Hi Risto,

thank you for your previous help, and my apologies for disturbing you.

I had thought I understood how to build a new correlation for EXECVE
messages, but I have run into the next problem.

I'm receiving these messages in order: SYSCALL, EXECVE, CWD and PATH.

Depending on the activity, these messages can arrive in the following tuples:

1. SYSCALL, EXECVE, CWD and PATH.

For example:

type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
type=CWD msg=audit(1479314721.962:46624):  cwd="/var/log"
type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL

From the message type=EXECVE I need to extract the field argc and all fields
which start with A.
The field argc indicates how many arguments are described next.
The fields a[0-9]{1,} have the arguments quoted in "".

2. SYSCALL, CWD and PATH (the PATH with field item=1 is preferred).

For example:

type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576 pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1479314815.075:46733):  cwd="/etc/default"
type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE

So I can't find a way to make my config work like this. The way I think
to resolve this task is:

1. Wait for two messages: SYSCALL and EXECVE. If they match, produce a new
event SYSCALL + EXECVE; if not, produce only SYSCALL.

2. Correlate (SYSCALL + EXECVE or a single SYSCALL) with the CWD event and
produce an event.

3. Correlate (SYSCALL + EXECVE + CWD | SYSCALL + CWD) with the PATH event and
send it to the socket.


I have tried these rule types: PAIR, SINGLE, but no luck.

P.S. My previous EventGroup works well but causes some CPU load. That's why I
want to compare the workload for Pair rule types without contexts and with a
minimum of varmaps.

Wbr,
Nikolay
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
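The grouping described in the post (SYSCALL, optional EXECVE, CWD, then the PATH records), written out as a stand-alone Python correlator. This is an added example, not code from the post or from SEC: it joins records on the audit event id `timestamp:serial` that every record of one kernel event carries, uses the `items=N` count from the SYSCALL record to know when the last PATH has arrived (so the EXECVE record, which always precedes CWD and PATH, is either present or provably absent by then), extracts `argc` and `a0..aN` from EXECVE, and prefers the PATH record with `item=1`. The sample log is the two events quoted above, re-joined to one line per record; the `AuditCorrelator`, `execve_argv` and `correlate` names are my own. It also goes beyond the post in one respect: an unquoted `aN` value is decoded as auditd's hex encoding, which the daemon uses when an argument contains whitespace, quotes or non-printable bytes.

```python
import re

# Constructed sample input: the two audit events quoted in the post,
# each record re-joined onto a single line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479314721.962:46624): arch=c000003e syscall=59 success=yes exit=0 a0=1d69a20 a1=1d69eb0 a2=1d71f00 a3=7fffe789d4a0 items=2 ppid=25160 pid=25161 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=12 comm="file" exe="/usr/bin/file" key=(null)
type=EXECVE msg=audit(1479314721.962:46624): argc=3 a0="file" a1="-b" a2="audit/audit.log"
type=CWD msg=audit(1479314721.962:46624):  cwd="/var/log"
type=PATH msg=audit(1479314721.962:46624): item=0 name="/bin/file" inode=25305623 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1479314721.962:46624): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1813292 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1479314815.075:46733): arch=c000003e syscall=2 success=yes exit=4 a0=1e804e0 a1=200c2 a2=180 a3=3 items=2 ppid=16576 pid=25277 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=16 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1479314815.075:46733):  cwd="/etc/default"
type=PATH msg=audit(1479314815.075:46733): item=0 name="/etc/sec/" inode=37805 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1479314815.075:46733): item=1 name="/etc/sec/.auditd-sec.conf.swp" inode=37853 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value ...>
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# A value is either a double-quoted string or a run of non-blank characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into its type, event id parts and raw fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))   # values kept raw, quotes included
    return {"type": rtype, "ts": ts, "serial": serial, "fields": fields}


def unquote(raw):
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def execve_argv(fields):
    """argc says how many a<N> fields follow. A quoted value is literal; an
    unquoted value is auditd's hex encoding of an argument with special bytes."""
    argc = int(fields["argc"])
    argv = []
    for i in range(argc):
        raw = fields.get("a%d" % i)
        if raw is None:
            raise ValueError("EXECVE argc=%d but a%d is missing" % (argc, i))
        argv.append(unquote(raw) if raw.startswith('"')
                    else bytes.fromhex(raw).decode("utf-8", "replace"))
    return argv


class AuditCorrelator:
    """Collects records per event id and emits one merged event per kernel event."""

    def __init__(self):
        self.pending = {}

    def feed(self, line):
        rec = parse_record(line)
        if rec is None:
            return None
        eid = rec["ts"] + ":" + rec["serial"]
        ev = self.pending.setdefault(eid, {"records": [], "paths": []})
        ev["records"].append(rec)
        if rec["type"] == "PATH":
            ev["paths"].append(rec["fields"])
        if self._complete(ev):
            del self.pending[eid]
            return self._merge(eid, ev)
        return None

    @staticmethod
    def _complete(ev):
        # Complete once all items=N PATH records are in (assumption: an event
        # with items=0 is complete as soon as its SYSCALL record is seen).
        sc = next((r["fields"] for r in ev["records"] if r["type"] == "SYSCALL"), None)
        return sc is not None and len(ev["paths"]) >= int(sc.get("items", "0"))

    @staticmethod
    def _merge(eid, ev):
        by_type = {r["type"]: r["fields"] for r in ev["records"] if r["type"] != "PATH"}
        sc = by_type["SYSCALL"]
        paths = sorted(ev["paths"], key=lambda f: int(f["item"]))
        # Prefer item=1 as the post does; otherwise take the last item present.
        chosen = next((p for p in paths if p["item"] == "1"), paths[-1] if paths else None)
        return {
            "event_id": eid,
            "syscall": sc.get("syscall"), "success": sc.get("success"),
            "pid": sc.get("pid"), "auid": sc.get("auid"), "uid": sc.get("uid"),
            "comm": unquote(sc.get("comm", "")), "exe": unquote(sc.get("exe", "")),
            "cwd": unquote(by_type["CWD"]["cwd"]) if "CWD" in by_type else None,
            "argv": execve_argv(by_type["EXECVE"]) if "EXECVE" in by_type else None,
            "path": unquote(chosen["name"]) if chosen else None,
            "path_objtype": chosen.get("objtype") if chosen else None,
        }


def correlate(text):
    """Run the correlator over a block of audit lines and return merged events."""
    c = AuditCorrelator()
    return [e for e in (c.feed(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG):
        print(event)
```

Joining on the event id rather than on arrival order is what makes the optional EXECVE record harmless: the first event above merges to argv ["file", "-b", "audit/audit.log"] with cwd /var/log, while the second has argv None and the item=1 path /etc/sec/.auditd-sec.conf.swp with objtype CREATE. The same two observations carry over to a SEC rule set: match on the `(ts:serial)` id in the pattern, and count PATH records against `items=` instead of waiting for a record type that may never arrive.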