Beta (Comprehensive) Auditd Decoder


Michael Starks

Jun 26, 2011, 10:48:11 AM
to ossec...@googlegroups.com
Hello folks,

Some others have already written simple auditd decoders, but I decided
to take a stab at something comprehensive enough for inclusion into
release. It has been tested with a few supported types on logs from
CentOS 5.5 and Ubuntu 10.04 LTS. Auditd supports over 90 event types, so
obviously this only supports a small subset, but I think it should be a
good start for most situations.

Please try it out and let me know if your logs decode properly. Do the
extracted fields make sense? Any suggestions?

Here is the current rev (available for one month from the date of this
post): http://pastebin.com/8R6S5L1N

Thanks,
Mike

Michael Starks

Jun 27, 2011, 7:45:04 PM
to ossec...@googlegroups.com
On 06/26/2011 09:48 AM, Michael Starks wrote:

> Here is the current rev (available for one month from the date of this
> post): http://pastebin.com/8R6S5L1N

Whoops, copy and paste error. The auditd-path decoder should look like this:

<!-- path (will only decode if name is not null) -->
<decoder name="auditd-path">
  <parent>auditd</parent>
  <prematch offset="after_parent">^PATH </prematch>
  <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
  <order>action,id,extra_data</order>
</decoder>

jplee3

Jul 13, 2011, 5:54:48 PM
to ossec-list
Hey Michael,

Thanks for doing this. So this is what I get when I run ossec-logtest:

**Phase 1: Completed pre-decoding.
full event: 'type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="jplee3" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)''
hostname: 'irprinfntp1'
program_name: '(null)'
log: 'type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="jplee3" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)''

**Phase 2: Completed decoding.
decoder: 'auditd'
action: 'USER_ACCT'
id: '1222'
extra_data: '/usr/bin/sudo'
srcip: '?'
status: 'success'

I left out Phase 3 as I created an auditd based rule from the
simplified decoder I created prior. I guess I'm just curious about the
decoder that was identified in Phase 2. Shouldn't it have decoded my
log message as auditd-user?


Michael Starks

Jul 14, 2011, 4:33:50 PM
to ossec...@googlegroups.com

You're not seeing auditd-user because ossec-logtest doesn't show the
child decoder. It looks like it decoded it properly, but it would be
more useful with the user. What distro is this from? I would like to
compare this with my samples to see why I may not have decoded the user.

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com

Michael Starks

Jul 14, 2011, 4:48:47 PM
to ossec...@googlegroups.com

On Wed, 13 Jul 2011 14:54:48 -0700 (PDT), jplee3 wrote:

> **Phase 2: Completed decoding.
> decoder: 'auditd'
> action: 'USER_ACCT'
> id: '1222'
> extra_data: '/usr/bin/sudo'
> srcip: '?'
> status: 'success'

I took a look at the decoder. Here's a version that will decode the
username for you: http://pastebin.com/UjzyvH46. Just replace the <!--
user-related --> section. I have to do some regression testing, but I
don't think it will break the other formats.
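The decoding these two messages are working through (the auditd-path decoder from the 27 June post, and why jplee3's USER_ACCT line came back without a user field), as an added example that is not part of the thread and not OSSEC's own code: a small Python model of what ossec-logtest does in Phase 2. It translates the OSSEC regex dialect (`\d`, `\S`, `\.` meaning any character, `\(` for a literal parenthesis, per the OSSEC regex syntax documentation) into Python `re`, then runs a parent decoder and its `offset="after_parent"` children. The `auditd` parent, the `auditd-user` child and the two PATH sample lines are assumptions I constructed for illustration; the USER_ACCT line is the one jplee3 posted, and the `auditd-path` pattern is Michael's, verbatim.

```python
import re
from dataclasses import dataclass, field

# Added example, not OSSEC project code. The escape table follows the
# documented OSSEC regex classes; the decoder semantics below (parent
# prematch, then first child whose prematch hits) are a simplification.
_OSSEC_ESCAPES = {
    r"\w": r"[A-Za-z0-9@_\-]",
    r"\d": r"[0-9]",
    r"\s": r" ",
    r"\t": r"\t",
    r"\W": r"[^A-Za-z0-9@_\-]",
    r"\D": r"[^0-9]",
    r"\S": r"[^ ]",
    r"\.": r".",  # OSSEC: "\." is any character; a bare "." is a literal dot
}
_OSSEC_OPERATORS = set("+*^$|()")


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-dialect pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            esc = pattern[i:i + 2]
            # escaped operators such as \( \) \$ \| are literals in OSSEC
            out.append(_OSSEC_ESCAPES.get(esc, re.escape(pattern[i + 1])))
            i += 2
        elif c in _OSSEC_OPERATORS:
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


@dataclass
class Decoder:
    name: str
    prematch: str
    regex: str
    order: list
    children: list = field(default_factory=list)

    def match(self, text):
        """None if the prematch misses; else (fields, end offset of the prematch).
        A prematch hit whose regex fails still claims the line but yields no fields."""
        pre = re.match(ossec_to_python(self.prematch), text)
        if pre is None:
            return None
        m = re.match(ossec_to_python(self.regex), text)
        return (dict(zip(self.order, m.groups())) if m else {}), pre.end()


def decode(line, parent):
    """Model of Phase 2: run the parent, then the first after_parent child that hits."""
    hit = parent.match(line)
    if hit is None:
        return None
    fields, offset = hit
    result = {"decoder": parent.name, **fields}
    rest = line[offset:]  # offset="after_parent": children match after the parent's prematch
    for child in parent.children:
        child_hit = child.match(rest)
        if child_hit is not None:
            result["child"] = child.name  # ossec-logtest prints only the parent's name
            result.update(child_hit[0])
            break
    return result


_TS = r"\d\d\d\d\d\d\d\d\d\d.\d\d\d"  # audit(<epoch>.<msec>:<serial>), as in the thread

AUDITD = Decoder(
    name="auditd",  # hypothetical parent; the thread does not show its definition
    prematch=r"^type=",
    regex=r"^type=(\S+) msg=audit\(" + _TS + r":(\d+)\):",
    order=["action", "id"],
    children=[
        Decoder(  # Michael's auditd-path decoder, verbatim
            name="auditd-path",
            prematch=r"^PATH ",
            regex=(r"^(PATH) msg=audit\(" + _TS + r':(\d+)\): item=\d+ name="(\.+)" '
                   r"inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+"),
            order=["action", "id", "extra_data"],
        ),
        Decoder(  # hypothetical user decoder that also pulls acct= into the user field
            name="auditd-user",
            prematch=r"^USER_ACCT ",
            regex=(r"^(USER_ACCT) msg=audit\(" + _TS + r":(\d+)\): user pid=\d+ uid=\d+ "
                   r"auid=\d+ ses=\d+ subj=\S+ msg='op=\S+ "
                   r'acct="(\S+)" exe="(\S+)" \(hostname=\S+, addr=(\S+), terminal=\S+ '
                   r"res=(\S+)\)'"),
            order=["action", "id", "user", "extra_data", "srcip", "status"],
        ),
    ],
)

# Sample input: USER_ACCT_LINE is the event jplee3 posted; the PATH lines are constructed.
USER_ACCT_LINE = (
    "type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 "
    "subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct=\"jplee3\" "
    "exe=\"/usr/bin/sudo\" (hostname=?, addr=?, terminal=pts/5 res=success)'"
)
PATH_LINE = ('type=PATH msg=audit(1309082891.123:4567): item=0 name="/etc/shadow" '
             "inode=1310 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00")
NULL_PATH_LINE = ("type=PATH msg=audit(1309082891.123:4567): item=1 name=(null) "
                  "inode=0 dev=00:00 mode=0 ouid=0 ogid=0 rdev=00:00")

if __name__ == "__main__":
    for line in (USER_ACCT_LINE, PATH_LINE, NULL_PATH_LINE):
        print(decode(line, AUDITD))
```

Two things the model makes visible that logtest's output hides: the `child` key shows which child decoder actually claimed the line (logtest only prints the parent's name, which is why jplee3 saw `auditd` rather than `auditd-user`), and the `name=(null)` PATH record comes back with `action` and `id` but no `extra_data`, exactly the "will only decode if name is not null" caveat in the decoder's comment. Whether a prematch hit with a failing regex blocks later siblings is a property of the real engine this toy does not try to prove; test against ossec-logtest before relying on it.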

Dennis Golden

Jul 14, 2011, 6:16:45 PM
to ossec...@googlegroups.com
I am upgrading to a new system and looking at the default useradd
command it is creating the ossec users in user space. Shouldn't this be
using the "-r" option to install in system user space?

Regards,

Dennis
--
Dennis Golden
Golden Consulting Services, Inc.

Michael Starks

Jul 15, 2011, 3:30:17 PM
to ossec...@googlegroups.com

On Thu, 14 Jul 2011 17:16:45 -0500, Dennis Golden wrote:
> I am upgrading to a new system and looking at the default useradd
> command it is creating the ossec users in user space. Shouldn't this
> be using the "-r" option to install in system user space?

Seems like a good idea; I concur. But I wonder if -r would be pretty
standard across the nixes.

dan (ddp)

Jul 15, 2011, 4:13:37 PM
to ossec...@googlegroups.com

-r requires 2 arguments, a high uid and a low uid.
Which high and which low will be free on every system out there?
Why not let the system decide? ;)

George Ochola

Jul 18, 2011, 9:07:23 AM
to ossec...@googlegroups.com, ddp...@gmail.com
Hi All

I have configured an OSSEC server on an AIX 5.3 box; I can't seem to get email
alerting to work.

See below the ERROR I am getting in the ossec.log:


2011/07/18 15:31:35 os_sendmail(1764): WARN: Mail from not accepted by server
2011/07/18 15:31:35 ossec-maild(1223): ERROR: Error Sending email to 10.x.x.x (smtp server)

Could someone help on how to fix this problem?

Kind Regards

George Ochola

Christopher Moraes

Jul 18, 2011, 9:54:05 AM
to ossec...@googlegroups.com
It seems like the mail server is validating the from address that you've configured. Is the "from" address a valid address in your domain?