public inbox for linux-audit@redhat.com
* Audit/Auditd/Audispd documentation
@ 2014-11-13 14:20 Wojtczak Arkadiusz
  2014-11-13 14:37 ` Richard Guy Briggs
  2014-11-13 15:15 ` Steve Grubb
  0 siblings, 2 replies; 3+ messages in thread
From: Wojtczak Arkadiusz @ 2014-11-13 14:20 UTC (permalink / raw)
  To: linux-audit@redhat.com



Hi,
I've been searching for Audit documentation and stumbled upon the following conversation:
http://www.redhat.com/archives/linux-audit/2006-September/msg00081.html

Has anything changed since 2006?
I need to write a set of rules to correlate audit events from many systems. The following information would be very useful:

1)       Event formats - What fields will be generated for a particular event type? Which fields are common to all event types? What type of data will be in those fields (binary/encoded/ASCII/UNICODE)? What do those fields describe?

2)       For all event types - a description of when (in what circumstances) events of this type are generated

3)       How do DAC event types relate to AVC (which fields are common, which are not)?

Best regards,
Arkadiusz Wojtczak
Expert


PKO Bank Polski
Departament Bezpieczeństwa
Biuro Bezpieczeństwa Informatycznego
02-515 Warszawa, ul. Puławska 15
t: 22 521 68 80
k: 666 824 168

Do not print this message, or any other documents, unless it is necessary.

Powszechna Kasa Oszczędności Bank Polski S.A. registered in the District Court for the Capital City of Warsaw, 13th Commercial Division of the National Court Register under KRS number 0000026438, Tax Identification Number (NIP): 525-000-77-38, REGON: 016298263, share capital 1,250,000,000 PLN.

This message may contain confidential and privileged communication between our Company and a Client. If you are not the intended recipient, you are hereby notified that you have received this message in error; any review, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete the original.







* Re: Audit/Auditd/Audispd documentation
  2014-11-13 14:20 Audit/Auditd/Audispd documentation Wojtczak Arkadiusz
@ 2014-11-13 14:37 ` Richard Guy Briggs
  2014-11-13 15:15 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2014-11-13 14:37 UTC (permalink / raw)
  To: Wojtczak Arkadiusz; +Cc: linux-audit@redhat.com

On 14/11/13, Wojtczak Arkadiusz wrote:
> Hi,
> I've been searching for Audit documentation and stumbled upon the following conversation:
> http://www.redhat.com/archives/linux-audit/2006-September/msg00081.html
> 
> Has anything changed since 2006?

Just recently, Steve Grubb has published this document, which outlines
the desired format of audit log records with the aim of having it
included in the kernel source Documentation tree:

	http://people.redhat.com/sgrubb/audit/audit-parse.txt

The existing records do not all follow this specification.  There are
efforts to correct this, but some would break long-used parsers.

There have been several other discussions recently (last month or two)
that talk about specific and general issues.  I'll let Steve answer in a
bit more detail.

> I need to write a set of rules to correlate audit events from many systems. The following information would be very useful:
> 
> 1)       Event formats - What fields will be generated for a particular event type? Which fields are common to all event types? What type of data will be in those fields (binary/encoded/ASCII/UNICODE)? What do those fields describe?
> 
> 2)       For all event types - a description of when (in what circumstances) events of this type are generated
> 
> 3)       How do DAC event types relate to AVC (which fields are common, which are not)?
> 
> Best regards,
> Arkadiusz Wojtczak

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545


* Re: Audit/Auditd/Audispd documentation
  2014-11-13 14:20 Audit/Auditd/Audispd documentation Wojtczak Arkadiusz
  2014-11-13 14:37 ` Richard Guy Briggs
@ 2014-11-13 15:15 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2014-11-13 15:15 UTC (permalink / raw)
  To: linux-audit; +Cc: Wojtczak Arkadiusz

On Thursday, November 13, 2014 02:20:02 PM Wojtczak Arkadiusz wrote:
> I've been searching for Audit documentation and stumbled upon the following
> conversation:
> http://www.redhat.com/archives/linux-audit/2006-September/msg00081.html
> 
> Has anything changed since 2006?

Yes, there is a little more documentation and sample code.

> I need to write a set of rules to correlate audit events from many systems.
> The following information would be very useful:
> 
> 1)       Event formats - What fields will be generated for a particular event
> type?

Doesn't exist. What I have been doing is using ausearch-test to collect 
events. From that you can look through them.

> Which fields are common to all event types?

The audit events have to meet common criteria requirements, which ask for 
date, time, subject, object, action, outcome. Each event has that somewhere. 
Generally the events have auid as the subject, the object varies based on what 
kind of event it is, the action is generally the type of event except for syscalls, 
where the key that may be added serves as the action, and the outcome is either 
success, res, or results.


> What type of data will be in those fields (binary/encoded/ASCII/UNICODE)?
> What do those fields describe?

I have created a mapping here:

http://people.redhat.com/sgrubb/audit/audit-events.txt

This document describes all known fields.

> 2)       For all event types - a description of when (in what circumstances)
> events of this type are generated

Doesn't exist. There are over 150 kinds of events. Some are deprecated, some 
are not. The best description for what they are is in the header file for the 
kernel and libaudit.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/audit.h?id=refs/tags/v3.18-rc4#n30
https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L40

Also, I have been writing some specifications around when and why certain 
events are created:

http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt
http://people.redhat.com/sgrubb/audit/audit-state-diagram.png

I have another around logins that is in development and have another around 
virt/containers in works.


> 3)       How do DAC event types relate to AVC (which fields are common,
> which are not)?

The AVCs are created by a whole different community for their own needs. They 
more or less conform to the recommended style. If you have auditing enabled, 
you should also get a syscall record with the AVC. But if auditing is not 
enabled, then you won't.

For DAC events, you get a syscall record. You have to specify what events you 
are interested in by the rules. I'd recommend the stig.rules as the best 
starting point.

-Steve
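As an added example (not code from the thread or from the audit project), the mapping Steve describes above applied to constructed records: records are grouped by their audit event id (timestamp:serial), auid is taken as the subject, the key (or, for non-syscall records, the record type) as the action, and success/res/results as the outcome; an AVC that arrives with no SYSCALL record in the same event is flagged, since that is what you get when syscall auditing is not enabled. The sample log lines and the `correlate` helper are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread): a DAC denial that
# produced a SYSCALL record plus its AVC, and a separate login event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1415888402.123:4567): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="access"
type=AVC msg=audit(1415888402.123:4567): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev="sda1" ino=131 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_LOGIN msg=audit(1415888450.001:4570): pid=2000 uid=0 auid=1000 ses=6 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
"""
HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
PAIR = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_fields(body):
    """Split a record body into key=value pairs; a nested msg='...' block is flattened."""
    fields = {}
    for key, value in PAIR.findall(body):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields

def parse_record(line):
    m = HEADER.match(line)  # None for lines that are not audit records
    if not m:
        return None
    return {"type": m["type"], "event_id": f"{m['ts']}:{m['serial']}",
            "fields": parse_fields(m["body"])}

def summarize(event):
    """Subject = auid, action = key for syscalls else record type, outcome = success/res/results."""
    types = [r["type"] for r in event]
    # reversed() so the first record (the SYSCALL record, when present) wins on duplicate keys
    merged = {k: v for r in reversed(event) for k, v in r["fields"].items()}
    if "SYSCALL" in types:
        action = merged.get("key") or "syscall=" + merged.get("syscall", "?")
    else:
        action = types[0]
    outcome = next((merged[k] for k in ("success", "res", "results") if k in merged), "?")
    return {"subject": merged.get("auid", "?"), "action": action, "outcome": outcome,
            "records": types, "avc_only": "AVC" in types and "SYSCALL" not in types}  # syscall auditing off

def correlate(log_text):
    """Group records by audit event id (timestamp:serial) and summarize each event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]].append(rec)
    return {eid: summarize(recs) for eid, recs in events.items()}
```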

