On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote:
> On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote:
> > I use a proprietary ELK-like system based on ausearch's -i option. I would
> > like to see some variant outputs from ausearch that "packages" events into
> > parse-friendly formats (json, xml) that also incorporates the local
> > transformations Steve proposes. I believe this would be the most generic
> > solution to support centralised log management.
> >
> > I am travelling now, but can write up a specification for review next week.
>
> Yes, please do send something to the mail list for people to look at and
> comment on.

All,
To reiterate, my need is to generate easy to parse events over which local
interpretation has been applied, retaining raw input to some of the
interpretations if required. I want to then transmit the complete interpreted
event to my central event repository.

My proposal is that ausearch gains the following 'interpreted output' options

  --Xo plain|json|xml
        generate plain (cf --interpret), xml or json formatted events

  --Xr key_a'+'key_b'+'key_c
        include raw value for given keys using the new key __r_key_a,
        __r_key_b, etc. The special key __all__ is interpreted to retain the
        complete raw record. If the raw value has no interpreted value, then
        we will end up with two keys with the same value.

I have attached the XSD from which the XML and JSON formats could be defined.

The following provides some examples.

For the raw event (on a system recording execve's and with name_format = fqd
configured)

node=fedora23.a1959.org type=SYSCALL msg=audit(1450409042.880:61882): arch=c000003e syscall=59 success=yes exit=0 a0=561c5e714d60 a1=561c5e6dbb90 a2=561c5e630920 a3=561c5e6dbb80 items=2 ppid=27269 pid=29282 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="ausearch" exe="/usr/sbin/ausearch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="cmds"
node=fedora23.a1959.org type=EXECVE msg=audit(1450409042.880:61882): argc=4 a0="ausearch" a1="-i" a2="-if" a3="/var/log/audit/audit.log"
node=fedora23.a1959.org type=CWD msg=audit(1450409042.880:61882): cwd="/home/burn/audit-2.4.4_debug_fix"
node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=0 name="/sbin/ausearch" inode=134573468 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=134397639 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67

Running ausearch with the proposed changes becomes, for --Xo plain

node=fedora23.a1959.org type=PROCTITLE msg=audit(12/18/2015 14:24:02.880:61882) : proctitle=ausearch -i -if /var/log/audit/audit.log
node=fedora23.a1959.org type=PATH msg=audit(12/18/2015 14:24:02.880:61882) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=134397639 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=PATH msg=audit(12/18/2015 14:24:02.880:61882) : item=0 name=/sbin/ausearch inode=134573468 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=fedora23.a1959.org type=CWD msg=audit(12/18/2015 14:24:02.880:61882) : cwd=/home/burn/audit-2.4.4_debug_fix
node=fedora23.a1959.org type=EXECVE msg=audit(12/18/2015 14:24:02.880:61882) : argc=4 a0=ausearch a1=-i a2=-if a3=/var/log/audit/audit.log
node=fedora23.a1959.org type=SYSCALL msg=audit(12/18/2015 14:24:02.880:61882) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561c5e714d60 a1=0x561c5e6dbb90 a2=0x561c5e630920 a3=0x561c5e6dbb80 items=2 ppid=27269 pid=29282 auid=burn uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=ausearch exe=/usr/sbin/ausearch subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=cmds

and, for --Xo xml

<event>
  <node>fedora23.a1959.org</node>
  <time>2015-12-18T14:24:02.880+11:00</time>
  <serial>1450409042.880:61882</serial>
  <records>
    <record>
      <type>PROCTITLE</type>
      <data name="proctitle" value="ausearch -i -if /var/log/audit/audit.log" />
    </record>
    <record>
      <type>PATH</type>
      <data name="item" value="1" />
      <data name="name" value="/lib64/ld-linux-x86-64.so.2" />
      <data name="inode" value="134397639" />
      <data name="dev" value="fd:00" />
      ...
      <data name="nametype" value="NORMAL" />
    </record>
    ...
    <record>
      <type>SYSCALL</type>
      <data name="arch" value="x86_64" />
      <data name="syscall" value="execve" />
      ...
      <data name="subj" value="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" />
      <data name="key" value="cmds" />
    </record>
  </records>
</event>

and, for --Xo json

{
  "event": {
    "node": "fedora23.a1959.org",
    "time": "2015-12-18T14:24:02.880+11:00",
    "serial": "1450409042.880:61882",
    "records": {
      "record": [
        {
          "type": "PROCTITLE",
          "data": {
            "_name": "proctitle",
            "_value": "ausearch -i -if /var/log/audit/audit.log"
          }
        },
        {
          "type": "PATH",
          "data": [
            { "_name": "item", "_value": "1" },
            { "_name": "name", "_value": "/lib64/ld-linux-x86-64.so.2" },
            { "_name": "inode", "_value": "134397639" },
            { "_name": "dev", "_value": "fd:00" },
            ...
            { "_name": "nametype", "_value": "NORMAL" }
          ]
        },
        ...
        {
          "type": "SYSCALL",
          "data": [
            { "_name": "arch", "_value": "x86_64" },
            { "_name": "syscall", "_value": "execve" },
            ...
            { "_name": "subj", "_value": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" },
            { "_name": "key", "_value": "cmds" }
          ]
        }
      ]
    }
  }
}

Specifying --Xr __all__ does nothing for plain, but for xml adds a raw element
within each record, as per

  ...
  <records>
    <record>
      <type>PROCTITLE</type>
      <raw>node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67</raw>
      ...
    </record>
    <record>
      <type>PATH</type>
      <raw>node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=134397639 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL</raw>
      ...

and for json adds a raw key within each record, as per

      "record": [
        {
          "type": "PROCTITLE",
          "raw": "node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67",
          "data": {
            "_name": "proctitle",
            "_value": "ausearch -i -if /var/log/audit/audit.log"
          }
        },
        {
          "type": "PATH",
          "raw": "node=fedora23.a1959.org type=PATH msg=audit(1450409042.880:61882): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=134397639 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL",
          "data": [
            {
            ...

And if you want arbitrary raw key values as well as their interpreted value,
then provide a '+' separated list of keys. For example, --Xr auid|syscall|a2
applied to the following raw record

node=fedora23.a1959.org type=SYSCALL msg=audit(1450410618.410:62231): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=562de17c80f0 a2=1e8 a3=fffff3ff items=1 ppid=27269 pid=29705 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"

for --Xo plain, we get

node=fedora23.a1959.org type=SYSCALL msg=audit(12/18/2015 14:50:18.410:62231) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xffffffffffffff9c a1=0x562de17c80f0 a2=0750 a3=0xfffff3ff items=1 ppid=27269 pid=29705 auid=burn uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=chmod exe=/usr/bin/chmod subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=perm_mod __r_syscall=268 __r_auid=1000 __r_a2=1e8

for --Xo xml

  ...
  <data name="syscall" value="fchmodat" />
  ...
  <data name="key" value="perm_mod" />
  <data name="__r_syscall" value="268" />
  <data name="__r_auid" value="1000" />
  <data name="__r_a2" value="1e8" />

for --Xo json

  ...
  { "_name": "syscall", "_value": "fchmodat" },
  ...
  { "_name": "key", "_value": "perm_mod" },
  { "_name": "__r_syscall", "_value": "268" },
  { "_name": "__r_auid", "_value": "1000" },
  { "_name": "__r_a2", "_value": "1e8" }
]
ausearch.xsd
Description: XML document
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
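As an added illustration of the packaging the proposal above describes (this is example code written for this page, not ausearch's own implementation and not the XSD attached to the mail), the script below parses the raw records of one audit event into the proposed event/record/data structure, applies the --Xr semantics (__all__ keeps the whole raw record per record; named keys add __r_<key> items), and serialises the same structure as the proposed XML. The interpretation step is deliberately a stub: it only carries the mappings the mail's own output confirms (arch c000003e = x86_64, syscall 59 = execve and 268 = fchmodat on that arch, hex-decoded proctitle) and passes every other value through unquoted; uid/gid name lookup and mode decoding are assumed to be done by the local system. Two deliberate differences from the mail's JSON sample: the time element is emitted in UTC rather than local time, and "data" is always a list, even for a single-field record. The sample records and the mapping tables are constructed for this example.

```python
# Added example (not ausearch's code): package raw audit records into the
# proposed event/record/data structure with --Xr raw-retention semantics.
# Interpretation is a stub limited to mappings confirmed by this thread.
import re
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample: three records of the execve event quoted in this mail.
RAW_EVENT = [
    'node=fedora23.a1959.org type=SYSCALL msg=audit(1450409042.880:61882): '
    'arch=c000003e syscall=59 success=yes exit=0 a0=561c5e714d60 a1=561c5e6dbb90 '
    'a2=561c5e630920 a3=561c5e6dbb80 items=2 ppid=27269 pid=29282 auid=1000 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 '
    'comm="ausearch" exe="/usr/sbin/ausearch" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="cmds"',
    'node=fedora23.a1959.org type=EXECVE msg=audit(1450409042.880:61882): '
    'argc=4 a0="ausearch" a1="-i" a2="-if" a3="/var/log/audit/audit.log"',
    'node=fedora23.a1959.org type=PROCTITLE msg=audit(1450409042.880:61882): '
    'proctitle=6175736561726368002D69002D6966002F7661722F6C6F672F61756469742F61756469742E6C6F67',
]

HEADER_RE = re.compile(
    r'^node=(?P<node>\S+) type=(?P<type>\S+) msg=audit\((?P<serial>[^)]+)\):\s*(?P<body>.*)$')
# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Mappings confirmed by the examples in this thread only (not a full syscall table).
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_NAMES = {"c000003e": {"59": "execve", "268": "fchmodat"}}


def interpret(rtype, name, value, fields):
    """Return the interpreted form of one field, or the raw value if unknown."""
    if name == "arch":
        return ARCH_NAMES.get(value, value)
    if name == "syscall":
        return SYSCALL_NAMES.get(fields.get("arch"), {}).get(value, value)
    if rtype == "PROCTITLE" and name == "proctitle":
        # proctitle is hex-encoded argv with NUL separators
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    return value


def parse_record(line):
    """Split one raw record into (node, type, serial, {key: unquoted value})."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return m.group("node"), m.group("type"), m.group("serial"), fields


def serial_to_utc(serial):
    """'1450409042.880:61882' -> ISO-8601 UTC timestamp with millisecond precision."""
    sec, msec = serial.split(":")[0].split(".")
    stamp = datetime.fromtimestamp(int(sec), tz=timezone.utc)
    return stamp.strftime("%Y-%m-%dT%H:%M:%S") + "." + msec + "+00:00"


def package_event(lines, raw_keys=()):
    """Build the proposed JSON structure for the records of a single event.

    raw_keys mirrors --Xr: '__all__' adds a 'raw' member to every record; any
    other key present in a record adds a '__r_<key>' item with the raw value.
    """
    node = serial = None
    records = []
    for line in lines:
        n, rtype, s, fields = parse_record(line)
        node, serial = node or n, serial or s
        if (n, s) != (node, serial):
            raise ValueError("record belongs to a different event: %r" % line)
        data = [{"_name": k, "_value": interpret(rtype, k, v, fields)}
                for k, v in fields.items()]
        for k in raw_keys:
            if k != "__all__" and k in fields:
                data.append({"_name": "__r_" + k, "_value": fields[k]})
        rec = {"type": rtype}
        if "__all__" in raw_keys:
            rec["raw"] = line
        rec["data"] = data  # always a list, even for single-field records
        records.append(rec)
    return {"event": {"node": node, "time": serial_to_utc(serial), "serial": serial,
                      "records": {"record": records}}}


def to_xml(packaged):
    """Serialise a packaged event as the XML form proposed in the mail."""
    ev = packaged["event"]
    root = ET.Element("event")
    for tag in ("node", "time", "serial"):
        ET.SubElement(root, tag).text = ev[tag]
    recs = ET.SubElement(root, "records")
    for rec in ev["records"]["record"]:
        r = ET.SubElement(recs, "record")
        ET.SubElement(r, "type").text = rec["type"]
        if "raw" in rec:
            ET.SubElement(r, "raw").text = rec["raw"]
        for d in rec["data"]:
            ET.SubElement(r, "data", name=d["_name"], value=d["_value"])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import json
    print(json.dumps(package_event(RAW_EVENT, ("__all__", "syscall", "auid")), indent=2))
    print(to_xml(package_event(RAW_EVENT, ("a2",))))
```

Running it prints the JSON for the sample event with the whole raw record retained plus __r_syscall=59 and __r_auid=1000 on the SYSCALL record, followed by the XML form with __r_a2 on both the SYSCALL and EXECVE records. A key named in raw_keys that a record does not carry is simply skipped for that record, and records whose node or serial differ from the first one are rejected rather than silently merged, which is the check a collector needs before it trusts the event boundary.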