Hey all, I was wondering if anyone working with the audit logs has come up with a way to correlate actions/events to usernames.
This is an example of an event I'd be interested in correlating to a user:

----
type=PATH msg=audit(08/17/2011 10:06:46.243:548) : flags=follow,open inode=213007 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(08/17/2011 10:06:46.243:548) : name=/bin/cat flags=follow,open inode=1163295 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(08/17/2011 10:06:46.243:548) : cwd=/etc
type=EXECVE msg=audit(08/17/2011 10:06:46.243:548) : argv[0]="less" argv[1]="passwd"
type=SYSCALL msg=audit(08/17/2011 10:06:46.243:548) : arch=i386 syscall=execve success=yes exit=0 a0=8b53850 a1=8b66e50 a2=8b54a80 a3=8b66e50 items=2 pid=13051 auid=jplee3 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=cat exe=/bin/cat
----

I had to run ausearch -i in order to find this event. I'm assuming auditd logs a single event over multiple lines in this case, where I was accessing the passwd file in /etc via "less". My username is on the following line, however, and I'd like to be able to grab that information.

I created a simple OSSEC rule to alert me when I see "passwd" (i.e. <match>passwd</match>), but how can I get the username from the next line(s)? I suppose I could run "ausearch -i | grep -A3 passwd" as a full command, but the whole point of this is to be 'real-time'.

Anyone have any ideas on how to do this?

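One way to do the correlation the question asks about, as an added example that is neither OSSEC code nor part of auditd: group the records by the msg=audit(<time>:<serial>) key they all share, and when any record of an event contains the string of interest, report the auid (login uid) and uid from that event's SYSCALL record. It assumes input in the `ausearch -i` line format; the sample lines at the bottom are constructed for the demo and modelled on the event in the post, plus one unrelated event to show that non-matching events are ignored.

```python
#!/usr/bin/env python3
"""Correlate the records of one auditd event and pull out the user.

Added example for the question above; not OSSEC code and not an auditd
tool.  Input is assumed to be `ausearch -i` output, one record per line:
type=<TYPE> msg=audit(<time>:<serial>) : key=value key=value ...
"""
import re
import sys
from collections import OrderedDict

# Every record of one audit event carries the same msg=audit(<time>:<serial>)
# key; the serial is what ties a SYSCALL record to its PATH/EXECVE/CWD records.
# The non-greedy time match copes with the colons in interpreted timestamps.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<time>.+?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$"
)
# key=value pairs; values are either double-quoted (argv[0]="less") or bare tokens.
FIELD_RE = re.compile(r'([\w\[\]]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return ((time, serial), type, fields) for one line, or None if it is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return (m.group("time"), m.group("serial")), m.group("type"), fields


def group_events(lines):
    """Group records by their (time, serial) key, preserving arrival order."""
    events = OrderedDict()
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        key, rtype, fields = parsed
        events.setdefault(key, []).append((rtype, fields))
    return events


def correlate(lines, needle):
    """Return one alert dict per event in which any record's value contains `needle`.

    auid is the login uid (it survives su/sudo, so it names the real person);
    uid is the identity the process was running as at the time of the syscall.
    """
    alerts = []
    for (time, serial), records in group_events(lines).items():
        matched = [rtype for rtype, fields in records
                   if any(needle in v for v in fields.values())]
        if not matched:
            continue
        syscall = next((f for t, f in records if t == "SYSCALL"), {})
        execve = next((f for t, f in records if t == "EXECVE"), {})
        # argv[N] keys sorted numerically so argv[10] does not sort before argv[2]
        argv_keys = sorted((k for k in execve if k.startswith("argv[")),
                           key=lambda k: int(k[5:-1]))
        alerts.append({
            "serial": serial,
            "time": time,
            "auid": syscall.get("auid"),
            "uid": syscall.get("uid"),
            "exe": syscall.get("exe"),
            "argv": [execve[k] for k in argv_keys],
            "matched_records": matched,
        })
    return alerts


# Constructed sample: event 548 is modelled on the post, event 549 is an
# unrelated command by another user and must not produce an alert.
SAMPLE = """\
type=PATH msg=audit(08/17/2011 10:06:46.243:548) : name=/bin/cat flags=follow,open inode=1163295 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(08/17/2011 10:06:46.243:548) : cwd=/etc
type=EXECVE msg=audit(08/17/2011 10:06:46.243:548) : argv[0]="less" argv[1]="passwd"
type=SYSCALL msg=audit(08/17/2011 10:06:46.243:548) : arch=i386 syscall=execve success=yes exit=0 a0=8b53850 a1=8b66e50 a2=8b54a80 a3=8b66e50 items=2 pid=13051 auid=jplee3 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=cat exe=/bin/cat
type=CWD msg=audit(08/17/2011 10:07:01.100:549) : cwd=/home/alice
type=EXECVE msg=audit(08/17/2011 10:07:01.100:549) : argv[0]="ls" argv[1]="-l"
type=SYSCALL msg=audit(08/17/2011 10:07:01.100:549) : arch=i386 syscall=execve success=yes exit=0 items=2 pid=13060 auid=alice uid=alice gid=alice comm=ls exe=/bin/ls
"""


def main():
    needle = sys.argv[1] if len(sys.argv) > 1 else "passwd"
    # Read piped input when there is some (e.g. `ausearch -i | ...`), else the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for a in correlate(source, needle):
        print(f"event {a['serial']} at {a['time']}: auid={a['auid']} uid={a['uid']} "
              f"exe={a['exe']} argv={' '.join(a['argv'])} "
              f"(matched in {', '.join(a['matched_records'])})")


if __name__ == "__main__":
    main()
```

Run as `ausearch -i | python3 auditcorrelate.py passwd` to get one line per matching event with the auid attached; the point of keying on auid rather than uid is exactly the post's situation, where uid=root tells you nothing about who typed the command but auid still carries the login name.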