hi Nikolay,

hopefully my e-mail is not too confusing, but I've played a little bit
with linux auditd logs today and checked their format. At least on my
laptop, it appears that the messages are always consecutive. In other
words, the messages with the same timestamp and eventID (the value
that is present in the msg=audit(...) field) are not interleaved with
messages that have different timestamps and eventIDs. I'm not sure you
have the same situation, but if your auditd logs share the same
property I have observed, I would not write event correlation rules
for joining lines together, but would do it with multiline patterns.

One possible strategy is the following: 1) normalize multiline auditd
messages into single-line messages, so that for each (timestamp,
eventID) tuple there is only one line, 2) write the rest of your rules
for the single-line format.

Let me illustrate this strategy with the following simple rules:

# normalize multiline auditd events
# join two last lines in the input buffer if their timestamps and
# event ID's are identical
# (note that this rule will keep joining lines in sec input buffer
# until a line appears that has different timestamp and/or event ID)
# Please note that the backreference construct \2 refers to data
# previously matched by ([\d:.]+)

type=Single
ptype=RegExp2
pattern=^(type=\w+ msg=audit\(([\d:.]+)\):.*)\n(type=\w+ msg=audit\(\2\).*)
context=!AUDIT
desc=join two last lines in input buffer if their ID's are identical
action=rewrite 2 $1 $3

# normalize multiline auditd events
# after we have seen a line that has different timestamp and/or event ID,
# generate a synthetic event from all lines that have been joined previously

type=Single
ptype=RegExp2
pattern=^(type=\w+ msg=audit\([\d:.]+\):.+)\n
context=!AUDIT
desc=generate a synthetic event for normalized auditd message
action=cevent AUDIT 0 $1

# a simplistic example rule for processing normalized auditd events

type=Single
ptype=RegExp
pattern=^type=SYSCALL .* syscall=(?<syscall>\d+) .* type=CWD .* cwd="(?<cwd>.+?)" type=PATH .* name="(?<name>.+?)" (?:inode|objtype)=
context=AUDIT
desc=process the normalized audit event
action=write test.log $+{syscall} $+{cwd} $+{name}


Apart from the above strategy, you could just write a couple of RegExp4
and RegExp5 rules for handling all combinations of event sequences,
provided that the number of such combinations is reasonable. Please
make sure you are using backreferences to match the repeated
occurrence of the same timestamp and event ID, in order to match
multiple lines that indeed belong together. If you are worried about
performance, I would suggest benchmarking both approaches against your
input data (let sec run for a while and check its CPU consumption with
the SIGUSR1 signal).

Last note -- if messages that represent the same auditd event are
*not* consecutive and other lines can randomly appear in between these
messages, the above techniques will not work, and augmenting my
previous suggestion with one PairWithWindow rule might be a better
option.

kind regards,
risto

2016-11-18 22:53 GMT+02:00 Nikolay Srebniuk
<nikolay.srebn...@tonicforhealth.com>:
> Hi Risto,
>
> thank you for the previous help and my apologies for disturbing you.
>
> I had thought I understood how to build a new correlation for EXECVE messages.
> But now I am facing the next problem.
>
> I'm receiving these messages in order: SYSCALL, EXECVE, CWD and PATH.
>
> Depending on the activity, these messages can arrive in such tuples:
>
> 1. SYSCALL, EXECVE, CWD and PATH.
>
> For example:
>
> type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
> type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
> type=CWD msg=audit(1479314721.962:46624):  cwd="/var/log"
> type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
> type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
>
> From the message type=EXECVE I need to extract the field argc and all fields which
> start with A.
> The field argc indicates how many arguments are described next.
> Fields a[0-9]{1,} have the arguments quoted in "".
>
> 2. SYSCALL, CWD and PATH (PATH with field item=1 is preferred) .
>
> For example:
>
> type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576 pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
> type=CWD msg=audit(1479314815.075:46733):  cwd="/etc/default"
> type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
> type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
>
> So I can't find a way to make my config work in this way. The way I think
> to resolve this task is:
>
> 1. Wait for 2 messages: SYSCALL and EXECVE. If it matches then produce new
> event SYSCALL + EXECVE. If not then it produces only SYSCALL
>
> 2. Correlate ( SYSCALL+EXECVE or single SYSCALL ) with CWD event and produce
> event
>
> 3. Correlate ( SYSCALL+EXECVE + CWD | SYSCALL + CWD) with PATH event and
> send to socket.
>
>
> I have tried these rule types: PAIR, SINGLE, but no luck
>
> P.S. My previous EventGroup works well but makes some CPU load. That's why I
> want to compare the workload for Pair rule types without Contexts and with
> minimum varmaps.
>
> Wbr,
> Nikolay
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
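
Both the normalize-then-parse strategy Risto outlines above and the EXECVE argc/aN extraction Nikolay asks about in the quoted message can be prototyped outside SEC before the rules are written. The Python script below is an added example, not part of either message and not SEC's own code: group_records() applies the same "records of one event are consecutive" assumption as the two RegExp2 rules, normalize() reproduces the single-line form that rewrite 2 $1 $3 builds, and parse_event() pulls out syscall, cwd, the PATH names and the EXECVE arguments. The sample records are the ones quoted in the thread, each rejoined onto a single line, plus one constructed event whose a1 argument is hex-encoded; all function names and the field layout of the result dict are mine.

```python
import re

# Every auditd record starts with: type=<TYPE> msg=audit(<timestamp>:<serial>):
AUDIT_HDR_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
# key=value pairs in a record body; a value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit emits strings that contain spaces, quotes or control characters as bare hex
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

# Constructed sample: the two events quoted in the thread, each record rejoined onto
# one line, plus a third (made-up) event whose a1 argument is hex-encoded ("hello world").
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
type=CWD msg=audit(1479314721.962:46624):  cwd="/var/log"
type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576 pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1479314815.075:46733):  cwd="/etc/default"
type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=SYSCALL msg=audit(1479314900.000:46800): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=2 auid=1003 uid=0 comm="sh" exe="/bin/sh" key=(null)
type=EXECVE msg=audit(1479314900.000:46800): argc=3 a0="echo" a1=68656C6C6F20776F726C64 a2="x"
type=CWD msg=audit(1479314900.000:46800):  cwd="/tmp"
"""


def group_records(lines):
    """Group consecutive records sharing (timestamp, serial) into events.

    Same assumption as the two RegExp2 rules: all records of one event arrive
    back to back, so a record with a new key closes the previous event.
    Returns [((timestamp, serial), [(type, body, raw_line), ...]), ...].
    """
    events = []
    for line in lines:
        m = AUDIT_HDR_RE.match(line.strip())
        if not m:
            continue  # blank or non-audit line
        rtype, ts, serial, body = m.groups()
        key = (ts, serial)
        if events and events[-1][0] == key:
            events[-1][1].append((rtype, body, line.strip()))
        else:
            events.append((key, [(rtype, body, line.strip())]))
    return events


def normalize(lines):
    """Single-line form equivalent to what 'rewrite 2 $1 $3' builds in SEC:
    the raw records of one event concatenated with a single space."""
    return [' '.join(raw for _t, _b, raw in recs) for _key, recs in group_records(lines)]


def fields(body):
    """Map key -> raw value (quotes kept) for one record body."""
    return dict(KV_RE.findall(body))


def decode_string(value):
    """Audit string fields are "quoted", or bare hex when they contain spaces,
    quotes or non-printables; anything else (e.g. (null)) is returned as-is."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_RE.fullmatch(value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value


def parse_event(records):
    """Pull out what the example rule 3 writes (syscall, cwd, name) plus exe and
    the EXECVE argv asked for in the quoted question."""
    ev = {'syscall': None, 'exe': None, 'cwd': None, 'paths': [], 'argv': None}
    for rtype, body, _raw in records:
        f = fields(body)
        if rtype == 'SYSCALL':
            ev['syscall'] = int(f['syscall'])
            ev['exe'] = decode_string(f.get('exe', ''))
        elif rtype == 'CWD':
            ev['cwd'] = decode_string(f.get('cwd', ''))
        elif rtype == 'PATH':
            ev['paths'].append((int(f['item']), decode_string(f.get('name', '')), f.get('objtype')))
        elif rtype == 'EXECVE':
            # argc says how many a<N> fields follow; very long arguments are
            # chunked by audit as a<N>[0], a<N>[1], ... and are not reassembled here
            argc = int(f['argc'])
            ev['argv'] = [decode_string(f.get(f'a{i}', '')) for i in range(argc)]
    ev['paths'].sort()
    # the quoted question prefers the item=1 PATH record; keeping the highest
    # item number reproduces that choice for the sample events
    ev['target'] = ev['paths'][-1][1] if ev['paths'] else None
    return ev


if __name__ == '__main__':
    for key, recs in group_records(SAMPLE_LOG.splitlines()):
        ev = parse_event(recs)
        print(key, ev['syscall'], ev['cwd'], ev['target'], ev['argv'])
```

Like the SEC rules, this only works while an event's records are consecutive; if other lines can appear in between, the grouping key would have to be kept open for a while, which is the situation Risto's last paragraph points at. Note that audit hex-encodes any argument containing spaces, quotes or non-printable characters, so a pattern that only accepts a[0-9]+="..." silently drops exactly the arguments that tend to matter most in an investigation; decode_string() accepts both forms.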
