type: keyword +- name: auditd.data.obj_uid + description: user ID of object + type: keyword +- name: auditd.data.reason + description: text string denoting a reason for the action + type: keyword +- name: auditd.data.list + description: the audit system's filter list number + type: keyword +- name: auditd.data.old_lock + description: present value of feature lock + type: keyword +- name: auditd.data.bus + description: name of subsystem bus a vm resource belongs to + type: keyword +- 
name: auditd.data.old_pe + description: old process effective capability map + type: keyword +- name: auditd.data.new_role + description: new SELinux role + type: keyword +- name: auditd.data.prom + description: network promiscuity flag + type: keyword +- name: auditd.data.uri + description: URI pointing to a printer + type: keyword +- name: auditd.data.audit_enabled + description: audit systems's enable/disable status + type: keyword +- name: auditd.data.old_log_passwd + description: present value for TTY password logging + type: keyword +- name: auditd.data.old_seuser + description: present SELinux user + type: keyword +- name: auditd.data.per + description: linux personality + type: keyword +- name: auditd.data.scontext + description: the subject's context string + type: keyword +- name: auditd.data.tclass + description: target's object classification + type: keyword +- name: auditd.data.ver + description: audit daemon's version number + type: keyword +- name: auditd.data.new + description: value being set in feature + type: keyword +- name: auditd.data.val + description: generic value associated with the operation + type: keyword +- name: auditd.data.img_ctx + description: the vm's disk image context string + type: keyword +- name: auditd.data.old_chardev + description: present character device assigned to vm + type: keyword +- name: auditd.data.old_val + description: current value of SELinux boolean + type: keyword +- name: auditd.data.success + description: whether the syscall was successful or not + type: keyword +- name: auditd.data.inode_uid + description: user ID of the inode's owner + type: keyword +- name: auditd.data.removed + description: number of deleted files + type: long +- name: auditd.data.socket.port + description: The port number. + type: long +- name: auditd.data.socket.saddr + description: The raw socket address structure. + type: keyword +- name: auditd.data.socket.addr + description: The remote address. 
+ type: keyword +- name: auditd.data.socket.family + description: The socket family (unix, ipv4, ipv6, netlink). + type: keyword +- name: auditd.data.socket.path + description: This is the path associated with a unix socket. + type: keyword +- name: auditd.data.audit_pid + type: long +- name: auditd.data.auid + type: keyword +- name: auditd.data.frootid + type: keyword +- name: auditd.data.old_pa + type: keyword +- name: auditd.data.pa + type: keyword +- name: auditd.data.pe + type: keyword +- name: auditd.data.pi + type: keyword +- name: auditd.data.pp + type: keyword +- name: auditd.data.result + type: keyword +- name: auditd.data + description: Auditd related data + type: flattened diff --git a/packages/auditd_manager/data_stream/auditd/manifest.yml b/packages/auditd_manager/data_stream/auditd/manifest.yml new file mode 100644 index 00000000000..1fea712b20d --- /dev/null +++ b/packages/auditd_manager/data_stream/auditd/manifest.yml 
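Review bot: The `auditd.paths.name` entry spells the key as `desription:` rather than `description:`, so that text is either silently dropped or rejected by the package validator depending on how strict it is; it should read `description: File name in avcs`. Separately, `auditd.paths` and `auditd.data` are declared `type: flattened` while the same file declares many `auditd.paths.*` and `auditd.data.*` children as `keyword`, `long` and `ip`; a flattened field cannot also be an object with typed children, so I would confirm which mapping the built template ends up with and remove the other, since if the flattened parent wins the `long`/`ip` typings (and the `convert` processors feeding them) have no effect. `auditd.data.ip` and `auditd.data.daddr` are typed `ip`, and a kernel-supplied value that is not a parsable address would cause Elasticsearch to reject the whole document, so for fields that carry raw kernel strings `keyword`, or `ignore_malformed` if the package spec allows it, is the safer choice. Finally `auditd.data.a0-N` is a placeholder that does not match the real `a0`..`a3` keys shown in the sample event; those keys only index via the flattened parent, which is worth stating in a comment such as `# a0..a3 are not declared individually; they are indexed through the flattened auditd.data parent`.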
@@ -0,0 +1,149 @@
+title: "Auditd Manager"
+type: logs
+streams:
+ - input: audit/auditd
+ title: Auditd events
+ template_path: auditd.yml.hbs
+ description: Collect auditd events
+ vars:
+ - name: multicast
+ type: bool
+ title: Multicast socket type
+ show_user: true
+ multi: false
+ default: false
+ description: |
+ This setting controls if the socket type used to receive events is multicast.
+ This setting should be disabled when `elastic-agent` is the primary userspace
+ daemon for receiving audit events and managing the rules. Only a single process
+ can receive audit events if this is disabled, so any other daemons should be
+ stopped (e.g. stop `auditd`).
+
+ This setting can be enabled with kernel versions 3.16 and newer. By setting it
+ `elastic-agent` will receive an audit event broadcast that is not exclusive
+ to a single process. This is ideal for situations where `auditd` is running and
+ managing the rules.
+
+ If it is set to `true`, but the kernel version is less than 3.16 it will be
+ automatically disabled.
+ - name: resolve_ids
+ type: bool
+ title: Resolve IDs
+ show_user: true
+ multi: false
+ default: true
+ description: Enables the resolution of UIDs and GIDs to their associated names.
+ - name: failure_mode
+ type: text
+ title: Failure mode
+ required: true
+ multi: false
+ show_user: false
+ default: silent
+ description: |
+ This determines the kernel's behavior on critical
+ failures such as errors sending events to `elastic-agent`, the backlog limit was
+ exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
+ options are `silent`, `log`, or `panic`. `silent` makes the kernel
+ ignore the errors, `log` makes the kernel write the audit messages using
+ `printk` so they show up in system's syslog, and `panic` causes the kernel to
+ panic to prevent use of the machine.
+ - name: audit_rules
+ type: text
+ title: Audit rules
+ required: true
+ multi: true
+ show_user: true
+ description: |
+ List of the audit rules that should be
+ installed to the kernel. There should be one rule per line. Comments can be
+ embedded in the string using `#` as a prefix. The format for rules is the same
+ used by the Linux `auditctl` utility. `elastic-agent` supports adding file watches
+ (`-w`) and syscall rules (`-a` or `-A`). For more information,
+ see the integration detail page.
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ default: false
+ multi: false
+ - name: backlog_limit
+ type: text
+ title: Backlog limit
+ required: true
+ show_user: false
+ default: 8192
+ description: This controls the maximum number of audit messages that will be buffered by the kernel.
+ multi: false
+ - name: rate_limit
+ type: text
+ title: Rate limit
+ required: true
+ show_user: false
+ default: 0
+ multi: false
+ description: |
+ This sets a rate limit on the number of messages/sec
+ delivered by the kernel. The default is `0`, which disables rate limiting.
+ Changing this value to anything other than zero can cause messages to be lost.
+ The preferred approach to reduce the messaging rate is be more selective in the
+ audit ruleset.
+ - name: include_warnings
+ required: true
+ show_user: false
+ multi: false
+ title: Include warnings
+ description: |
+ Causes to include as warnings any issues that were encountered while parsing the raw
+ messages. The messages are written to the `error.message` field.
+ When this setting is enabled the raw messages will be included
+ in the event regardless of the `Preserve original event` config setting. This
+ setting is primarily used for debugging purposes.
+ type: bool
+ default: false
+ - name: backpressure_strategy
+ type: text
+ title: Backpressure strategy
+ required: true
+ show_user: false
+ multi: false
+ default: auto
+ description: |
+ Specifies the strategy that used to
+ prevent backpressure from propagating to the kernel and impacting audited
+ processes.
+
+ The possible values are:
+
+ * `auto`: uses the `kernel` strategy, if supported, or
+ falls back to the `userspace` strategy.
+ * `kernel`: sets the `backlog_wait_time` in the kernel's
+ audit framework to 0. This causes events to be discarded in the kernel if
+ the audit backlog queue fills to capacity. Requires a 3.14 kernel or
+ newer.
+ * `userspace`: drops events when there is backpressure
+ from the publishing pipeline. If no `Rate limit` is set, sets a rate
+ limit of `5000`. Users should test their setup and adjust the `Rate limit`
+ option accordingly.
+ * `both`: uses the `kernel` and `userspace` strategies at the same
+ time.
+ * `none`: No backpressure mitigation measures are enabled.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - auditd_manager-auditd
+ - name: processors
+ type: yaml
+ title: Processors
+ required: false
+ show_user: false
+ multi: false
+ description: |
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata.
+ This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/auditd_manager/data_stream/auditd/sample_event.json b/packages/auditd_manager/data_stream/auditd/sample_event.json
new file mode 100644
index 00000000000..e999a53bf9c
--- /dev/null
+++ b/packages/auditd_manager/data_stream/auditd/sample_event.json
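Review bot: The `backpressure_strategy` description does not say how the `kernel` strategy interacts with `multicast: true`; `backlog_wait_time` is a single kernel-wide audit setting, so if the input applies it while `auditd` is the primary daemon the drops it causes would hit `auditd`'s own event stream as well, and the default `auto` would make that the out-of-the-box behaviour. I would either state that the kernel strategy is skipped in multicast mode, if the input does that, or add a line such as `When the multicast setting is enabled, prefer the userspace or none strategy; the kernel strategy changes a global kernel setting that also affects auditd.` In the same spirit, `failure_mode` defaults to `silent`, which for a security audit source means lost records leave no trace; it is worth adding that `log` is the lowest setting that makes loss observable in syslog, and that `panic` halts the host and belongs only where audit completeness outranks availability. Lastly, `failure_mode` and `backpressure_strategy` are enumerations expressed as unvalidated `text` vars, so a typo surfaces only at runtime on the endpoint; if the package spec version in use offers a `select`-style type with `options`, that would catch it in Fleet instead.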
@@ -0,0 +1,133 @@
+{
+ "@timestamp": "2022-05-12T13:10:13.230Z",
+ "agent": {
+ "ephemeral_id": "cfe4170e-f9b4-435f-b19c-a0e75b573b3a",
+ "id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
+ "name": "custom-agent",
+ "type": "auditbeat",
+ "version": "8.2.0"
+ },
+ "auditd": {
+ "data": {
+ "a0": "a",
+ "a1": "c00024e8c0",
+ "a2": "38",
+ "a3": "0",
+ "arch": "x86_64",
+ "audit_pid": "22501",
+ "auid": "unset",
+ "exit": "56",
+ "old": "0",
+ "op": "set",
+ "result": "success",
+ "ses": "unset",
+ "socket": {
+ "family": "netlink",
+ "saddr": "100000000000000000000000"
+ },
+ "syscall": "sendto",
+ "tty": "(none)"
+ },
+ "message_type": "config_change",
+ "messages": [
+ "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1",
+ "type=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)",
+ "type=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000",
+ "type=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C"
+ ],
+ "result": "success",
+ "summary": {
+ "actor": {
+ "primary": "unset",
+ "secondary": "root"
+ },
+ "how": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat",
+ "object": {
+ "primary": "set",
+ "type": "audit-config"
+ }
+ },
+ "user": {
+ "filesystem": {
+ "group": {
+ "id": "0",
+ "name": "root"
+ },
+ "id": "0",
+ "name": "root"
+ },
+ "saved": {
+ "group": {
+ "id": "0",
+ "name": "root"
+ },
+ "id": "0",
+ "name": "root"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "auditd_manager.auditd",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "changed-audit-configuration",
+ "agent_id_status": "verified",
+ "category": [
+ "process",
+ "configuration",
+ "network"
+ ],
+ "dataset": "auditd_manager.auditd",
+ "ingested": "2022-05-12T13:10:16Z",
+ "kind": "event",
+ "module": "auditd",
+ "original": "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1\ntype=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)\ntype=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C",
+ "outcome": "success",
+ "sequence": 94471,
+ "type": [
+ "change",
+ "connection",
+ "info"
+ ]
+ },
+ "host": {
+ "name": "custom-agent"
+ },
+ "network": {
+ "direction": "egress"
+ },
+ "process": {
+ "executable": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat",
+ "name": "auditbeat",
+ "parent": {
+ "pid": 9509
+ },
+ "pid": 22501,
+ "title": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat -c auditbeat.elastic-agent.yml"
+ },
+ "service": {
+ "type": "auditd"
+ },
+ "tags": [
+ "preserve_original_event",
+ "auditd_manager-auditd"
+ ],
+ "user": {
+ "group": {
+ "id": "0",
+ "name": "root"
+ },
+ "id": "0",
+ "name": "root"
+ }
+}
\ No newline at end of file
diff --git a/packages/auditd_manager/docs/README.md b/packages/auditd_manager/docs/README.md
new file mode 100644
index 00000000000..918d3f96a2a
--- /dev/null
+++ b/packages/auditd_manager/docs/README.md
@@ -0,0 +1,567 @@ +# Auditd Manager Integration + +The Auditd Manager Integration receives audit events from the Linux Audit Framework that +is a part of the Linux kernel. + +This integration is available only for Linux. + +## How it works + +This integration establishes a subscription to the kernel to receive the events +as they occur. + +The Linux Audit Framework can send multiple messages for a single auditable +event. For example, a `rename` syscall causes the kernel to send eight separate +messages. Each message describes a different aspect of the activity that is +occurring (the syscall itself, file paths, current working directory, process +title). This integration will combine all of the data from each of the messages +into a single event. + +Messages for one event can be interleaved with messages from another event. This +module will buffer the messages in order to combine related messages into a +single event even if they arrive interleaved or out of order. + +## Useful commands + +When running this integration, you might find that other monitoring tools interfere with it. + +For example, you might encounter errors if another process, such as `auditd`, is +registered to receive data from the Linux Audit Framework. You can use these +commands to see if the `auditd` service is running and stop it: + +* See if `auditd` is running: + +```shell +service auditd status +``` + +* Stop the `auditd` service: + +```shell +service auditd stop +``` + +* Disable `auditd` from starting on boot: + +```shell +chkconfig auditd off +``` + +To save CPU usage and disk space, you can use this command to stop `journald` +from listening to audit messages: + +```shell +systemctl mask systemd-journald-audit.socket +``` + +## Audit rules + +The audit rules are where you configure the activities that are audited. These +rules are configured as either syscalls or files that should be monitored. For +example you can track all `connect` syscalls or file system writes to +`/etc/passwd`. 
+ +Auditing a large number of syscalls can place a heavy load on the system so +consider carefully the rules you define and try to apply filters in the rules +themselves to be as selective as possible. + +The kernel evaluates the rules in the order in which they were defined so place +the most active rules first in order to speed up evaluation. + +You can assign keys to each rule for better identification of the rule that +triggered an event and easier filtering later in Elasticsearch. + +Defining any audit rules in the config causes `elastic-agent` to purge all +existing audit rules prior to adding the rules specified in the config. +Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule. + +Examples: + +```sh +## If you are on a 64 bit platform, everything should be running +## in 64 bit mode. This rule will detect any use of the 32 bit syscalls +## because this might be a sign of someone exploiting a hole in the 32 +## bit API. +-a always,exit -F arch=b32 -S all -F key=32bit-abi + +## Executions. +-a always,exit -F arch=b64 -S execve,execveat -k exec + +## External access (warning: these can be expensive to audit). +-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access + +## Unauthorized access attempts. +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access +-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access + +# Things that affect identity. +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity + +# Unauthorized access attempts to files (unsuccessful). 
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access +``` + +An example event for `auditd` looks as following: + +```json +{ + "@timestamp": "2022-05-12T13:10:13.230Z", + "agent": { + "ephemeral_id": "cfe4170e-f9b4-435f-b19c-a0e75b573b3a", + "id": "753ce520-4f32-45b1-9212-c4dcc9d575a1", + "name": "custom-agent", + "type": "auditbeat", + "version": "8.2.0" + }, + "auditd": { + "data": { + "a0": "a", + "a1": "c00024e8c0", + "a2": "38", + "a3": "0", + "arch": "x86_64", + "audit_pid": "22501", + "auid": "unset", + "exit": "56", + "old": "0", + "op": "set", + "result": "success", + "ses": "unset", + "socket": { + "family": "netlink", + "saddr": "100000000000000000000000" + }, + "syscall": "sendto", + "tty": "(none)" + }, + "message_type": "config_change", + "messages": [ + "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1", + "type=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)", + "type=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000", + "type=PROCTITLE msg=audit(1652361013.230:94471): 
proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C" + ], + "result": "success", + "summary": { + "actor": { + "primary": "unset", + "secondary": "root" + }, + "how": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat", + "object": { + "primary": "set", + "type": "audit-config" + } + }, + "user": { + "filesystem": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + }, + "saved": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + } + } + }, + "data_stream": { + "dataset": "auditd_manager.auditd", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "753ce520-4f32-45b1-9212-c4dcc9d575a1", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "changed-audit-configuration", + "agent_id_status": "verified", + "category": [ + "process", + "configuration", + "network" + ], + "dataset": "auditd_manager.auditd", + "ingested": "2022-05-12T13:10:16Z", + "kind": "event", + "module": "auditd", + "original": "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1\ntype=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)\ntype=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1652361013.230:94471): 
proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C", + "outcome": "success", + "sequence": 94471, + "type": [ + "change", + "connection", + "info" + ] + }, + "host": { + "name": "custom-agent" + }, + "network": { + "direction": "egress" + }, + "process": { + "executable": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat", + "name": "auditbeat", + "parent": { + "pid": 9509 + }, + "pid": 22501, + "title": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat -c auditbeat.elastic-agent.yml" + }, + "service": { + "type": "auditd" + }, + "tags": [ + "preserve_original_event", + "auditd_manager-auditd" + ], + "user": { + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | +| auditd.data | Auditd related data | flattened | +| auditd.data.a0-N | the arguments to a syscall | keyword | +| auditd.data.acct | a user's account name | keyword | +| auditd.data.acl | access mode of resource assigned to vm | keyword | +| auditd.data.action | netfilter packet disposition | keyword | +| auditd.data.added | number of new files detected | long | +| auditd.data.addr | the remote address that the user is connecting from | keyword | +| auditd.data.apparmor | apparmor event information | keyword | +| auditd.data.arch | the elf architecture flags | keyword | +| auditd.data.argc | the number of arguments to an execve syscall | long | +| auditd.data.audit_backlog_limit | audit system's backlog queue size | keyword | +| auditd.data.audit_backlog_wait_time | audit system's backlog wait time | keyword | +| auditd.data.audit_enabled | audit systems's enable/disable status | keyword | +| auditd.data.audit_failure | audit system's failure mode | keyword | +| auditd.data.audit_pid | | long | +| auditd.data.auid | | keyword | +| auditd.data.banners | banners used on printed page | keyword | +| auditd.data.bool | name of SELinux boolean | keyword | +| auditd.data.bus | name of subsystem bus a vm resource belongs to | keyword | +| auditd.data.cap_fe | file assigned effective capability map | keyword | +| auditd.data.cap_fi | file inherited capability map | keyword | +| auditd.data.cap_fp | file permitted capability map | keyword | +| auditd.data.cap_fver | file system capabilities version number | keyword | +| auditd.data.cap_pe | process effective capability map | keyword | +| auditd.data.cap_pi | process inherited capability map | keyword | +| auditd.data.cap_pp | process permitted capability map | keyword | +| auditd.data.capability | posix capabilities | keyword | +| auditd.data.cgroup | path to cgroup in sysfs | keyword | +| auditd.data.changed | number of changed files | long | +| auditd.data.cipher | name of crypto cipher selected | keyword | +| 
auditd.data.class | resource class assigned to vm | keyword | +| auditd.data.cmd | command being executed | keyword | +| auditd.data.code | seccomp action code | keyword | +| auditd.data.compat | is_compat_task result | keyword | +| auditd.data.daddr | remote IP address | ip | +| auditd.data.data | TTY text | keyword | +| auditd.data.default_context | default MAC context | keyword | +| auditd.data.device | device name | keyword | +| auditd.data.dir | directory name | keyword | +| auditd.data.direction | direction of crypto operation | keyword | +| auditd.data.dmac | remote MAC address | keyword | +| auditd.data.dport | remote port number | long | +| auditd.data.enforcing | new MAC enforcement status | keyword | +| auditd.data.entries | number of entries in the netfilter table | long | +| auditd.data.exit | syscall exit code | long | +| auditd.data.fam | socket address family | keyword | +| auditd.data.family | netfilter protocol | keyword | +| auditd.data.fd | file descriptor number | keyword | +| auditd.data.fe | file assigned effective capability map | keyword | +| auditd.data.feature | kernel feature being changed | keyword | +| auditd.data.fi | file assigned inherited capability map | keyword | +| auditd.data.file | file name | keyword | +| auditd.data.flags | mmap syscall flags | keyword | +| auditd.data.format | audit log's format | keyword | +| auditd.data.fp | crypto key finger print | keyword | +| auditd.data.frootid | | keyword | +| auditd.data.fver | file system capabilities version number | keyword | +| auditd.data.grantors | pam modules approving the action | keyword | +| auditd.data.grp | group name | keyword | +| auditd.data.hook | netfilter hook that packet came from | keyword | +| auditd.data.hostname | the hostname that the user is connecting from | keyword | +| auditd.data.icmp_type | type of icmp message | keyword | +| auditd.data.id | during account changes | keyword | +| auditd.data.igid | ipc object's group ID | keyword | +| 
auditd.data.img_ctx | the vm's disk image context string | keyword | +| auditd.data.inif | in interface number | keyword | +| auditd.data.ino | inode number | keyword | +| auditd.data.inode_gid | group ID of the inode's owner | keyword | +| auditd.data.inode_uid | user ID of the inode's owner | keyword | +| auditd.data.invalid_context | SELinux context | keyword | +| auditd.data.ioctlcmd | The request argument to the ioctl syscall | keyword | +| auditd.data.ip | network address of a printer | ip | +| auditd.data.ipid | IP datagram fragment identifier | keyword | +| auditd.data.ipx_net | IPX network number | keyword | +| auditd.data.items | the number of path records in the event | long | +| auditd.data.iuid | ipc object's user ID | keyword | +| auditd.data.kernel | kernel's version number | keyword | +| auditd.data.kind | server or client in crypto operation | keyword | +| auditd.data.ksize | key size for crypto operation | keyword | +| auditd.data.laddr | local network address | keyword | +| auditd.data.len | length | keyword | +| auditd.data.list | the audit system's filter list number | keyword | +| auditd.data.lport | local network port | long | +| auditd.data.mac | crypto MAC algorithm selected | keyword | +| auditd.data.macproto | ethernet packet type ID field | keyword | +| auditd.data.maj | device major number | keyword | +| auditd.data.major | device major number | keyword | +| auditd.data.minor | device minor number | keyword | +| auditd.data.model | security model being used for virt | keyword | +| auditd.data.msg | the payload of the audit record | keyword | +| auditd.data.nargs | the number of arguments to a socket call | long | +| auditd.data.net | network MAC address | keyword | +| auditd.data.new | value being set in feature | keyword | +| auditd.data.new_chardev | new character device being assigned to vm | keyword | +| auditd.data.new_disk | disk being added to vm | keyword | +| auditd.data.new_enabled | new TTY audit enabled setting | keyword | 
+| auditd.data.new_fs | file system being added to vm | keyword | +| auditd.data.new_gid | new group ID being assigned | keyword | +| auditd.data.new_level | new run level | keyword | +| auditd.data.new_lock | new value of feature lock | keyword | +| auditd.data.new_log_passwd | new value for TTY password logging | keyword | +| auditd.data.new_mem | new amount of memory in KB | keyword | +| auditd.data.new_net | MAC address being assigned to vm | keyword | +| auditd.data.new_pe | new process effective capability map | keyword | +| auditd.data.new_pi | new process inherited capability map | keyword | +| auditd.data.new_pp | new process permitted capability map | keyword | +| auditd.data.new_range | new SELinux range | keyword | +| auditd.data.new_rng | device name of rng being added from a vm | keyword | +| auditd.data.new_role | new SELinux role | keyword | +| auditd.data.new_ses | ses value | keyword | +| auditd.data.new_seuser | new SELinux user | keyword | +| auditd.data.new_vcpu | new number of CPU cores | long | +| auditd.data.nlnk_fam | netlink protocol number | keyword | +| auditd.data.nlnk_grp | netlink group number | keyword | +| auditd.data.nlnk_pid | pid of netlink packet sender | long | +| auditd.data.oauid | object's login user ID | keyword | +| auditd.data.obj | lspp object context string | keyword | +| auditd.data.obj_gid | group ID of object | keyword | +| auditd.data.obj_uid | user ID of object | keyword | +| auditd.data.ocomm | object's command line name | keyword | +| auditd.data.oflag | open syscall flags | keyword | +| auditd.data.old | old value | keyword | +| auditd.data.old_auid | previous auid value | keyword | +| auditd.data.old_chardev | present character device assigned to vm | keyword | +| auditd.data.old_disk | disk being removed from vm | keyword | +| auditd.data.old_enabled | present TTY audit enabled setting | keyword | +| auditd.data.old_enforcing | old MAC enforcement status | keyword | +| auditd.data.old_fs | file system being 
removed from vm | keyword | +| auditd.data.old_level | old run level | keyword | +| auditd.data.old_lock | present value of feature lock | keyword | +| auditd.data.old_log_passwd | present value for TTY password logging | keyword | +| auditd.data.old_mem | present amount of memory in KB | keyword | +| auditd.data.old_net | present MAC address assigned to vm | keyword | +| auditd.data.old_pa | | keyword | +| auditd.data.old_pe | old process effective capability map | keyword | +| auditd.data.old_pi | old process inherited capability map | keyword | +| auditd.data.old_pp | old process permitted capability map | keyword | +| auditd.data.old_prom | network promiscuity flag | keyword | +| auditd.data.old_range | present SELinux range | keyword | +| auditd.data.old_rng | device name of rng being removed from a vm | keyword | +| auditd.data.old_role | present SELinux role | keyword | +| auditd.data.old_ses | previous ses value | keyword | +| auditd.data.old_seuser | present SELinux user | keyword | +| auditd.data.old_val | current value of SELinux boolean | keyword | +| auditd.data.old_vcpu | present number of CPU cores | long | +| auditd.data.op | the operation being performed that is audited | keyword | +| auditd.data.opid | object's process ID | long | +| auditd.data.oses | object's session ID | keyword | +| auditd.data.outif | out interface number | keyword | +| auditd.data.pa | | keyword | +| auditd.data.parent | the inode number of the parent file | keyword | +| auditd.data.pe | | keyword | +| auditd.data.per | linux personality | keyword | +| auditd.data.perm | the file permission being used | keyword | +| auditd.data.perm_mask | file permission mask that triggered a watch event | keyword | +| auditd.data.permissive | SELinux is in permissive mode | keyword | +| auditd.data.pfs | perfect forward secrecy method | keyword | +| auditd.data.pi | | keyword | +| auditd.data.pp | | keyword | +| auditd.data.printer | printer name | keyword | +| auditd.data.prom | network 
promiscuity flag | keyword | +| auditd.data.proto | network protocol | keyword | +| auditd.data.qbytes | ipc objects quantity of bytes | keyword | +| auditd.data.range | user's SE Linux range | keyword | +| auditd.data.reason | text string denoting a reason for the action | keyword | +| auditd.data.removed | number of deleted files | long | +| auditd.data.res | result of the audited operation(success/fail) | keyword | +| auditd.data.reset | | keyword | +| auditd.data.resrc | resource being assigned | keyword | +| auditd.data.result | | keyword | +| auditd.data.rport | remote port number | long | +| auditd.data.sauid | sent login user ID | keyword | +| auditd.data.scontext | the subject's context string | keyword | +| auditd.data.selected_context | new MAC context assigned to session | keyword | +| auditd.data.seperm | SELinux permission being decided on | keyword | +| auditd.data.seperms | SELinux permissions being used | keyword | +| auditd.data.seqno | sequence number | long | +| auditd.data.seresult | SELinux AVC decision granted/denied | keyword | +| auditd.data.ses | login session ID | keyword | +| auditd.data.seuser | user's SE Linux user acct | keyword | +| auditd.data.sig | signal number | keyword | +| auditd.data.sigev_signo | signal number | keyword | +| auditd.data.smac | local MAC address | keyword | +| auditd.data.socket.addr | The remote address. | keyword | +| auditd.data.socket.family | The socket family (unix, ipv4, ipv6, netlink). | keyword | +| auditd.data.socket.path | This is the path associated with a unix socket. | keyword | +| auditd.data.socket.port | The port number. | long | +| auditd.data.socket.saddr | The raw socket address structure. 
| keyword | +| auditd.data.spid | sent process ID | long | +| auditd.data.sport | local port number | long | +| auditd.data.state | audit daemon configuration resulting state | keyword | +| auditd.data.subj | lspp subject's context string | keyword | +| auditd.data.success | whether the syscall was successful or not | keyword | +| auditd.data.syscall | syscall number in effect when the event occurred | keyword | +| auditd.data.table | netfilter table name | keyword | +| auditd.data.tclass | target's object classification | keyword | +| auditd.data.tcontext | the target's or object's context string | keyword | +| auditd.data.terminal | terminal name the user is running programs on | keyword | +| auditd.data.tty | tty udevice the user is running programs on | keyword | +| auditd.data.unit | systemd unit | keyword | +| auditd.data.uri | URI pointing to a printer | keyword | +| auditd.data.uuid | a UUID | keyword | +| auditd.data.val | generic value associated with the operation | keyword | +| auditd.data.ver | audit daemon's version number | keyword | +| auditd.data.virt | kind of virtualization being referenced | keyword | +| auditd.data.vm | virtual machine name | keyword | +| auditd.data.vm_ctx | the vm's context string | keyword | +| auditd.data.vm_pid | vm's process ID | long | +| auditd.data.watch | file name in a watch record | keyword | +| auditd.file.selinux.domain | The actor's SELinux domain or type. | keyword | +| auditd.file.selinux.level | The actor's SELinux level. | keyword | +| auditd.file.selinux.role | User's SELinux role | keyword | +| auditd.file.selinux.user | Account submitted for authentication | keyword | +| auditd.message_type | The audit message type (e.g. syscall or apparmor_denied). | keyword | +| auditd.messages | An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config. 
| keyword | +| auditd.paths | | flattened | +| auditd.paths.dev | Device name as found in /dev | keyword | +| auditd.paths.inode | inode number | keyword | +| auditd.paths.item | Which item is being recorded | keyword | +| auditd.paths.mode | Mode flags on a file | keyword | +| auditd.paths.name | | keyword | +| auditd.paths.nametype | Kind of file operation being referenced | keyword | +| auditd.paths.obj_domain | | keyword | +| auditd.paths.obj_level | | keyword | +| auditd.paths.obj_role | | keyword | +| auditd.paths.obj_type | | keyword | +| auditd.paths.obj_user | | keyword | +| auditd.paths.ogid | File owner group ID | keyword | +| auditd.paths.ouid | File owner user ID | keyword | +| auditd.paths.rdev | The device identifier (special files only) | keyword | +| auditd.result | The result of the audited operation (success/fail). | keyword | +| auditd.session | The session ID assigned to a login. All events related to a login session will have the same value. | keyword | +| auditd.summary.actor.primary | The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account. | keyword | +| auditd.summary.actor.secondary | The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su. | keyword | +| auditd.summary.how | This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event. | keyword | +| auditd.summary.object.primary | | keyword | +| auditd.summary.object.secondary | | keyword | +| auditd.summary.object.type | A description of the what the "thing" is (e.g. file, socket, user-session). 
| keyword | +| auditd.user.audit.id | | keyword | +| auditd.user.audit.name | | keyword | +| auditd.user.filesystem.group.id | | keyword | +| auditd.user.filesystem.group.name | | keyword | +| auditd.user.filesystem.id | | keyword | +| auditd.user.filesystem.name | | keyword | +| auditd.user.new_auid.id | | keyword | +| auditd.user.new_auid.name | | keyword | +| auditd.user.old_auid.id | | keyword | +| auditd.user.old_auid.name | | keyword | +| auditd.user.saved.group.id | | keyword | +| auditd.user.saved.group.name | | keyword | +| auditd.user.saved.id | | keyword | +| auditd.user.saved.name | | keyword | +| auditd.user.selinux.category | The actor's SELinux category or compartments. | keyword | +| auditd.user.selinux.domain | The actor's SELinux domain or type. | keyword | +| auditd.user.selinux.level | The actor's SELinux level. | keyword | +| auditd.user.selinux.role | User's SELinux role | keyword | +| auditd.user.selinux.user | Account submitted for authentication | keyword | +| auditd.warnings | The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| file.device | Device that is the source of the file. | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.group | Primary group name of the file. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mode | Mode of the file in octal representation. | keyword | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. 
| keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. 
| match_only_text |
+| process.working_directory | The working directory of the process. | keyword |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.effective.group.name | Name of the group. | keyword |
+| user.effective.id | Unique identifier of the user. | keyword |
+| user.effective.name | Short name or login of the user. | keyword |
+| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.group.name | Name of the group. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.target.group.name | Name of the group. | keyword |
+| user.target.id | Unique identifier of the user. 
| keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + diff --git a/packages/auditd_manager/img/executions.png b/packages/auditd_manager/img/executions.png new file mode 100644 index 00000000000..0d490acd6c6 Binary files /dev/null and b/packages/auditd_manager/img/executions.png differ diff --git a/packages/auditd_manager/img/linux.svg b/packages/auditd_manager/img/linux.svg new file mode 100644 index 00000000000..c0a92e0c0f4 --- /dev/null +++ b/packages/auditd_manager/img/linux.svg @@ -0,0 +1,1532 @@ + + + + Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + Tux + 20 June 2012 + + + Garrett LeSage + + + + + + Larry Ewing, the creator of the original Tux graphic + + + + + tux + Linux + penguin + logo + + + + + Larry Ewing, Garrett LeSage + + + https://github.com/garrett/Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/auditd_manager/img/overview.png b/packages/auditd_manager/img/overview.png new file mode 100644 index 00000000000..dbc3e910314 Binary files /dev/null and b/packages/auditd_manager/img/overview.png differ 
diff --git a/packages/auditd_manager/img/sockets.png b/packages/auditd_manager/img/sockets.png
new file mode 100644
index 00000000000..152107aa068
Binary files /dev/null and b/packages/auditd_manager/img/sockets.png differ
diff --git a/packages/auditd_manager/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json
new file mode 100644
index 00000000000..fa68cd21aaf
--- /dev/null
+++ b/packages/auditd_manager/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json
@@ -0,0 +1,651 @@ +{ + "attributes": { + "description": "Summary of socket related syscall events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "data_stream.dataset:auditd_manager.auditd" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "#### [Overview](/app/dashboards#/view/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16) - **Sockets** - [Executions](/app/dashboards#/view/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "2b0bfe71-70d5-431c-a7ae-45b965ce1b16", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "2b0bfe71-70d5-431c-a7ae-45b965ce1b16", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": {} + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "95b603d0-c252-11e7-8a68-93ffe9ec5950" + } + ], + "bar_color_rules": [ + { + "id": "2cebb0c0-c252-11e7-8a68-93ffe9ec5950" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "lucene", + "query": "auditd.summary.object.type:socket" + }, + "gauge_color_rules": [ + { + "id": "6c891740-c252-11e7-8a68-93ffe9ec5950" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "logs-*", + "interval": 
"auto", + "legend_position": "left", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "syscall", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "auditd.data.syscall" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "type": "metrics", + "uiState": {} + } + }, + "gridData": { + "h": 12, + "i": "a9f3b71d-3b8f-44c0-b581-ba208c117e05", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "a9f3b71d-3b8f-44c0-b581-ba208c117e05", + "title": "[Auditd Manager] Socket Syscalls Time Series", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "emptyAsNull": false + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Socket Family", + "field": "auditd.data.socket.family", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Syscall", + "field": "auditd.data.syscall", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "addTooltip": true, + "distinctColors": true, + "emptySizeRatio": 0.3, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendDisplay": "show", + "legendPosition": "left", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "type": "pie", + "uiState": {} + } + }, + "gridData": { + "h": 16, + "i": "843ccc25-3963-4bd5-838e-b40019bcf3c5", + "w": 24, + "x": 0, + "y": 16 + }, + "panelIndex": "843ccc25-3963-4bd5-838e-b40019bcf3c5", + "title": "[Auditd Manager] Socket Families", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "emptyAsNull": false + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Exe", + "field": "auditd.summary.how", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 50 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Address", + "field": "auditd.summary.object.primary", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Port", + "field": "auditd.summary.object.secondary", + "missingBucket": false, + "missingBucketLabel": "Missing", + 
"order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "searchSource": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "apply": true, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "auditd.summary.object.secondary", + "negate": true, + "params": { + "query": "0", + "type": "phrase" + }, + "type": "phrase", + "value": "0" + }, + "query": { + "match": { + "auditd.summary.object.secondary": { + "query": "0", + "type": "phrase" + } + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": true, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "type": "table", + "uiState": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + } + } + }, + "gridData": { + "h": 16, + "i": "1e9272d7-090a-443b-bc0c-3d8afae53e76", + "w": 24, + "x": 24, + "y": 16 + }, + "panelIndex": "1e9272d7-090a-443b-bc0c-3d8afae53e76", + "title": "[Auditd Manager] Bind (non-ephemeral)", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "emptyAsNull": false + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Exe", + "field": "process.executable", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 50 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + 
"id": "3", + "params": { + "customLabel": "Address", + "field": "auditd.summary.object.primary", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Port", + "field": "auditd.summary.object.secondary", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": true, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "type": "table", + "uiState": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + } + } + }, + "gridData": { + "h": 20, + "i": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e", + "w": 24, + "x": 0, + "y": 32 + }, + "panelIndex": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e", + "title": "[Auditd Manager] Connect", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Unique Addresses", + "emptyAsNull": false, + "field": "auditd.summary.object.primary" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Exe", + "field": "process.executable", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + 
"otherBucketLabel": "Other", + "size": 50 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Syscall", + "field": "auditd.data.syscall", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "autoFitRowToContent": false, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": true, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "type": "table", + "uiState": { + "spy": { + "mode": { + "fill": false, + "name": null + } + }, + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + } + } + }, + "gridData": { + "h": 20, + "i": "cd08c022-92e5-4012-a94d-6e459948c42c", + "w": 24, + "x": 24, + "y": 32 + }, + "panelIndex": "cd08c022-92e5-4012-a94d-6e459948c42c", + "title": "[Auditd Manager] Accept / Recvfrom Unique Address Table", + "type": "visualization", + "version": "8.2.0" + } + ], + "timeRestore": false, + "title": "[Auditd Manager] Sockets", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "logs-*", + "name": "843ccc25-3963-4bd5-838e-b40019bcf3c5:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a", + "name": "1e9272d7-090a-443b-bc0c-3d8afae53e76:search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": 
"1e9272d7-090a-443b-bc0c-3d8afae53e76:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a", + "name": "d91afd3e-4c8e-41d9-b038-78bcffbe1e0e:search_0", + "type": "search" + }, + { + "id": "auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a", + "name": "cd08c022-92e5-4012-a94d-6e459948c42c:search_0", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/auditd_manager/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json b/packages/auditd_manager/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json new file mode 100644 index 00000000000..da1deead6e9 --- /dev/null +++ b/packages/auditd_manager/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json 
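Review bot: The TSVB panel "[Auditd Manager] Socket Syscalls Time Series" queries the raw `"index_pattern": "logs-*"` with `"use_kibana_indexes": false`, and its panel-level filter is only `auditd.summary.object.type:socket`, so restricting the series to this integration's events rests entirely on the dashboard-level query `data_stream.dataset:auditd_manager.auditd`. If a user clears or edits the global query, or the panel is reused on another dashboard, the count will presumably include matching documents from every `logs-*` index, which makes the chart misleading as a triage view. Consider scoping the panel itself, `"query": "auditd.summary.object.type:socket AND data_stream.dataset:auditd_manager.auditd"`. The same applies to the "[Auditd Manager] Event Actions" TSVB panel in the Overview dashboard added later in this commit, whose panel filter `"query"` is empty.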
@@ -0,0 +1,327 @@ +{ + "attributes": { + "description": "Overview of kernel executions", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "data_stream.dataset:auditd_manager.auditd" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "6", + "w": 48, + "x": 0, + "y": 16 + }, + "panelIndex": "6", + "panelRefName": "panel_6", + "type": "search", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "#### [Overview](/app/dashboards#/view/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16) - [Sockets](/app/dashboards#/view/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a) - **Executions**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "f2ce7c72-d0f9-41a5-8738-11d4820c0774", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "f2ce7c72-d0f9-41a5-8738-11d4820c0774", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "emptyAsNull": false + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "auditd.summary.actor.primary", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [], 
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "maxFontSize": 45, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": true + }, + "type": "tagcloud", + "uiState": {} + } + }, + "gridData": { + "h": 12, + "i": "4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67", + "w": 16, + "x": 32, + "y": 4 + }, + "panelIndex": "4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67", + "title": "[Auditd Manager] Primary Username Tag Cloud", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "emptyAsNull": false + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "process.executable", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "maxFontSize": 45, + "minFontSize": 14, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": true + }, + "type": "tagcloud", + "uiState": {} + } + }, + "gridData": { + "h": 12, + "i": "459f779e-e668-4048-a1d5-fa5806262646", + "w": 16, + "x": 0, + "y": 4 + }, + "panelIndex": "459f779e-e668-4048-a1d5-fa5806262646", + "title": "[Auditd Manager] Executable Name Tag Cloud", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "emptyAsNull": false + }, + 
"schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "auditd.data.exit", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "Command executions", + "params": { + "addTooltip": true, + "distinctColors": true, + "emptySizeRatio": 0.3, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendDisplay": "show", + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "type": "pie", + "uiState": {} + } + }, + "gridData": { + "h": 12, + "i": "b65a07a2-a0d7-4dab-921a-8afbe066d025", + "w": 16, + "x": 16, + "y": 4 + }, + "panelIndex": "b65a07a2-a0d7-4dab-921a-8afbe066d025", + "title": "[Auditd Manager] Error Codes", + "type": "visualization", + "version": "8.2.0" + } + ], + "timeRestore": false, + "title": "[Auditd Manager] Executions", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16", + "name": "6:panel_6", + "type": "search" + }, + { + "id": "logs-*", + "name": "4dd0c4a9-2eeb-4bba-bcdb-ca6c2e389e67:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16", + "name": "459f779e-e668-4048-a1d5-fa5806262646:search_0", + "type": "search" + }, + { + "id": 
"auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16", + "name": "b65a07a2-a0d7-4dab-921a-8afbe066d025:search_0", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/auditd_manager/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json b/packages/auditd_manager/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json new file mode 100644 index 00000000000..0a6c0b20a2b --- /dev/null +++ b/packages/auditd_manager/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json 
@@ -0,0 +1,293 @@ +{ + "attributes": { + "description": "Summary of Linux kernel audit events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "data_stream.dataset:auditd_manager.auditd" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "5", + "w": 48, + "x": 0, + "y": 16 + }, + "panelIndex": "5", + "panelRefName": "panel_5", + "type": "search", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "#### **Overview** - [Sockets](/app/dashboards#/view/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a) - [Executions](/app/dashboards#/view/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "7969164a-3810-485c-b3ad-948b1930f6d0", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "7969164a-3810-485c-b3ad-948b1930f6d0", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": {} + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "58c95a20-c1bd-11e7-938f-ab0645b6c431" + } + ], + "bar_color_rules": [ + { + "id": "5bfc71a0-c1bd-11e7-938f-ab0645b6c431" + } + ], + "drop_last_bucket": 1, + "filter": { + "language": "lucene", + "query": "" + }, + "gauge_color_rules": [ + { + "id": 
"5d20a650-c1bd-11e7-938f-ab0645b6c431" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "logs-*", + "interval": "auto", + "legend_position": "left", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Actions", + "line_width": 1, + "metrics": [ + { + "id": "6b9fb2d0-c1bc-11e7-938f-ab0645b6c431", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "event.action" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "type": "metrics", + "uiState": {} + } + }, + "gridData": { + "h": 12, + "i": "c89b1ae9-3f74-4088-bb68-a0fdcf3aad94", + "w": 28, + "x": 0, + "y": 4 + }, + "panelIndex": "c89b1ae9-3f74-4088-bb68-a0fdcf3aad94", + "title": "[Auditd Manager] Event Actions", + "type": "visualization", + "version": "8.2.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "emptyAsNull": false + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Category", + "field": "event.category", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Action", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": 
false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "addTooltip": true, + "distinctColors": true, + "emptySizeRatio": 0.3, + "isDonut": true, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "percent" + }, + "legendDisplay": "show", + "legendPosition": "right", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "type": "pie", + "uiState": {} + } + }, + "gridData": { + "h": 12, + "i": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5", + "w": 20, + "x": 28, + "y": 4 + }, + "panelIndex": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5", + "title": "[Auditd Manager] Event Categories", + "type": "visualization", + "version": "8.2.0" + } + ], + "timeRestore": false, + "title": "[Auditd Manager] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16", + "name": "5:panel_5", + "type": "search" + }, + { + "id": "auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16", + "name": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5:search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "af0b3b3c-90d5-4490-a2d0-9c0050d2adf5:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/auditd_manager/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json b/packages/auditd_manager/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json new file mode 100644 index 00000000000..0121ff18569 --- /dev/null +++ b/packages/auditd_manager/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json @@ -0,0 +1,50 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "auditd.summary.actor.primary", + "auditd.summary.actor.secondary", + "event.action", + "auditd.summary.object.type", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.summary.how", + "auditd.result" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Audit Event Table", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd_manager/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json new file mode 100644 index 00000000000..44c728a25cf --- /dev/null +++ b/packages/auditd_manager/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "auditd.result", + "auditd.data.exit" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "key": "event.action", + "negate": false, + "params": { + "query": "connected-to", + "type": "phrase" + }, + "type": "phrase", + "value": "connected-to" + }, + "query": { + "match": { + "event.action": { + "query": "connected-to", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "auditd.summary.object.primary" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "key": "auditd.summary.object.primary", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Socket Connects", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd_manager/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json new file mode 100644 index 00000000000..cf533f1ec4a --- /dev/null 
+++ b/packages/auditd_manager/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json @@ -0,0 +1,100 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "auditd.result" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "key": "auditd.data.syscall", + "negate": false, + "params": { + "query": "bind", + "type": "phrase" + }, + "type": "phrase", + "value": "bind" + }, + "query": { + "match": { + "auditd.data.syscall": { + "query": "bind", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "key": "auditd.data.socket.family", + "negate": true, + "params": { + "query": "netlink", + "type": "phrase" + }, + "type": "phrase", + "value": "netlink" + }, + "query": { + "match": { + "auditd.data.socket.family": { + "query": "netlink", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Socket Binds", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
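Review bot: The Socket Binds search filters on the raw `auditd.data.syscall: bind`, while the Socket Connects search in the same PR filters on the normalized `event.action: connected-to`, so the two views depend on different fields and will diverge if syscall-name resolution is ever missing for an architecture. If the pipeline assigns a normalized `event.action` for bind the way it does for connect, filtering on that value would be consistent with the connects view; otherwise a short `description` explaining why the raw syscall field is used here would help the next maintainer. The negated `auditd.data.socket.family: netlink` filter also hides binds by tooling that talks to the kernel over netlink, which is presumably intended but worth stating in that same description.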
diff --git a/packages/auditd_manager/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json b/packages/auditd_manager/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json new file mode 100644 index 00000000000..7aed260733d --- /dev/null +++ b/packages/auditd_manager/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "process.args", + "auditd.summary.actor.primary", + "auditd.summary.actor.secondary", + "process.executable" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "key": "event.action", + "negate": false, + "params": { + "query": "executed", + "type": "phrase" + }, + "type": "phrase", + "value": "executed" + }, + "query": { + "match": { + "event.action": { + "query": "executed", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Process Executions", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd_manager/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json b/packages/auditd_manager/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json new file mode 100644 index 00000000000..0553a811b95 --- /dev/null 
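Review bot: The Process Executions `columns` array (`agent.name`, `process.args`, actor primary/secondary, `process.executable`) has no outcome field, so a denied or failed exec attempt is indistinguishable from a successful one in the table, even though the other saved searches in this PR surface `auditd.result`. Adding `"auditd.result"` (or `event.outcome`, if the pipeline populates it — not visible here) to the columns makes failed executions, which are the interesting rows for triage, stand out. Whether a failed execve is tagged `event.action: executed` at all depends on the pipeline, so confirm against sample data before relying on this view for that.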
+++ b/packages/auditd_manager/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "columns": [ + "agent.name", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "key": "auditd.summary.object.type", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "auditd.summary.object.type": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "auditd.summary.object.primary" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "key": "auditd.summary.object.primary", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"terms\":{\"auditd.data.syscall\":[\"accept\",\"accept4\",\"recvfrom\",\"recvmsg\"]}}" + }, + "query": { + "terms": { + "auditd.data.syscall": [ + "accept", + "accept4", + "recvfrom", + "recvmsg" + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Auditd Manager] Socket Accept / Recvfrom", + "version": 1 + }, + "coreMigrationVersion": "8.2.0", + "id": "auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a", + "migrationVersion": { + "search": "8.0.0" + }, + 
"references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd_manager/manifest.yml b/packages/auditd_manager/manifest.yml new file mode 100644 index 00000000000..54cdec9e08e --- /dev/null +++ b/packages/auditd_manager/manifest.yml @@ -0,0 +1,41 @@ +format_version: 1.0.0 +name: auditd_manager +title: "Auditd Manager" +version: 1.0.0 +release: ga +license: basic +description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel." +type: integration +categories: + - os_system + - security +conditions: + kibana.version: "^8.2.0" +screenshots: + - src: /img/overview.png + title: Overview Dashboard + size: 1374x903 + type: image/png + - src: /img/sockets.png + title: Sockets Dashboard + size: 1362x1043 + type: image/png + - src: /img/executions.png + title: Executions Dashboard + size: 1375x900 + type: image/png +icons: + - src: /img/linux.svg + title: linux + size: 299x354 + type: image/svg+xml +policy_templates: + - name: auditd + title: Auditd + description: Collect auditd events + inputs: + - type: audit/auditd + title: Collect auditd events + description: Collecting auditd events +owner: + github: elastic/security-external-integrations
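Review bot: The custom terms filter in the Socket Accept / Recvfrom search lists `accept`, `accept4`, `recvfrom` and `recvmsg`, but Linux also has `recvmmsg`, so datagram receivers using the batched call would be missed if the configured audit rules capture it; consider adding it to the `terms` array and to the stringified copy in `meta.value`. That `meta.value` string is a second, display-only copy of the query, so the two must be kept in sync by hand whenever the list changes — a `description` noting this would help. The title also names only "Accept / Recvfrom" although the filter covers `recvmsg` as well.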
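Review bot: The manifest's `description` and the `audit/auditd` policy template say only what is collected, nothing about what the input needs from the host: reading from the kernel audit subsystem normally requires root or CAP_AUDIT_CONTROL/CAP_AUDIT_READ, and the kernel registers a single consumer on the audit unicast socket, so a running auditd daemon presumably conflicts with the agent unless a multicast mode is used — the input implementation is not in this diff, so confirm the exact requirement. Stating it in the policy template, e.g. `description: Collect auditd events. Requires root or CAP_AUDIT_CONTROL; see the README for coexistence with a running auditd.`, would prevent silent no-data deployments. Shipping a brand-new package directly as `release: ga` at `1.0.0` is also unusual for a first release; `beta` is the more conservative choice if the data stream schema may still change.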