Wazuh only getting type=SYSCALL from auditd logs

Wiktor Pieńkowski

Sep 28, 2022, 10:19:56 AM9/28/22
to Wazuh mailing list
Hi, I'm facing a problem with configuring system auditing in Wazuh. I have configured audit rules and added the keys to Wazuh, but they only log syscalls containing the key, discarding the rest of the log from the same event, which contains more useful data like the name of the file created or modified. For example, for creating a file in /etc/init.d, the Wazuh alert is:

** Alert 1664370962.320203: - audit,audit_watch_write,gdpr_IV_30.1.g,
2022 Sep 28 13:16:02 (ubuntutest) any->/var/log/audit/audit.log
Rule: 80780 (level 3) -> 'Audit: Watch - Write access.'
type=SYSCALL msg=audit(1664370963.386:445): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe821b1843 a2=941 a3=1b6 items=2 ppid=3955 pid=4923 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="touch" exe="/usr/bin/touch" subj=? key="init"ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
audit.type: SYSCALL
audit.id: 445
audit.arch: c000003e
audit.syscall: 257
audit.success: yes
audit.exit: 3
audit.ppid: 3955
audit.pid: 4923
audit.auid: 0
audit.uid: 0
audit.gid: 0
audit.euid: 0
audit.suid: 0
audit.fsuid: 0
audit.egid: 0
audit.sgid: 0
audit.fsgid: 0
audit.tty: pts1
audit.session: 1
audit.command: touch
audit.exe: /usr/bin/touch
audit.key: init

While the audit log looks like this:
time->Wed Sep 28 13:16:03 2022
type=UNKNOWN[1420] msg=audit(1664370963.386:445): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1664370963.386:445): proctitle=746F756368002F6574632F696E69742E642F74657374373737382E747874
type=PATH msg=audit(1664370963.386:445): item=1 name="/etc/init.d/test7778.txt" inode=417557 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=? nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=UNKNOWN[1421] msg=audit(1664370963.386:445):
type=PATH msg=audit(1664370963.386:445): item=0 name="/etc/init.d/" inode=393271 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=UNKNOWN[1421] msg=audit(1664370963.386:445):
type=SYSCALL msg=audit(1664370963.386:445): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe821b1843 a2=941 a3=1b6 items=2 ppid=3955 pid=4923 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="touch" exe="/usr/bin/touch" subj=? key="init"

Is it even possible in Wazuh to get all this data into the alert? My configuration:
auditctl -l:
-a never,user -F subj_type=crond_t
-a never,exit -S all -F subj_type=crond_t
-a never,exit -F arch=b32 -S adjtimex -F auid=-1 -F subj_type=chronyd_t
-a never,exit -F arch=b64 -S adjtimex -F auid=-1 -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S all -F path=/opt/filebeat -F key=filebeat
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d -p wa -k cron
-w /etc/cron.daily -p wa -k cron
-w /etc/cron.hourly -p wa -k cron
-w /etc/cron.monthly -p wa -k cron
-w /etc/cron.weekly -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron -p rwxa -k cron
-w /bin/systemctl -p x -k systemd
-w /etc/systemd -p wa -k systemd
-w /usr/lib/systemd -p wa -k systemd
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/inittab -p wa -k init
-w /etc/init.d -p wa -k init
-w /etc/init -p wa -k init
-w /etc/selinux -p wa -k MAC-policy
-w /usr/share/selinux -p wa -k MAC-policy
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
-a always,exit -S all -F path=/sbin/insmod -F perm=x -F auid!=-1 -F key=modules
-a always,exit -S all -F path=/sbin/rmmod -F perm=x -F auid!=-1 -F key=modules
-a always,exit -S all -F path=/sbin/modprobe -F perm=x -F auid!=-1 -F key=modules
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/ssh/sshd_config.d -p wa -k sshd
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/userdel -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
-a always,exit -F arch=b64 -S init_module,delete_module -F auid!=-1 -F key=modules
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=CRYPTO_KEY_USER

audit-keys:
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
time-change:
identity:
system-locale:
MAC-policy:
logins:
session:
mounts:
delete:
scope:
actions:
modules:
init:
sshd:
group_modification:
user_modification:

And is there any way to pass the username instead of the user id to Wazuh? Similar to when you check logs with the ausearch -i command. Thanks in advance for any help.

Christian Borla

Sep 28, 2022, 2:28:51 PM9/28/22
to Wazuh mailing list
Hi!
I hope you are doing fine! Sorry for the delay.
At this moment the default decoders support other event types; as you mentioned, the Audit decoder and rule are focused on the SYSCALL event type. Link to default decoder.

Audit decoder file, wazuh/ruleset/decoders/0040-auditd_decoders.xml:

<decoder name="auditd">
  <prematch>^type=</prematch>
</decoder>

<!-- ID -->
<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <prematch offset="after_parent">^SYSCALL </prematch>
  <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
  <order>audit.type,audit.id</order>
</decoder>

But also you can find decoders for type=PATH

<!-- PATH - DIRECTORY: mode=04* -->
<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">type=PATH msg=audit\(\S+\): item=\S+ name="(\.+)" inode=(\S+) dev=\S+ mode=(04\S+) ouid=\S+ ogid=\S+ </regex>
  <order>audit.directory.name, audit.directory.inode, audit.directory.mode</order>
</decoder>

Testing it with the wazuh-logtest tool:

# /var/ossec/bin/wazuh-logtest
Type one log per line


type=PATH msg=audit(1664370963.386:445): item=0 name="/etc/init.d/" inode=393271 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

**Phase 1: Completed pre-decoding.
    full event: 'type=PATH msg=audit(1664370963.386:445): item=0 name="/etc/init.d/" inode=393271 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0'

**Phase 2: Completed decoding.
    name: 'auditd'
    audit.gid: '0'
    audit.id: '445'
    audit.type: 'PATH'

**Phase 3: Completed filtering (rules).
    id: '80700'
    level: '0'
    description: 'Audit: Messages grouped.'
    groups: '['audit']'
    firedtimes: '1'
    mail: 'False'

It falls into rule 80700, which is level 0, and the rule isn't triggered, but you can create a rule to make it trigger an alert.

I made this custom rule as an example, added to /var/ossec/etc/rules/local_rules.xml:

  <rule id="111000" level="3">
    <if_sid>80700</if_sid>
    <field name="audit.type">PATH</field>
    <description>Audit: PATH</description>
    <group>audit_watch_execute,gdpr_IV_30.1.g,</group>
  </rule>

Testing it on wazuh-logtest:

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.0
Type one log per line


type=PATH msg=audit(1664370963.386:445): item=0 name="/etc/init.d/" inode=393271 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

**Phase 1: Completed pre-decoding.
    full event: 'type=PATH msg=audit(1664370963.386:445): item=0 name="/etc/init.d/" inode=393271 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0'

**Phase 2: Completed decoding.
    name: 'auditd'
    audit.gid: '0'
    audit.id: '445'
    audit.type: 'PATH'

**Phase 3: Completed filtering (rules).
    id: '111000'
    level: '3'
    description: 'Audit: PATH'
    groups: '['syscheckaudit_watch_execute']'
    firedtimes: '1'
    gdpr: '['IV_30.1.g']'
    mail: 'False'
**Alert to be generated.

This is the way to create custom decoders and rules to capture and trigger events that you need.
Let me know if this information is useful to you! 
Regards.
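As an added illustration of the two asks in this thread (getting the PATH records that belong to the same event as the keyed SYSCALL record, and showing usernames instead of numeric ids as ausearch -i does), here is a small Python script that is not part of Wazuh and not from either post. Wazuh decodes each audit record as its own log line, as the wazuh-logtest runs above show, so the only thing tying the records together is the msg=audit(timestamp:serial) identifier; the script groups records by that serial and resolves uids against a constructed /etc/passwd excerpt (the sample log, the passwd content and the "wiktor" user are all constructed for the example).

```python
import re

# Constructed sample: the four records auditd wrote for one event (serial 445),
# modelled on the thread's lines; note the key appears only on the SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1664370963.386:445): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=3955 pid=4923 auid=0 uid=0 gid=0 euid=0 tty=pts1 ses=1 comm="touch" exe="/usr/bin/touch" subj=? key="init"
type=PATH msg=audit(1664370963.386:445): item=1 name="/etc/init.d/test7778.txt" inode=417557 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=PATH msg=audit(1664370963.386:445): item=0 name="/etc/init.d/" inode=393271 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PROCTITLE msg=audit(1664370963.386:445): proctitle=746F756368002F6574632F696E69742E642F74657374373737382E747874
"""
# Constructed /etc/passwd excerpt (a real run would read /etc/passwd or use pwd.getpwuid).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwiktor:x:1000:1000::/home/wiktor:/bin/bash\n"

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def load_passwd(text):  # uid -> username, the lookup ausearch -i performs
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3:
            users[parts[2]] = parts[0]
    return users

def parse_record(line):  # -> (type, timestamp, serial, {field: value}) or None
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return rtype, ts, serial, {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}

def correlate(log_text, users):
    """Group records sharing a serial into one event carrying names, paths and argv."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, f = rec
        ev = events.setdefault(serial, {"timestamp": ts, "paths": []})
        if rtype == "SYSCALL":
            ev.update(key=f.get("key"), exe=f.get("exe"), syscall=f.get("syscall"))
            for uid_field in ("auid", "uid", "euid"):      # resolve ids like ausearch -i
                ev[uid_field] = users.get(f.get(uid_field), f.get(uid_field))
        elif rtype == "PATH":        # the file names the SYSCALL-only alert was missing
            ev["paths"].append((f.get("nametype"), f.get("name")))
        elif rtype == "PROCTITLE":   # hex argv (auditd hex-encodes when argv has a NUL)
            argv = bytes.fromhex(f.get("proctitle", "")).decode("utf-8", "replace")
            ev["proctitle"] = argv.replace("\x00", " ")
    return events
```

Run over the constructed log, the single event 445 comes out with key "init", user root, the CREATE path /etc/init.d/test7778.txt and the decoded command line, which is the data the per-record SYSCALL alert above could not show.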