On 08/17/2011 01:14 PM, jplee3 wrote:
Hey all,

I was wondering if anyone working with the audit logs has come up with
a way to correlate actions/events to usernames.

This is an example of an event I'd be interested in correlating to a
user:

----
type=PATH msg=audit(08/17/2011 10:06:46.243:548) :  flags=follow,open inode=213007 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(08/17/2011 10:06:46.243:548) : name=/bin/cat flags=follow,open inode=1163295 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(08/17/2011 10:06:46.243:548) :  cwd=/etc
type=EXECVE msg=audit(08/17/2011 10:06:46.243:548) : argv[0]="less" argv[1]="passwd"
type=SYSCALL msg=audit(08/17/2011 10:06:46.243:548) : arch=i386 syscall=execve success=yes exit=0 a0=8b53850 a1=8b66e50 a2=8b54a80 a3=8b66e50 items=2 pid=13051 auid=jplee3 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=cat exe=/bin/cat

I am going to answer somewhat generally so this is applicable to more situations. When you want to correlate logs from multiple sources or events, of course you need a common denominator.

In this case, the ID is what ties these events together. So what you need to do is write your child rules based on the ID (same_id), then add another qualifier. So the password rule might be first, then you can write the child rule to match on something unique like exe=, along with same_id, then the alert should fire. Unfortunately, it will not give you both lines--just the one that finally alerted.

There are some other ways to do it, but perhaps this is all you need.
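An added example, not part of the thread or of any OSSEC rule set, showing the "common denominator" idea in plain Python: every record of one audit event carries the same msg=audit(timestamp:serial), so grouping on that serial lets you join the SYSCALL record (which holds auid, the login user) with the CWD, EXECVE and PATH records of the same event. The sample input is the five records quoted above, rejoined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample input: the five audit records quoted in the mail above,
# each rejoined onto a single line (the original mail wrapped them).
AUDIT_LOG = """\
type=PATH msg=audit(08/17/2011 10:06:46.243:548) :  flags=follow,open inode=213007 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(08/17/2011 10:06:46.243:548) : name=/bin/cat flags=follow,open inode=1163295 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(08/17/2011 10:06:46.243:548) :  cwd=/etc
type=EXECVE msg=audit(08/17/2011 10:06:46.243:548) : argv[0]="less" argv[1]="passwd"
type=SYSCALL msg=audit(08/17/2011 10:06:46.243:548) : arch=i386 syscall=execve success=yes exit=0 a0=8b53850 a1=8b66e50 a2=8b54a80 a3=8b66e50 items=2 pid=13051 auid=jplee3 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=cat exe=/bin/cat
"""

# Every record of one audit event shares msg=audit(<timestamp>:<serial>);
# the serial is the common denominator the reply refers to (same_id in OSSEC terms).
HEADER = re.compile(r'^type=(\w+) msg=audit\((.+):(\d+)\) :\s*(.*)$')
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def group_by_event(text):
    """Map audit serial -> list of (record type, {field: value})."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:          # not an audit record (e.g. a line wrapped by a mailer): skip it
            continue
        rtype, _ts, serial, body = m.groups()
        events[serial].append((rtype, dict(KV.findall(body))))
    return events


def correlate(text):
    """One summary per event: who (auid), as whom (uid), what ran, where, on what."""
    out = {}
    for serial, records in group_by_event(text).items():
        s = {'auid': None, 'uid': None, 'exe': None, 'cwd': None, 'argv': [], 'paths': []}
        for rtype, f in records:
            if rtype == 'SYSCALL':
                # auid is the login uid: it survives su/sudo, so auid=jplee3 with
                # uid=root tells you which person acted as root, not just "root".
                s['auid'], s['uid'], s['exe'] = f.get('auid'), f.get('uid'), f.get('exe')
            elif rtype == 'CWD':
                s['cwd'] = f.get('cwd')
            elif rtype == 'EXECVE':
                argv = [(int(k[5:-1]), v.strip('"')) for k, v in f.items() if k.startswith('argv[')]
                s['argv'] = [v for _, v in sorted(argv)]
            elif rtype == 'PATH' and 'name' in f:   # the first PATH record above carries no name=
                s['paths'].append(f['name'])
        out[serial] = s
    return out
```

Running correlate(AUDIT_LOG) yields a single event, 548, attributed to login user jplee3 acting as uid root, with cwd /etc and argv ['less', 'passwd'].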
