* ENRICHED log_format not encoding all parameters
@ 2017-07-20  8:06 Peter KRIVANSKY
  2017-07-20 15:23 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Peter KRIVANSKY @ 2017-07-20  8:06 UTC (permalink / raw)
  To: linux-audit



Hello everyone,

I am writing to this mailing list as I have not found any working solution online.
We use audit with the ENRICHED log_format, but we see lots of parameters not being decoded from HEX.
Here are the auditd settings:
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = root
priority_boost = 4
flush = incremental
freq = 6000
num_logs = 10
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = hostname
max_log_file = 30
max_log_file_action = ROTATE
space_left = 150
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 100
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd

Installed audit Version:
2.6.5-3.el7_3.1

Here are the problem parts of the audit log (parameter a2):

node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298): argc=3 a0="/bin/sh" a1="-c" a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F706F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F303535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E442073697A652067742031306222204D6178437269743D31

Not-decoded parameter (a14) in the middle:
node=hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300): argc=16 a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H" a3="10.100.0.0" a4="-p" a5="5666" a6="-c" a7="CheckFiles" a8="-t" a9="20" a10="-a" a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0" a13="pattern=*33_0550_L_*.CK8" a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 a15="MaxCrit=1"


We need the ENRICHED log_format so we can analyze audit logs on a central log server. I tried to increase the "priority_boost" parameter to 6, and increased the "freq" parameter to 6000 to give auditd more time for decoding. None of the mentioned helped.
What I don't understand is that sometimes it's the last parameter which is not decoded, and sometimes it is one in the middle. See the example above.

Any kind of advice is welcome.
With kind regards,
Peter
This email and its content belong to Ingenico Group. The enclosed information is confidential and may not be disclosed to any unauthorized person. If you have received it by mistake do not forward it and delete it from your system.





* Re: ENRICHED log_format not encoding all parameters
  2017-07-20  8:06 ENRICHED log_format not encoding all parameters Peter KRIVANSKY
@ 2017-07-20 15:23 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2017-07-20 15:23 UTC (permalink / raw)
  To: linux-audit; +Cc: Peter KRIVANSKY

On Thursday, July 20, 2017 4:06:48 AM EDT Peter KRIVANSKY wrote:
> Hello together,
> 
> I am writing to this mailing list as I have not found any working solution
> online.
> We use the audit with ENRICHED log_format, but we see lots of
> parameters not being decoded from HEX, Here are the auditd settings:

The decoding from hex is done by ausearch. It's always been like that. What the 
enriched format does is capture the ephemeral system specific mappings such as 
UID/GID at the moment the event occurs. This way the events can be correctly 
displayed by ausearch no matter which computer you run ausearch on.


> log_file = /var/log/audit/audit.log
> log_format = ENRICHED
> log_group = root
> priority_boost = 4
> flush = incremental
> freq = 6000
> num_logs = 10
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = hostname
> max_log_file = 30
> max_log_file_action = ROTATE
> space_left = 150
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 100
> admin_space_left_action = SUSPEND
> disk_full_action = SUSPEND
> disk_error_action = SUSPEND
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
> 
> Installed audit Version:
> 2.6.5-3.el7_3.1
> 
> Here the problem parts of the Audit log (parameter a2):
> 
> node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298):
> argc=3 a0="/bin/sh" a1="-c"
> a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065
> 202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B
> 46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F70
> 6F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F30
> 3535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E
> 442073697A652067742031306222204D6178437269743D31
 
> not decoded parameter (a14) in the middle:
> node= hostname.domain.tld  type=EXECVE msg=audit(1500536092.303:232170300):
> argc=16 a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H"
> a3="10.100.0.0" a4="-p" a5="5666" a6="-c" a7="CheckFiles" a8="-t" a9="20"
> a10="-a" a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0"
> a13="pattern=*33_0550_L_*.CK8"
> a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A65206774203
> 13062 a15="MaxCrit=1"

> 
> We need the ENRICHED log_format so we can analyze audit logs on a central log
> server. I tried to increase the "priority_boost" parameter to 6, and
> increased the "freq" parameter to 6000 to give auditd more time for
> decoding. 

It doesn't need more time as this does not have any kind of deadline scheduler. I 
would however recommend using incremental_async for the flush method as it's 
about 90x faster than the normal incremental method. But this won't affect the 
hex encoding. To see your event in full, you need to run the event through 
ausearch.


> None of the mentioned helped. What I don't understand is that
> sometimes it's the last parameter which is not decoded, and sometimes it
> is one in the middle. 

The hex encoding is done whenever there is a field being captured that could 
be controlled by the user. This is to prevent someone naming a file that would 
confuse a naive parser and make it misparse the event.

> See example above 
> Any kind of advice is welcome
> With kind regards

Hope this helps...

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
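Steve's reply says where the decoding happens; what a central-log-server owner usually wants next is to see it done. The following Python is an added example (mine, not code from the audit project or from either poster) that performs the equivalent of `ausearch -i` on the two EXECVE records Peter posted above, and shows why his a14 was hex-encoded while a13 was not. It parses the `key=value` fields, decodes hex-encoded untrusted strings, re-encodes a value with the rule the kernel applies (a double quote, or any byte below 0x21 or above 0x7E, forces hex), and reassembles argv, including the `aN[0]`, `aN[1]`, ... chunks the kernel emits for an oversized argument. The list of untrusted field names in `UNTRUSTED_FIELD_RE` is an assumption of the example and is not complete; ausearch carries the authoritative field types.

```python
import re

# The two EXECVE records posted in this thread, copied verbatim into a list
# (the hostname and IP in them are the poster's own placeholders).
SAMPLE_RECORDS = [
    'node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298): '
    'argc=3 a0="/bin/sh" a1="-c" '
    'a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065'
    '202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B'
    '46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F70'
    '6F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F30'
    '3535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E'
    '442073697A652067742031306222204D6178437269743D31',
    'node=hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300): '
    'argc=16 a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H" '
    'a3="10.100.0.0" a4="-p" a5="5666" a6="-c" a7="CheckFiles" a8="-t" a9="20" '
    'a10="-a" a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0" '
    'a13="pattern=*33_0550_L_*.CK8" '
    'a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 '
    'a15="MaxCrit=1"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space chars.
FIELD_RE = re.compile(r'([A-Za-z_][\w\[\]]*)=("(?:[^"\\]|\\.)*"|\S*)')
# Fields whose content comes from user space and may therefore be hex-encoded.
# Non-exhaustive list, an assumption of this example; ausearch knows the full set.
UNTRUSTED_FIELD_RE = re.compile(r'^(a\d+(\[\d+\])?|comm|exe|cwd|name|proctitle|key|acct)$')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')


def needs_hex_encoding(value: bytes) -> bool:
    """The kernel's rule: a double quote, any byte below 0x21 (space and
    control characters) or any byte above 0x7E forces hex encoding."""
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in value)


def encode_field(value: bytes) -> str:
    """Render a value the way the kernel writes an untrusted string:
    upper-case hex when it must be escaped, otherwise wrapped in quotes."""
    if needs_hex_encoding(value):
        return value.hex().upper()
    return '"%s"' % value.decode('ascii')


def why_hex_encoded(value: str) -> list:
    """Name the characters in a decoded value that triggered hex encoding."""
    reasons = []
    for b in value.encode('utf-8'):
        if b == 0x22 or b < 0x21 or b > 0x7E:
            label = {0x20: 'space', 0x22: 'double quote'}.get(b, 'byte 0x%02X' % b)
            if label not in reasons:
                reasons.append(label)
    return reasons


def decode_field(name: str, raw: str) -> str:
    """Undo the kernel's escaping for one field, as `ausearch -i` does."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if UNTRUSTED_FIELD_RE.match(name) and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='backslashreplace')
    return raw  # numeric fields such as argc, pid, uid stay as they are


def parse_record(line: str) -> dict:
    return {k: decode_field(k, v) for k, v in FIELD_RE.findall(line)}


def execve_argv(record: dict) -> list:
    """Rebuild argv from a decoded EXECVE record, joining the aN[0], aN[1], ...
    chunks the kernel emits for an oversized argument."""
    argv = []
    for i in range(int(record['argc'])):
        key = 'a%d' % i
        if key in record:
            argv.append(record[key])
            continue
        chunks = sorted((k for k in record if k.startswith(key + '[')),
                        key=lambda k: int(k[len(key) + 1:-1]))
        argv.append(''.join(record[k] for k in chunks))
    return argv


if __name__ == '__main__':
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        for i, arg in enumerate(execve_argv(rec)):
            reasons = why_hex_encoded(arg)
            note = ' (hex-encoded because of: %s)' % ', '.join(reasons) if reasons else ''
            print('a%d=%r%s' % (i, arg, note))
        print()
```

Running it shows a14 decoding to `filter=written lt -30m AND size gt 10b`, hex-encoded only because it contains spaces, while a13 (`pattern=*33_0550_L_*.CK8`) has none and is therefore quoted; the `/bin/sh -c` argument in the first record is encoded for both spaces and the embedded double quotes. The practical consequence for a central log server is that a grep over the raw file for a command string will miss every argument the kernel chose to hex-encode, so decode before indexing or alerting. Where ausearch is available on the collector, `ausearch -if <copied audit.log> -i` does the same decoding and additionally resolves the uid/gid names that the ENRICHED format appended to each record.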
