From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Wojtczak Arkadiusz <arkadiusz.wojtczak@pkobp.pl>
Subject: Re: Audit/Auditd/Audispd documentation
Date: Thu, 13 Nov 2014 10:15:51 -0500
Message-ID: <1607221.nGWIAH2cY9@x2>
In-Reply-To: <4E8FFAAD447BD2478D75C4FAC3BD2CBF53CC98CB@M30SIEEXMX02.bank.ad.pkobp.pl>
On Thursday, November 13, 2014 02:20:02 PM Wojtczak Arkadiusz wrote:
> I've been searching for Audit documentation and stumbled upon the following
> conversation:
> http://www.redhat.com/archives/linux-audit/2006-September/msg00081.html
>
> Has anything changed since 2006?
Yes, there is a little more documentation and sample code.
> I need to write a set of rules to correlate audit events from many systems.
> The following information would be very useful:
>
> 1) Event formats - What fields will be generated for particular event
> type?
Doesn't exist. What I have been doing is using ausearch-test to collect
events. From that you can look through them.
> Which fields are common to all event types?
The audit events have to meet common criteria requirements which asks for
date, time, subject, object, action, outcome. Each event has that somewhere.
Generally the events have auid as the subject, the object varies based on what
kind of event it is, the action is generally the type of event except syscalls
- which the key that may be added serves as the action, the outcome is either
success, res, or results.
> What type of data will be in those fields (binary/encoded/ASCII/UNICODE)?
> What do those fields describe?
I have created a mapping here:
http://people.redhat.com/sgrubb/audit/audit-events.txt
This document describes all known fields.
> 2) For all event types - a description of when (in what circumstances)
> events of this type are generated
Doesn't exist. There are over 150 kinds of events. Some are deprecated, some
are not. The best description for what they are is in the header file for the
kernel and libaudit.
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/audit.h?id=refs/tags/v3.18-rc4#n30
https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L40
Also, I have been writing some specifications around when and why certain
events are created:
http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt
http://people.redhat.com/sgrubb/audit/audit-state-diagram.png
I have another around logins that is in development and have another around
virt/containers in works.
> 3) How do DAC event types relate to AVC (which fields are common,
> which are not)
The AVCs are created by a whole different community for their own needs. They
more or less conform to the recommended style. If you have auditing enabled,
you should also get a syscall record with the AVC. But if auditing is not
enabled, then you won't.
For DAC events, you get a syscall record. You have to specify what events you
are interested in by the rules. I'd recommend the stig.rules as the best
starting point.
-Steve
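As an added illustration of the mapping Steve describes (this is not code from the thread or from the audit project), the script below groups records by event serial and derives the common fields from each event: time, subject (auid), action (the record type, or the rule key for syscalls) and outcome (success=, res= or result=). For an AVC it takes the subject and outcome from the accompanying SYSCALL record, as the reply notes it will be present when auditing is enabled. The sample records are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records, not real logs. Serial 101 is an AVC denial with the
# SYSCALL record that accompanies it when auditing is enabled; 102 is a login;
# 103 is a syscall matched by a rule whose key names the action.
SAMPLE = """\
type=AVC msg=audit(1415888400.100:101): avc:  denied  { read } for  pid=2222 comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1415888400.100:101): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1 pid=2222 auid=4294967295 uid=48 gid=48 ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=USER_LOGIN msg=audit(1415888460.200:102): pid=3333 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1415888520.300:103): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3333 pid=4444 auid=1000 uid=1000 gid=1000 ses=7 comm="cat" exe="/usr/bin/cat" key="etc-access"
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_record(line):
    """Split one raw record into its type, timestamp, serial and key=value fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = dict(FIELD.findall(body))
    inner = fields.get("msg", "")
    if inner.startswith("'"):  # USER_* records nest more fields inside msg='...'
        fields.update(FIELD.findall(inner.strip("'")))
    return {**fields, "type": rtype, "time": int(ts), "serial": int(serial)}

def normalize(lines):
    """Group records by serial and derive the common fields the reply lists:
    time, subject (auid), action (type, or the rule key for syscalls) and
    outcome (success=, res= or result=)."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        events[rec["serial"]].append(rec)
    summary = {}
    for serial, recs in events.items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        lead = syscall or recs[0]  # the SYSCALL record carries auid and success= for an AVC
        key = (syscall or {}).get("key", "(null)").strip('"')
        summary[serial] = {
            "time": lead["time"],
            "subject": lead.get("auid"),  # 4294967295 is the unset loginuid of a daemon
            "action": key if key != "(null)" else recs[0]["type"],
            "outcome": next((lead[f] for f in ("success", "res", "result") if f in lead), None),
            "records": [r["type"] for r in recs],
        }
    return summary

if __name__ == "__main__":
    for serial, ev in sorted(normalize(SAMPLE.splitlines()).items()):
        print(serial, ev)
```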