* commands in hex vs ASCII
@ 2016-10-04 13:46 Kevin Brown
  2016-10-04 14:00 ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Kevin Brown @ 2016-10-04 13:46 UTC (permalink / raw)
  To: linux-audit

Hello,

Is there an option within auditd to set whether commands are stored as hex
vs ASCII?

With the prevalence of SIEM these days, seems easier to keep the commands
as ASCII and not presume a person needs to have access to a local system to
run ausearch.

Have gone through the documentation but didn't see an answer.

Thanks


* Re: commands in hex vs ASCII
  2016-10-04 13:46 commands in hex vs ASCII Kevin Brown
@ 2016-10-04 14:00 ` Steve Grubb
  2016-10-04 14:11   ` William Roberts
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2016-10-04 14:00 UTC (permalink / raw)
  To: linux-audit; +Cc: Kevin Brown

Hello,

On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
> Is there an option within auditd to set whether commands are stored as hex
> vs ASCII?

No.
 
> With the prevalence of SIEM these days, seems easier to keep the commands
> as ASCII and not presume a person needs to have access to a local system to
> run ausearch.
> 
> Have gone through the documentation but didn't see an answer.

This is a design decision from way back around 2005. The problem is that a 
user can control certain things. If they want to evade detection or throw off 
naive analysis, then they can do log injection attacks by using spaces, legal 
field names, and carriage returns in fields controlled by the user. Simple 
parsers will be tricked.

There is some work currently going on wrt formatting output differently. In a 
way I'd rather see some plugins created using libauparse that present the 
information to the siem in a format that it won't naively parse.

-Steve


* Re: commands in hex vs ASCII
  2016-10-04 14:00 ` Steve Grubb
@ 2016-10-04 14:11   ` William Roberts
  2016-10-04 14:13     ` Kevin Brown
  0 siblings, 1 reply; 6+ messages in thread
From: William Roberts @ 2016-10-04 14:11 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit, Kevin Brown

You don't always need local access, I look at a lot of logs from systems I don't
have access to, and I just decode them using python. I use the snippet
from here to do it:
http://stackoverflow.com/questions/9641440/convert-from-ascii-string-encoded-in-hex-to-plain-ascii

It might not be ideal, I have simple needs. IIUC, ausearch also takes
input from stdin, so you could cat raw log data you collected and use it
on the other machine. I have some vague recollection of doing this years
ago for Android, and it all worked as advertised.



On Tue, Oct 4, 2016 at 10:00 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
>> Is there an option within auditd to set whether commands are stored as hex
>> vs ASCII?
>
> No.
>
>> With the prevalence of SIEM these days, seems easier to keep the commands
>> as ASCII and not presume a person needs to have access to a local system to
>> run ausearch.
>>
>> Have gone through the documentation but didn't see an answer.
>
> This is a design decision from way back around 2005. The problem is that a
> user can control certain things. If they want to evade detection or throw off
> naive analysis, then they can do log injection attacks by using spaces, legal
> field names, and carriage returns in fields controlled by the user. Simple
> parsers will be tricked.
>
> There is some work currently going on wrt formatting output differently. In a
> way I'd rather see some plugins created using libauparse that present the
> information to the siem in a format that it won't naively parse.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
Respectfully,

William C Roberts
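The decoding William describes and the parsing hazard Steve describes are two halves of the same problem: auditd hex-encodes an "untrusted" string field whenever its value contains a space, a quote or a control byte, so a consumer that splits the raw record on key=value boundaries first and decodes the values second keeps user-controlled text inside the field it belongs to. The example below is added here for this thread; it is not code from the list, from the audit-userspace project or from the Stack Overflow snippet linked above, and the three audit records it contains are constructed for illustration rather than captured from a system. The set of field names it treats as encodable and the decimal/hex heuristics are assumptions a deployment should check against its own rules.

```python
"""Decode auditd's hex-encoded string fields after, not before, splitting a
record into key=value fields.  Added example for this thread; not code from the
list or from audit-userspace.  AUDIT_RECORDS below are constructed samples."""
import re

# String fields auditd treats as untrusted: emitted double-quoted when plain, or
# as bare hex when they contain a space, a quote or a control byte (assumed list).
UNTRUSTED_FIELDS = {"proctitle", "comm", "exe", "cmd", "key", "name",
                    "cwd", "path", "data", "acct"}
# In EXECVE records a0, a1, ... are argv strings and follow the rule above; in
# SYSCALL records the same names carry raw register values, so decoding them
# has to be gated on the record type.
EXECVE_ARG = re.compile(r"^a\d+$")
HEX_VALUE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# A field is key=value; a value is a double-quoted string or a run of non-blanks.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def is_encoded_string(rec_type, key):
    """True if this field may be hex-encoded in a record of this type."""
    return key in UNTRUSTED_FIELDS or bool(
        rec_type == "EXECVE" and EXECVE_ARG.match(key))


def decode_value(value):
    """Turn one untrusted-field value into the text ausearch -i would show."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_VALUE.match(value):
        raw = bytes.fromhex(value)
        # proctitle stores argv NUL-separated; render the separators as spaces.
        return raw.replace(b"\x00", b" ").decode("utf-8", errors="replace")
    return value  # e.g. "(null)" or "?" when the kernel had no value


def parse_record(line):
    """Split a raw record on its key=value boundaries, then decode the
    untrusted fields.  Because the split happens on the still-encoded line,
    spaces or key= text inside a decoded value cannot create or clobber a field."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec_type, timestamp, serial, body = m.groups()
    record = {"type": rec_type, "timestamp": timestamp, "serial": serial}
    for key, value in FIELD.findall(body):
        record[key] = decode_value(value) if is_encoded_string(rec_type, key) else value
    return record


def decode_records(lines):
    """Parse a batch of raw records (e.g. the contents of a shipped audit.log)."""
    return [parse_record(line) for line in lines if line.strip()]


# Constructed sample: one execve event as auditd logs it (three records sharing
# serial 456).  a1 is hex because the argument "hello key=x" contains a space;
# proctitle is hex because argv entries are NUL-separated; a0 and comm are plain
# and therefore quoted.
AUDIT_RECORDS = [
    'type=SYSCALL msg=audit(1475588792.123:456): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=7ffc1a2b3c4d a1=0 a2=0 a3=0 items=2 ppid=100 pid=101 '
    'auid=1000 uid=1000 comm="echo" exe="/usr/bin/echo" key="exec-monitor"',
    'type=EXECVE msg=audit(1475588792.123:456): argc=2 a0="echo" '
    'a1=68656C6C6F206B65793D78',
    'type=PROCTITLE msg=audit(1475588792.123:456): '
    'proctitle=6563686F0068656C6C6F206B65793D78',
]

if __name__ == "__main__":
    for rec in decode_records(AUDIT_RECORDS):
        shown = {k: rec[k] for k in ("a0", "a1", "comm", "proctitle", "key") if k in rec}
        print(rec["type"], shown)
```

Run on the collector or at the SIEM ingestion step, this yields the same field values `ausearch -i` prints, while the `key=x` text embedded in the EXECVE argument stays inside `a1` instead of being read as the record's `key` field. The point worth keeping from Steve's reply is the ordering: if the collector re-emits the decoded text as a plain ASCII line and the SIEM tokenises that line on whitespace, the protection the hex encoding provides is lost.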


* Re: commands in hex vs ASCII
  2016-10-04 14:11   ` William Roberts
@ 2016-10-04 14:13     ` Kevin Brown
  2016-10-04 21:16       ` Burn Alting
  0 siblings, 1 reply; 6+ messages in thread
From: Kevin Brown @ 2016-10-04 14:13 UTC (permalink / raw)
  To: William Roberts; +Cc: linux-audit


Thanks for the responses so far

On Tuesday, October 4, 2016, William Roberts <bill.c.roberts@gmail.com>
wrote:

> You don't always need local access, I look at a lot of logs from systems I
> don't have access to, and I just decode them using python. I use the snippet
> from here to do it:
> http://stackoverflow.com/questions/9641440/convert-from-ascii-string-encoded-in-hex-to-plain-ascii
>
> It might not be ideal, I have simple needs. IIUC, ausearch also takes
> input from stdin, so you could cat raw log data you collected and use it
> on the other machine. I have some vague recollection of doing this years
> ago for Android, and it all worked as advertised.
>
>
>
> On Tue, Oct 4, 2016 at 10:00 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > Hello,
> >
> > On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
> >> Is there an option within auditd to set whether commands are stored as hex
> >> vs ASCII?
> >
> > No.
> >
> >> With the prevalence of SIEM these days, seems easier to keep the commands
> >> as ASCII and not presume a person needs to have access to a local system to
> >> run ausearch.
> >>
> >> Have gone through the documentation but didn't see an answer.
> >
> > This is a design decision from way back around 2005. The problem is that a
> > user can control certain things. If they want to evade detection or throw off
> > naive analysis, then they can do log injection attacks by using spaces, legal
> > field names, and carriage returns in fields controlled by the user. Simple
> > parsers will be tricked.
> >
> > There is some work currently going on wrt formatting output differently. In a
> > way I'd rather see some plugins created using libauparse that present the
> > information to the siem in a format that it won't naively parse.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
> --
> Respectfully,
>
> William C Roberts
>


* Re: commands in hex vs ASCII
  2016-10-04 14:13     ` Kevin Brown
@ 2016-10-04 21:16       ` Burn Alting
  2016-10-04 21:59         ` F Rafi
  0 siblings, 1 reply; 6+ messages in thread
From: Burn Alting @ 2016-10-04 21:16 UTC (permalink / raw)
  To: Kevin Brown; +Cc: linux-audit

Kevin,

Have you thought of locally processing the logs using ausearch -i (which
does the conversion you want) and then transmitting the locally
interpreted logs to your SIEM?

On Tue, 2016-10-04 at 10:13 -0400, Kevin Brown wrote:
> Thanks for the responses so far
> 


* Re: commands in hex vs ASCII
  2016-10-04 21:16       ` Burn Alting
@ 2016-10-04 21:59         ` F Rafi
  0 siblings, 0 replies; 6+ messages in thread
From: F Rafi @ 2016-10-04 21:59 UTC (permalink / raw)
  To: burn; +Cc: linux-audit, Kevin Brown


We're using the hex to ascii function in our hosted log aggregation
solution. It's something that we had to open a feature request for
initially but, it works well.

-Farhan

On Tue, Oct 4, 2016 at 5:16 PM, Burn Alting <burn@swtf.dyndns.org> wrote:

> Kevin,
>
> Have you thought of locally processing the logs using ausearch -i (which
> does the conversion you want) and then transmitting the locally
> interpreted logs to your SIEM?
>
> On Tue, 2016-10-04 at 10:13 -0400, Kevin Brown wrote:
> > Thanks for the responses so far
> >
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

