From 5e868f8bba7babc5c6e7b87d519254bb73081ec6 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 8 Feb 2021 15:11:57 +0100 Subject: [PATCH] Update filebeat auditd module to ECS 1.8 (#23723) Update the auditd module in Filebeat to apply the same ECS enrichments as Auditbeat / go-libaudit. This is achieved by an autogenerated processor that performs the enrichments defined in go-libaudit's normalizations.yaml. --- CHANGELOG.next.asciidoc | 1 + filebeat/module/auditd/log/config/log.yml | 2 +- .../auditd/log/ingest/gen-ecs-mappings.py | 176 ++ .../module/auditd/log/ingest/pipeline.yml | 1828 ++++++++++++++++- .../test/audit-cent7-node.log-expected.json | 104 +- .../log/test/audit-rhel6.log-expected.json | 148 +- .../log/test/audit-rhel7.log-expected.json | 814 +++++++- .../test/audit-ubuntu1604.log-expected.json | 18 + filebeat/module/auditd/log/test/avc.log | 3 + .../auditd/log/test/avc.log-expected.json | 64 + .../auditd/log/test/test.log-expected.json | 85 +- filebeat/module/auditd/log/test/useradd.log | 8 + .../auditd/log/test/useradd.log-expected.json | 300 +++ 13 files changed, 3361 insertions(+), 190 deletions(-) create mode 100644 filebeat/module/auditd/log/ingest/gen-ecs-mappings.py create mode 100644 filebeat/module/auditd/log/test/avc.log create mode 100644 filebeat/module/auditd/log/test/avc.log-expected.json create mode 100644 filebeat/module/auditd/log/test/useradd.log create mode 100644 filebeat/module/auditd/log/test/useradd.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index bddf23cda64..897a8c415be 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -842,6 +842,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. {pull}23819[23819] - Add new ECS user and categories features to google_workspace/gsuite {issue}23118[23118] {pull}23709[23709] - Move crowdstrike JS processor to ingest pipelines and upgrade to ECS 1.8.0 {issue}23118[23118] {pull}23875[23875] +- Update Filebeat auditd dataset to ECS 1.8.0. {pull}23723[23723] {issue}23118[23118] *Heartbeat* diff --git a/filebeat/module/auditd/log/config/log.yml b/filebeat/module/auditd/log/config/log.yml index 6fcf0ab7a1f..2db4213af7b 100644 --- a/filebeat/module/auditd/log/config/log.yml +++ b/filebeat/module/auditd/log/config/log.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/filebeat/module/auditd/log/ingest/gen-ecs-mappings.py b/filebeat/module/auditd/log/ingest/gen-ecs-mappings.py new file mode 100644 index 00000000000..55dba388085 --- /dev/null +++ b/filebeat/module/auditd/log/ingest/gen-ecs-mappings.py @@ -0,0 +1,176 @@ +#!/usr/bin/env python3 + +# This script generates auditd to ECS mappings from github.com/elastic/go-libaudit +# +# Usage: ./gen-ecs-mappings.py ~/go/src/github.com/elastic/go-libaudit +# +# It will output to stdout the `params` section for the script processor in the ingest pipeline. +import copy +import os +import sys +import yaml +from collections import defaultdict +from shlex import quote +from subprocess import check_call, call, check_output + + +def extract_object(name: str, source: dict) -> dict: + r = {} + for k, v in source.items(): + if k == 'primary' or k == 'secondary': + r[name + '.' + k] = v + elif k == 'what' or k == 'path_index' or k == 'how': + pass + else: + raise Exception('Unexpected object key: ' + k) + return r + + +def map_object(instance: dict, context: str, mappings: dict): + for k, v in instance.items(): + if k not in mappings: + raise Exception('Unexpected key "{}" while parsing {}'.format(k, context)) + mappings[k](k, v) + + +def convert_mappings(m: dict) -> dict: + event = {} + objects = { + # Default values for subject (actor), may be overridden. + 'subject.primary': ['auid'], + 'subject.secondary': ['uid'], + } + extra = {} # TODO: Unused (sets client.ip) + mappings = [] + has_fields = [] + + def store_condition(k: str, v: list): + nonlocal has_fields + has_fields = v + + def store_event(k: str, v: list): + if not isinstance(v, list): + v = [v] + event[k] = v + + def ignore(k, v): + pass + + def make_store_field(name: str): + def store(k: str, v: any): + extra[name] = v + return store + + def store_ecs(k: str, v: dict): + def store_mappings(k: str, v: list): + if not isinstance(v, list): + raise Exception('ecs.mappings must be a list, not ' + repr(v)) + nonlocal mappings + mappings = v + + map_object(v, 'ecs', { + 'type': store_event, + 'category': store_event, + 'mappings': store_mappings, + }) + + def store_entity(basek: str, basev: dict): + def save(k: str, v: any): + if not isinstance(v, list): + v = [v] + objects[basek + '.' + k] = v + + map_object(basev, basek, { + **dict.fromkeys(['primary', 'secondary'], save), + **dict.fromkeys(['what', 'path_index'], ignore) + }) + + map_object(m, 'mapping', { + 'action': store_event, + 'ecs': store_ecs, + 'source_ip': make_store_field('source.ip'), + 'has_fields': store_condition, + **dict.fromkeys(['object', 'subject'], store_entity), + **dict.fromkeys(['syscalls', 'record_types', 'how', 'description'], ignore), + }) + d = { + 'event': event, + } + + if len(mappings) > 0: + d['copy'] = [] + for mp in mappings: + ref = mp['from'] + if ref in objects: + source = objects[ref] + else: + parts = ref.split('.') + if len(parts) != 2: + raise Exception("Don't know how to apply ecs mapping for {}".format(ref)) + if parts[0] == 'uid' or parts[0] == 'data': + source = [parts[1]] + else: + raise Exception("Don't know how to apply ecs mapping for {}".format(ref)) + d['copy'].append({ + 'from': source, + 'to': mp['to'] + }) + + if len(has_fields) > 0: + d['has_fields'] = has_fields + return d + + +class DefaultDict(defaultdict): + def __init__(self, factory): + super(DefaultDict, self).__init__(factory) + + def append(self, keys, obj): + if isinstance(keys, str): + keys = [keys] + for key in keys: + self[key].append(copy.deepcopy(obj)) + + +if __name__ == '__main__': + if len(sys.argv) != 2: + print('Usage: {} '.format(sys.argv[0])) + sys.exit(1) + repo_path = sys.argv[1] + if not os.path.isdir(repo_path): + raise Exception('Path to go-libaudit is not a directory: ' + repo_path) + git_path = repo_path + "/.git" + if not os.path.isdir(git_path): + raise Exception('go-libaudit directory doesn\'t contain a git repository: ' + git_path) + norms_path = repo_path + "/aucoalesce/normalizations.yaml" + if not os.path.isfile(norms_path): + raise Exception('go-libaudit repository doesn\'t contain the normalizations file: ' + norms_path) + revision = check_output('git --work-tree={} --git-dir={} describe --tags'.format(quote(repo_path), + quote(git_path)), shell=True).decode('utf8').strip() + with open(norms_path, 'r') as f: + norms = yaml.full_load(f) + types = DefaultDict(list) + syscalls = DefaultDict(list) + for entry in norms['normalizations']: + proto = convert_mappings(entry) + # TODO: Correctly check for emptyness (condition field?) + if len(proto) == 0: + continue + if 'syscalls' in entry: + syscalls.append(entry['syscalls'], proto) + + if 'record_types' in entry: + types.append(entry['record_types'], proto) + +if 'SYSCALL' in types: + raise Exception('SYSCALL cannot be specified in record_types') + +print('# Auditd record type to ECS mappings') +print('# AUTOGENERATED FROM go-libaudit {}, DO NOT EDIT'.format(revision)) +yaml.safe_dump({ + 'params': { + 'types': dict(types), + 'syscalls': dict(syscalls), + } +}, sys.stdout) +print('# END OF AUTOGENERATED') diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml index e1c3e6ac621..826761837d5 100644 --- a/filebeat/module/auditd/log/ingest/pipeline.yml +++ b/filebeat/module/auditd/log/ingest/pipeline.yml @@ -27,18 +27,13 @@ processors: target_field: auditd.log - kv: field: auditd.log.sub_kv - field_split: "\\s+" + field_split: "\\s+(?=[^\\s]+=)" value_split: "=" target_field: auditd.log ignore_missing: true -- remove: - field: auditd.log.kv - ignore_failure: true -- remove: - field: auditd.log.sub_kv - ignore_failure: true -- remove: +- rename: field: message + target_field: event.original ignore_failure: true - date: field: auditd.log.epoch @@ -46,9 +41,6 @@ processors: formats: - UNIX ignore_failure: true -- remove: - field: auditd.log.epoch - ignore_failure: true - rename: ignore_failure: true field: auditd.log.old-auid @@ -179,83 +171,1743 @@ processors: - script: lang: painless ignore_failure: true + # Auditd record type to ECS mappings + # AUTOGENERATED FROM go-libaudit v2.2.0, DO NOT EDIT params: - CONFIG_CHANGE: - category: - - configuration - type: - - change - DAEMON_CONFIG: - category: - - configuration - type: - - change - DAEMON_RECONFIG: - category: - - configuration - type: - - info - FEATURE_CHANGE: - category: - - configuration - type: - - change - KERN_MODULE: - category: - - driver - type: - - info - MAC_CONFIG_CHANGE: - category: - - configuration - type: - - change - MAC_POLICY_LOAD: - category: - - configuration - type: - - access - MAC_STATUS: - category: - - configuration - type: - - change - NETFILTER_CFG: - category: - - configuration - type: - - change - SOFTWARE_UPDATE: - category: - - package - type: - - info - USER_AUTH: - category: - - authentication - type: - - info - USER_MAC_CONFIG_CHANGE: - category: - - configuration - type: - - change - USER_MAC_POLICY_LOAD: - category: - - configuration - type: - - acces - USYS_CONFIG: - category: - - configuration - type: - - change + syscalls: + '*': + - event: + category: + - process + type: + - info + accept: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + accept4: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + access: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + adjtimex: + - event: + action: + - changed-system-time + category: + - host + type: + - change + bind: + - event: + action: + - bound-socket + category: + - network + type: + - start + brk: + - event: + action: + - allocated-memory + category: + - process + type: + - info + chmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + chown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + clock_settime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + connect: + - event: + action: + - connected-to + category: + - network + type: + - connection + - start + creat: + - event: + action: + - opened-file + category: + - file + type: + - creation + delete_module: + - event: + action: + - unloaded-kernel-module + category: + - driver + type: + - end + execve: + - event: + action: + - executed + category: + - process + type: + - start + execveat: + - event: + action: + - executed + category: + - process + type: + - start + faccessat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fallocate: + - event: + action: + - opened-file + category: + - file + type: + - change + fchmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchmodat: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fchownat: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + finit_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + fremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + ftruncate: + - event: + action: + - opened-file + category: + - file + type: + - change + futimens: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + futimesat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + getxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + init_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + kill: + - event: + action: + - killed-pid + category: + - process + type: + - end + lchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + lgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + listen: + - event: + action: + - listen-for-connections + category: + - network + type: + - start + lremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + mkdir: + - event: + action: + - created-directory + category: + - file + type: + - creation + mkdirat: + - event: + action: + - created-directory + category: + - file + type: + - creation + mknod: + - event: + action: + - make-device + category: + - file + type: + - creation + mknodat: + - event: + action: + - make-device + category: + - file + type: + - creation + mmap: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mmap2: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mount: + - event: + action: + - mounted + category: + - file + type: + - creation + newfstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + open: + - event: + action: + - opened-file + category: + - file + type: + - info + openat: + - event: + action: + - opened-file + category: + - file + type: + - info + read: + - event: + action: + - read-file + category: + - file + type: + - info + readlink: + - event: + action: + - opened-file + category: + - file + type: + - info + readlinkat: + - event: + action: + - opened-file + category: + - file + type: + - info + recv: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvfrom: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + removexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + rename: + - event: + action: + - renamed + category: + - file + type: + - change + renameat: + - event: + action: + - renamed + category: + - file + type: + - change + renameat2: + - event: + action: + - renamed + category: + - file + type: + - change + rmdir: + - event: + action: + - deleted + category: + - file + type: + - deletion + sched_setattr: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setparam: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setscheduler: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + send: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendto: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + setdomainname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setegid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + seteuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setfsgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setfsuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + sethostname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setregid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setreuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + settimeofday: + - event: + action: + - changed-system-time + category: + - host + type: + - change + setuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + stat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + stat64: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + statfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + stime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + symlink: + - event: + action: + - symlinked + category: + - file + type: + - creation + symlinkat: + - event: + action: + - symlinked + category: + - file + type: + - creation + tgkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + tkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + truncate: + - event: + action: + - opened-file + category: + - file + type: + - change + umount: + - event: + action: + - unmounted + category: + - file + type: + - deletion + umount2: + - event: + action: + - unmounted + category: + - file + type: + - deletion + unlink: + - event: + action: + - deleted + category: + - file + type: + - deletion + unlinkat: + - event: + action: + - deleted + category: + - file + type: + - deletion + utime: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimensat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimes: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + write: + - event: + action: + - wrote-to-file + category: + - file + type: + - change + types: + ACCT_LOCK: + - event: + action: + - locked-account + category: + - iam + type: + - user + - info + ACCT_UNLOCK: + - event: + action: + - unlocked-account + category: + - iam + type: + - user + - info + ADD_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - added-group-account-to + category: + - iam + type: + - group + - creation + ADD_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - added-user-account + category: + - iam + type: + - user + - creation + ANOM_ABEND: + - event: + action: + - crashed-program + category: + - process + type: + - end + ANOM_EXEC: + - event: + action: + - attempted-execution-of-forbidden-program + category: + - process + type: + - start + ANOM_LINK: + - event: + action: + - used-suspicious-link + ANOM_LOGIN_FAILURES: + - event: + action: + - failed-log-in-too-many-times-to + ANOM_LOGIN_LOCATION: + - event: + action: + - attempted-log-in-from-unusual-place-to + ANOM_LOGIN_SESSIONS: + - event: + action: + - opened-too-many-sessions-to + ANOM_LOGIN_TIME: + - event: + action: + - attempted-log-in-during-unusual-hour-to + ANOM_PROMISCUOUS: + - event: + action: + - changed-promiscuous-mode-on-device + ANOM_RBAC_INTEGRITY_FAIL: + - event: + action: + - tested-file-system-integrity-of + AVC: + - event: + action: + - violated-selinux-policy + has_fields: + - seresult + - event: + action: + - violated-apparmor-policy + has_fields: + - apparmor + CHGRP_ID: + - event: + action: + - changed-group + category: + - process + type: + - change + CHUSER_ID: + - event: + action: + - changed-user-id + category: + - process + type: + - change + CONFIG_CHANGE: + - event: + action: + - changed-audit-configuration + category: + - process + - configuration + type: + - change + CRED_ACQ: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - acquired-credentials + category: + - authentication + type: + - info + CRED_DISP: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - disposed-credentials + category: + - authentication + type: + - info + CRED_REFR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - refreshed-credentials + category: + - authentication + type: + - info + CRYPTO_KEY_USER: + - event: + action: + - negotiated-crypto-key + category: + - process + type: + - info + CRYPTO_LOGIN: + - event: + action: + - crypto-officer-logged-in + CRYPTO_LOGOUT: + - event: + action: + - crypto-officer-logged-out + category: + - process + type: + - info + CRYPTO_SESSION: + - event: + action: + - started-crypto-session + category: + - process + type: + - info + DAC_CHECK: + - event: + action: + - access-result + DAEMON_ABORT: + - event: + action: + - aborted-auditd-startup + category: + - process + type: + - stop + DAEMON_ACCEPT: + - event: + action: + - remote-audit-connected + category: + - network + type: + - connection + - start + DAEMON_CLOSE: + - event: + action: + - remote-audit-disconnected + category: + - network + type: + - connection + - start + DAEMON_CONFIG: + - event: + action: + - changed-auditd-configuration + category: + - process + - configuration + type: + - change + DAEMON_END: + - event: + action: + - shutdown-audit + category: + - process + type: + - stop + DAEMON_ERR: + - event: + action: + - audit-error + category: + - process + type: + - info + DAEMON_RECONFIG: + - event: + action: + - reconfigured-auditd + category: + - process + - configuration + type: + - info + DAEMON_RESUME: + - event: + action: + - resumed-audit-logging + category: + - process + type: + - change + DAEMON_ROTATE: + - event: + action: + - rotated-audit-logs + category: + - process + type: + - change + DAEMON_START: + - event: + action: + - started-audit + category: + - process + type: + - start + DEL_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - deleted-group-account-from + category: + - iam + type: + - group + - deletion + DEL_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - deleted-user-account + category: + - iam + type: + - user + - deletion + FEATURE_CHANGE: + - event: + action: + - changed-audit-feature + category: + - configuration + type: + - change + FS_RELABEL: + - event: + action: + - relabeled-filesystem + GRP_AUTH: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + event: + action: + - authenticated-to-group + category: + - authentication + type: + - info + GRP_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: group + event: + action: + - changed-group-password + category: + - iam + type: + - group + - change + GRP_MGMT: + - copy: + - from: + - auid + to: user + - from: + - uid + to: group + - from: + - uid + to: user.effective + event: + action: + - modified-group-account + category: + - iam + type: + - group + - change + KERNEL: + - event: + action: + - initialized-audit-subsystem + category: + - process + type: + - info + KERN_MODULE: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + LABEL_LEVEL_CHANGE: + - event: + action: + - modified-level-of + LABEL_OVERRIDE: + - event: + action: + - overrode-label-of + LOGIN: + - copy: + - from: + - old_auid + - old-auid + to: user + - from: + - new-auid + - new_auid + - auid + to: user.effective + event: + action: + - changed-login-id-to + category: + - authentication + type: + - start + MAC_CHECK: + - event: + action: + - mac-permission + MAC_CONFIG_CHANGE: + - event: + action: + - changed-selinux-boolean + category: + - configuration + type: + - change + MAC_POLICY_LOAD: + - event: + action: + - loaded-selinux-policy + category: + - configuration + type: + - access + MAC_STATUS: + - event: + action: + - changed-selinux-enforcement + category: + - configuration + type: + - change + NETFILTER_CFG: + - event: + action: + - loaded-firewall-rule-to + category: + - configuration + type: + - change + ROLE_ASSIGN: + - event: + action: + - assigned-user-role-to + category: + - iam + type: + - user + - change + ROLE_MODIFY: + - event: + action: + - modified-role + category: + - iam + type: + - change + ROLE_REMOVE: + - event: + action: + - removed-user-role-from + category: + - iam + type: + - user + - change + SECCOMP: + - event: + action: + - violated-seccomp-policy + SELINUX_ERR: + - event: + action: + - caused-mac-policy-error + SERVICE_START: + - event: + action: + - started-service + category: + - process + type: + - start + SERVICE_STOP: + - event: + action: + - stopped-service + category: + - process + type: + - stop + SOFTWARE_UPDATE: + - event: + action: + - package-updated + category: + - package + type: + - info + SYSTEM_BOOT: + - event: + action: + - booted-system + category: + - host + type: + - start + SYSTEM_RUNLEVEL: + - event: + action: + - changed-to-runlevel + category: + - host + type: + - change + SYSTEM_SHUTDOWN: + - event: + action: + - shutdown-system + category: + - host + type: + - end + TEST: + - event: + action: + - sent-test + category: + - process + type: + - info + TRUSTED_APP: + - event: + action: + - unknown + category: + - process + type: + - info + TTY: + - event: + action: + - typed + USER: + - event: + action: + - sent-message + USER_ACCT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - was-authorized + category: + - authentication + type: + - info + USER_AUTH: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - authenticated + category: + - authentication + type: + - info + USER_AVC: + - event: + action: + - access-permission + USER_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: user.target + event: + action: + - changed-password + category: + - iam + type: + - user + - change + USER_CMD: + - event: + action: + - ran-command + category: + - process + type: + - start + USER_END: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - ended-session + category: + - session + type: + - end + USER_ERR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - error + category: + - authentication + type: + - info + USER_LOGIN: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-in + category: + - authentication + type: + - start + USER_LOGOUT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-out + category: + - authentication + type: + - end + USER_MAC_CONFIG_CHANGE: + - event: + action: + - changed-mac-configuration + category: + - configuration + type: + - change + USER_MAC_POLICY_LOAD: + - event: + action: + - loaded-mac-policy + category: + - configuration + type: + - access + USER_MGMT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.target + - from: + - uid + to: user.effective + event: + action: + - modified-user-account + category: + - iam + type: + - user + - change + USER_ROLE_CHANGE: + - event: + action: + - changed-role-to + USER_SELINUX_ERR: + - event: + action: + - access-error + USER_START: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - started-session + category: + - session + type: + - start + USER_TTY: + - event: + action: + - typed + USYS_CONFIG: + - event: + action: + - changed-configuration + category: + - configuration + type: + - change + VIRT_CONTROL: + - event: + action: + - issued-vm-control + category: + - host + type: + - info + VIRT_CREATE: + - event: + action: + - created-vm-image + category: + - host + type: + - info + VIRT_DESTROY: + - event: + action: + - deleted-vm-image + category: + - host + type: + - info + VIRT_INTEGRITY_CHECK: + - event: + action: + - checked-integrity-of + category: + - host + type: + - info + VIRT_MACHINE_ID: + - event: + action: + - assigned-vm-id + category: + - host + type: + - info + VIRT_MIGRATE_IN: + - event: + action: + - migrated-vm-from + category: + - host + type: + - info + VIRT_MIGRATE_OUT: + - event: + action: + - migrated-vm-to + category: + - host + type: + - info + VIRT_RESOURCE: + - event: + action: + - assigned-vm-resource + category: + - host + type: + - info + # END OF AUTOGENERATED source: >- - if (ctx?.auditd?.log.record_type == null) { + boolean hasFields(HashMap base, def list) { + if (list == null) return true; + for (int i=0; i ctx.event[k] = v); + HashMap base = ctx.auditd.log; + def acts = params.types.get(base.record_type); + if (acts == null && base.syscall != null) { + acts = params.syscalls.get(base?.syscall); + if (acts == null) acts = params.syscalls.get('*'); + } + if (acts == null) return; + def act = null; + for (int i=0; act == null && i ctx.event[k] = v); + } + if (act?.copy != null) { + List lst = new ArrayList(); + for(int i=0; i 0) { + ctx.auditd.log["copy"] = lst; + } + } +- foreach: + field: auditd.log.copy + ignore_missing: true + processor: + set: + field: "{{_ingest._value.target}}" + value: "{{_ingest._value.value}}" - set: if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" field: event.category @@ -499,6 +2151,14 @@ processors: field: source.as.organization_name target_field: source.as.organization.name ignore_missing: true +- remove: + field: + - auditd.log.kv + - auditd.log.sub_kv + - auditd.log.epoch + - auditd.log.copy + ignore_failure: true + ignore_missing: true on_failure: - set: field: error.message diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json index c9d2b77a6e4..8debfbba37f 100644 --- a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json @@ -5,15 +5,25 @@ "auditd.log.kernel": "3.10.0-1062.9.1.el7.x86_64", "auditd.log.node": "localhost.localdomain", "auditd.log.op": "start", + "auditd.log.record_type": "DAEMON_START", "auditd.log.sequence": 4686, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:auditd_t:s0", "auditd.log.ver": "2.8.5", - "event.action": "daemon_start", + "event.action": [ + "started-audit" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=DAEMON_START msg=audit(1594053514.588:4686): op=start ver=2.8.5 format=raw kernel=3.10.0-1062.9.1.el7.x86_64 auid=4294967295 pid=1643 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 0, @@ -27,16 +37,21 @@ "auditd.log.audit_backlog_limit": "8192", "auditd.log.node": "localhost.localdomain", "auditd.log.old": "64", + "auditd.log.record_type": "CONFIG_CHANGE", "auditd.log.sequence": 4, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", - "event.action": "config_change", + "event.action": [ + "changed-audit-configuration" + ], "event.category": [ + "process", "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:4): audit_backlog_limit=8192 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1", "event.outcome": "1", "event.type": [ "change" @@ -52,16 +67,21 @@ "auditd.log.audit_failure": "1", "auditd.log.node": "localhost.localdomain", "auditd.log.old": "1", + "auditd.log.record_type": "CONFIG_CHANGE", "auditd.log.sequence": 5, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", - "event.action": "config_change", + "event.action": [ + "changed-audit-configuration" + ], "event.category": [ + "process", "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:5): audit_failure=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1", "event.outcome": "1", "event.type": [ "change" @@ -75,15 +95,25 @@ { "@timestamp": "2020-07-06T16:38:34.709Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 6, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "auditd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.709:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 606, @@ -97,14 +127,18 @@ { "@timestamp": "2020-07-06T16:38:34.725Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 7, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", - "event.action": "system_boot", + "event.action": [ + "booted-system" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SYSTEM_BOOT msg=audit(1594053514.725:7): pid=1667 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "info", "fileset.name": "log", @@ -120,15 +154,25 @@ { "@timestamp": "2020-07-06T16:38:34.739Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 8, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-update-utmp", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.739:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1132, @@ -142,15 +186,25 @@ { "@timestamp": "2020-07-06T16:38:34.807Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 9, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "rngd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.807:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1401, @@ -164,15 +218,25 @@ { "@timestamp": "2020-07-06T16:38:34.843Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 10, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "irqbalance", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.843:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1655, @@ -186,15 +250,25 @@ { "@timestamp": "2020-07-06T16:38:34.850Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 11, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "abrtd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.850:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrtd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1916, @@ -208,15 +282,25 @@ { "@timestamp": "2020-07-06T16:38:34.857Z", "auditd.log.node": "localhost.localdomain", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 12, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "abrt-xorg", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.857:12): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrt-xorg comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2172, diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index d3c3a6561ab..215c0bf11f9 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json @@ -2,13 +2,24 @@ { "@timestamp": "2017-03-14T19:20:30.178Z", "auditd.log.op": "PAM:session_close", + "auditd.log.record_type": "USER_END", "auditd.log.sequence": 19600327, "auditd.log.ses": "11988", - "event.action": "user_end", + "auditd.log.uid": "0", + "event.action": [ + "ended-session" + ], + "event.category": [ + "session" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_END msg=audit(1489519230.178:19600327): user pid=4121 uid=0 auid=700 ses=11988 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "end" + ], "fileset.name": "log", "input.type": "log", "log.offset": 0, @@ -16,19 +27,31 @@ "process.pid": 4121, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root" }, { "@timestamp": "2017-03-14T19:20:30.178Z", "auditd.log.op": "PAM:setcred", + "auditd.log.record_type": "CRED_DISP", "auditd.log.sequence": 19600328, "auditd.log.ses": "11988", - "event.action": "cred_disp", + "auditd.log.uid": "0", + "event.action": [ + "disposed-credentials" + ], + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=CRED_DISP msg=audit(1489519230.178:19600328): user pid=4121 uid=0 auid=700 ses=11988 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 189, @@ -36,18 +59,29 @@ "process.pid": 4121, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root" }, { "@timestamp": "2017-03-14T19:20:56.192Z", + "auditd.log.record_type": "USER_CMD", "auditd.log.sequence": 19600329, "auditd.log.ses": "11988", - "event.action": "user_cmd", + "event.action": [ + "ran-command" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_CMD msg=audit(1489519256.192:19600329): user pid=4151 uid=497 auid=700 ses=11988 msg='cwd=\"/\" cmd=2F7573722F6C696236342F6E6167696F732F706C7567696E732F636865636B5F617374657269736B5F7369705F7065657273202D7020323032 terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 373, @@ -66,13 +100,24 @@ { "@timestamp": "2017-03-14T19:20:56.193Z", "auditd.log.op": "PAM:setcred", + "auditd.log.record_type": "CRED_ACQ", "auditd.log.sequence": 19600330, "auditd.log.ses": "11988", - "event.action": "cred_acq", + "auditd.log.uid": "0", + "event.action": [ + "acquired-credentials" + ], + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=CRED_ACQ msg=audit(1489519256.193:19600330): user pid=4151 uid=0 auid=700 ses=11988 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 620, @@ -80,19 +125,31 @@ "process.pid": 4151, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root" }, { "@timestamp": "2017-03-14T19:20:56.193Z", "auditd.log.op": "PAM:session_open", + "auditd.log.record_type": "USER_START", "auditd.log.sequence": 19600331, "auditd.log.ses": "11988", - "event.action": "user_start", + "auditd.log.uid": "0", + "event.action": [ + "started-session" + ], + "event.category": [ + "session" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_START msg=audit(1489519256.193:19600331): user pid=4151 uid=0 auid=700 ses=11988 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 803, @@ -100,7 +157,8 @@ "process.pid": 4151, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root" }, { @@ -115,6 +173,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=MAC_IPSEC_EVENT msg=audit(1489519382.529:19600354): op=SPD-add auid=4294967295 ses=4294967295 res=1 src=10.100.0.0 src_prefixlen=16 dst=10.100.4.0 dst_prefixlen=22", "event.outcome": "1", "fileset.name": "log", "input.type": "log", @@ -137,9 +196,16 @@ "auditd.log.syscall": "44", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1489519382.529:19600354): arch=c000003e syscall=44 success=yes exit=184 a0=9 a1=7f564ee6d2a0 a2=b8 a3=0 items=0 ppid=1240 pid=1275 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"charon\" exe=2F7573722F6C6962657865632F7374726F6E677377616E2F636861726F6E202864656C6574656429 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -167,17 +233,29 @@ "auditd.log.new_ses": "12286", "auditd.log.old_auid": "700", "auditd.log.old_ses": "6793", + "auditd.log.record_type": "LOGIN", "auditd.log.sequence": 19623791, - "event.action": "login", + "auditd.log.uid": "0", + "event.action": [ + "changed-login-id-to" + ], + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=LOGIN msg=audit(1489636960.072:19623791): pid=28281 uid=0 old auid=700 new auid=700 old ses=6793 new ses=12286", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1524, "process.pid": 28281, "service.type": "auditd", - "user.id": "0" + "user.effective.id": "700", + "user.id": "700" }, { "@timestamp": "2017-03-16T04:02:40.070Z", @@ -186,15 +264,25 @@ "auditd.log.laddr": "107.170.139.210", "auditd.log.lport": 50022, "auditd.log.op": "destroy", + "auditd.log.record_type": "CRYPTO_KEY_USER", "auditd.log.rport": 58994, "auditd.log.sequence": 19623788, "auditd.log.ses": "6793", "auditd.log.spid": "28282", - "event.action": "crypto_key_user", + "event.action": [ + "negotiated-crypto-key" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=CRYPTO_KEY_USER msg=audit(1489636960.070:19623788): user pid=28281 uid=0 auid=700 ses=6793 msg='op=destroy kind=session fp=? direction=both spid=28282 suid=74 rport=58994 laddr=107.170.139.210 lport=50022 exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1640, @@ -220,15 +308,20 @@ { "@timestamp": "2017-03-16T04:02:40.072Z", "auditd.log.op": "success", + "auditd.log.record_type": "USER_AUTH", "auditd.log.sequence": 19623789, "auditd.log.ses": "6793", - "event.action": "user_auth", + "auditd.log.uid": "0", + "event.action": [ + "authenticated" + ], "event.category": [ "authentication" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_AUTH msg=audit(1489636960.072:19623789): user pid=28281 uid=0 auid=700 ses=6793 msg='op=success acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=ssh res=success'", "event.outcome": "success", "event.type": [ "info" @@ -252,22 +345,28 @@ "source.geo.region_name": "Virginia", "source.ip": "96.241.146.97", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "admin", + "user.id": "700", "user.name": "admin", "user.terminal": "ssh" }, { "@timestamp": "2017-03-16T04:02:57.804Z", "auditd.log.op": "PAM:authentication", + "auditd.log.record_type": "USER_AUTH", "auditd.log.sequence": 19623807, "auditd.log.ses": "12286", - "event.action": "user_auth", + "auditd.log.uid": "0", + "event.action": [ + "authenticated" + ], "event.category": [ "authentication" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_AUTH msg=audit(1489636977.804:19623807): user pid=28395 uid=0 auid=700 ses=12286 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=pts/0 res=success'", "event.outcome": "success", "event.type": [ "info" @@ -279,20 +378,32 @@ "process.pid": 28395, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root", "user.terminal": "pts/0" }, { "@timestamp": "2017-03-16T04:02:57.805Z", "auditd.log.op": "PAM:accounting", + "auditd.log.record_type": "USER_ACCT", "auditd.log.sequence": 19623808, "auditd.log.ses": "12286", - "event.action": "user_acct", + "auditd.log.uid": "0", + "event.action": [ + "was-authorized" + ], + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_ACCT msg=audit(1489636977.805:19623808): user pid=28395 uid=0 auid=700 ses=12286 msg='op=PAM:accounting acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=pts/0 res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2312, @@ -300,7 +411,8 @@ "process.pid": 28395, "service.type": "auditd", "user.audit.id": "700", - "user.id": "0", + "user.effective.name": "root", + "user.id": "700", "user.name": "root", "user.terminal": "pts/0" } diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index 4d14263e10f..bd48d147b0c 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json @@ -3,14 +3,24 @@ "@timestamp": "2016-12-07T02:16:23.819Z", "auditd.log.format": "raw", "auditd.log.kernel": "3.10.0-327.36.3.el7.x86_64", + "auditd.log.record_type": "DAEMON_START", "auditd.log.sequence": 7798, "auditd.log.subj": "system_u:system_r:auditd_t:s0", "auditd.log.ver": "2.4.1", - "event.action": "daemon_start", + "event.action": [ + "started-audit" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=DAEMON_START msg=audit(1481076983.819:7798): auditd start, ver=2.4.1 format=raw kernel=3.10.0-327.36.3.el7.x86_64 auid=4294967295 pid=251 subj=system_u:system_r:auditd_t:s0 res=success", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 0, @@ -20,15 +30,25 @@ }, { "@timestamp": "2016-12-07T02:16:23.864Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 6, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "auditd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076983.864:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 190, @@ -41,14 +61,18 @@ }, { "@timestamp": "2016-12-07T02:16:23.876Z", + "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 7, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", - "event.action": "system_boot", + "event.action": [ + "booted-system" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSTEM_BOOT msg=audit(1481076983.876:7): pid=273 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "info", "fileset.name": "log", @@ -63,15 +87,25 @@ }, { "@timestamp": "2016-12-07T02:16:23.879Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 8, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-update-utmp", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076983.879:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 661, @@ -84,15 +118,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.075Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 9, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-hwdb-update", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.075:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hwdb-update comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 903, @@ -105,15 +149,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.088Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 10, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-update-done", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.088:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-done comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1145, @@ -126,15 +180,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.163Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 11, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-udev-trigger", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.163:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1388, @@ -147,15 +211,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.212Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 12, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "irqbalance", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.212:12): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1632, @@ -168,15 +242,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.521Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 13, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "avahi-daemon", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.521:13): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=avahi-daemon comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1866, @@ -189,15 +273,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.521Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 14, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "dbus", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.521:14): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2102, @@ -210,15 +304,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.526Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 15, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "rsyslog", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.526:15): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rsyslog comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2330, @@ -231,15 +335,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.534Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 16, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "irqbalance", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076984.534:16): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2561, @@ -254,15 +368,19 @@ "@timestamp": "2016-12-07T02:16:24.827Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 17, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.827:17): table=filter family=2 entries=0", "event.type": [ "change" ], @@ -285,9 +403,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.827:17): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=390 pid=391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -312,15 +437,19 @@ "@timestamp": "2016-12-07T02:16:24.858Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 18, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.858:18): table=raw family=2 entries=0", "event.type": [ "change" ], @@ -343,9 +472,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.858:18): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=395 pid=396 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -370,15 +506,19 @@ "@timestamp": "2016-12-07T02:16:24.870Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 19, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.870:19): table=security family=2 entries=0", "event.type": [ "change" ], @@ -401,9 +541,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.870:19): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=398 pid=399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -428,15 +575,19 @@ "@timestamp": "2016-12-07T02:16:24.877Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 20, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.877:20): table=mangle family=2 entries=0", "event.type": [ "change" ], @@ -459,9 +610,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.877:20): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=401 pid=402 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -486,15 +644,19 @@ "@timestamp": "2016-12-07T02:16:24.931Z", "auditd.log.entries": 0, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 21, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.931:21): table=nat family=2 entries=0", "event.type": [ "change" ], @@ -517,9 +679,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.931:21): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=41a15c a2=0 a3=3 items=0 ppid=406 pid=407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -542,15 +711,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.939Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 22, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "yum-cron", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.939:22): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=yum-cron comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 4785, @@ -563,15 +742,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.945Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 23, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "rhel-dmesg", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.945:23): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rhel-dmesg comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5017, @@ -584,15 +773,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.953Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 24, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "acpid", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.953:24): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=acpid comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5251, @@ -605,15 +804,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.954Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 25, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-user-sessions", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.954:25): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-user-sessions comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5480, @@ -626,15 +835,25 @@ }, { "@timestamp": "2016-12-07T02:16:24.960Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 26, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "ntpd", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076984.960:26): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ntpd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5725, @@ -649,15 +868,19 @@ "@timestamp": "2016-12-07T02:16:24.982Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 27, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076984.982:27): table=filter family=10 entries=0", "event.type": [ "change" ], @@ -680,9 +903,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076984.982:27): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=422 pid=423 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -705,15 +935,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.012Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 28, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "systemd-logind", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.012:28): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-logind comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 6353, @@ -726,15 +966,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.031Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 29, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "crond", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.031:29): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=crond comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 6591, @@ -747,15 +997,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.043Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 30, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "expand-root", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.043:30): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=expand-root comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 6820, @@ -768,15 +1028,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.044Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 31, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "expand-root", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076985.044:31): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=expand-root comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 7055, @@ -791,15 +1061,19 @@ "@timestamp": "2016-12-07T02:16:25.069Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 32, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.069:32): table=raw family=10 entries=0", "event.type": [ "change" ], @@ -822,9 +1096,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.069:32): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=439 pid=440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -847,15 +1128,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.104Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 33, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "sshd-keygen", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.104:33): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd-keygen comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 7686, @@ -870,15 +1161,19 @@ "@timestamp": "2016-12-07T02:16:25.099Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 34, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.099:34): table=security family=10 entries=0", "event.type": [ "change" ], @@ -901,9 +1196,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.099:34): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=445 pid=446 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -928,15 +1230,19 @@ "@timestamp": "2016-12-07T02:16:25.128Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 35, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.128:35): table=mangle family=10 entries=0", "event.type": [ "change" ], @@ -959,9 +1265,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.128:35): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=41a15c a2=0 a3=0 items=0 ppid=449 pid=450 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -984,15 +1297,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.164Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 36, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-quit", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.164:36): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-quit comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 8723, @@ -1005,15 +1328,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.166Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 37, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-quit", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076985.166:37): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-quit comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 8960, @@ -1026,15 +1359,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.167Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 38, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-start", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.167:38): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-start comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 9196, @@ -1047,15 +1390,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.168Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 39, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-start", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076985.168:39): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-start comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 9434, @@ -1068,15 +1421,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.170Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 40, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-quit-wait", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.170:40): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-quit-wait comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 9671, @@ -1089,15 +1452,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.170Z", + "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 41, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "plymouth-quit-wait", - "event.action": "service_stop", + "event.action": [ + "stopped-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_STOP msg=audit(1481076985.170:41): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=plymouth-quit-wait comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "stop" + ], "fileset.name": "log", "input.type": "log", "log.offset": 9913, @@ -1110,15 +1483,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.180Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 42, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "serial-getty@ttyS0", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.180:42): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=serial-getty@ttyS0 comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 10154, @@ -1131,15 +1514,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.187Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 43, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "getty@tty1", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.187:43): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty1 comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 10396, @@ -1154,15 +1547,19 @@ "@timestamp": "2016-12-07T02:16:25.191Z", "auditd.log.entries": 0, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 44, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.191:44): table=nat family=10 entries=0", "event.type": [ "change" ], @@ -1185,9 +1582,16 @@ "auditd.log.syscall": "313", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.191:44): arch=c000003e syscall=313 success=yes exit=0 a0=1 a1=41a15c a2=0 a3=1 items=0 ppid=452 pid=453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1210,15 +1614,25 @@ }, { "@timestamp": "2016-12-07T02:16:25.511Z", + "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 45, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "auditd.log.unit": "firewalld", - "event.action": "service_start", + "event.action": [ + "started-service" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SERVICE_START msg=audit(1481076985.511:45): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=firewalld comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 11027, @@ -1233,15 +1647,19 @@ "@timestamp": "2016-12-07T02:16:25.528Z", "auditd.log.entries": 5, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 46, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.528:46): table=nat family=2 entries=5", "event.type": [ "change" ], @@ -1264,9 +1682,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.528:46): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=25be720 items=0 ppid=296 pid=476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1291,15 +1716,19 @@ "@timestamp": "2016-12-07T02:16:25.532Z", "auditd.log.entries": 5, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 47, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.532:47): table=nat family=2 entries=5", "event.type": [ "change" ], @@ -1322,9 +1751,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.532:47): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1819720 items=0 ppid=296 pid=478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1349,15 +1785,19 @@ "@timestamp": "2016-12-07T02:16:25.534Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 48, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.534:48): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -1380,9 +1820,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.534:48): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=13d0850 items=0 ppid=296 pid=479 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1407,15 +1854,19 @@ "@timestamp": "2016-12-07T02:16:25.537Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 49, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.537:49): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -1438,9 +1889,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.537:49): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1125850 items=0 ppid=296 pid=481 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1465,15 +1923,19 @@ "@timestamp": "2016-12-07T02:16:25.538Z", "auditd.log.entries": 4, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 50, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.538:50): table=security family=2 entries=4", "event.type": [ "change" ], @@ -1496,9 +1958,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.538:50): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=20a3600 items=0 ppid=296 pid=482 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1523,15 +1992,19 @@ "@timestamp": "2016-12-07T02:16:25.542Z", "auditd.log.entries": 4, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 51, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.542:51): table=security family=2 entries=4", "event.type": [ "change" ], @@ -1554,9 +2027,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.542:51): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=9f0600 items=0 ppid=296 pid=484 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1581,15 +2061,19 @@ "@timestamp": "2016-12-07T02:16:25.543Z", "auditd.log.entries": 3, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 52, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.543:52): table=raw family=2 entries=3", "event.type": [ "change" ], @@ -1612,9 +2096,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.543:52): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=232e4d0 items=0 ppid=296 pid=485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1639,15 +2130,19 @@ "@timestamp": "2016-12-07T02:16:25.546Z", "auditd.log.entries": 3, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 53, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.546:53): table=raw family=2 entries=3", "event.type": [ "change" ], @@ -1670,9 +2165,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.546:53): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=14404d0 items=0 ppid=296 pid=487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1697,15 +2199,19 @@ "@timestamp": "2016-12-07T02:16:25.548Z", "auditd.log.entries": 4, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 54, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.548:54): table=filter family=2 entries=4", "event.type": [ "change" ], @@ -1728,9 +2234,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.548:54): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=c31600 items=0 ppid=296 pid=488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1755,15 +2268,19 @@ "@timestamp": "2016-12-07T02:16:25.552Z", "auditd.log.entries": 4, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 55, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.552:55): table=filter family=2 entries=4", "event.type": [ "change" ], @@ -1786,9 +2303,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.552:55): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=143a600 items=0 ppid=296 pid=490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1813,15 +2337,19 @@ "@timestamp": "2016-12-07T02:16:25.553Z", "auditd.log.entries": 5, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 56, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.553:56): table=nat family=10 entries=5", "event.type": [ "change" ], @@ -1844,9 +2372,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.553:56): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=109b880 items=0 ppid=296 pid=491 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1871,15 +2406,19 @@ "@timestamp": "2016-12-07T02:16:25.556Z", "auditd.log.entries": 5, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 57, "auditd.log.table": "nat", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.556:57): table=nat family=10 entries=5", "event.type": [ "change" ], @@ -1902,9 +2441,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.556:57): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=b53880 items=0 ppid=296 pid=493 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1929,15 +2475,19 @@ "@timestamp": "2016-12-07T02:16:25.557Z", "auditd.log.entries": 6, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 58, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.557:58): table=mangle family=10 entries=6", "event.type": [ "change" ], @@ -1960,9 +2510,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.557:58): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=17b09e0 items=0 ppid=296 pid=494 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -1987,15 +2544,19 @@ "@timestamp": "2016-12-07T02:16:25.560Z", "auditd.log.entries": 6, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 59, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.560:59): table=mangle family=10 entries=6", "event.type": [ "change" ], @@ -2018,9 +2579,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.560:59): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=25cc9e0 items=0 ppid=296 pid=496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2045,15 +2613,19 @@ "@timestamp": "2016-12-07T02:16:25.562Z", "auditd.log.entries": 4, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 60, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.562:60): table=security family=10 entries=4", "event.type": [ "change" ], @@ -2076,9 +2648,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.562:60): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=14db720 items=0 ppid=296 pid=497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2103,15 +2682,19 @@ "@timestamp": "2016-12-07T02:16:25.566Z", "auditd.log.entries": 4, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 61, "auditd.log.table": "security", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.566:61): table=security family=10 entries=4", "event.type": [ "change" ], @@ -2134,9 +2717,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.566:61): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=9d2720 items=0 ppid=296 pid=499 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2161,15 +2751,19 @@ "@timestamp": "2016-12-07T02:16:25.569Z", "auditd.log.entries": 3, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 62, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.569:62): table=raw family=10 entries=3", "event.type": [ "change" ], @@ -2192,9 +2786,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.569:62): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=fae5c0 items=0 ppid=296 pid=500 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2219,15 +2820,19 @@ "@timestamp": "2016-12-07T02:16:25.573Z", "auditd.log.entries": 3, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 63, "auditd.log.table": "raw", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.573:63): table=raw family=10 entries=3", "event.type": [ "change" ], @@ -2250,9 +2855,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.573:63): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=19545c0 items=0 ppid=296 pid=502 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2277,15 +2889,19 @@ "@timestamp": "2016-12-07T02:16:25.575Z", "auditd.log.entries": 4, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 64, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.575:64): table=filter family=10 entries=4", "event.type": [ "change" ], @@ -2308,9 +2924,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.575:64): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=23a3720 items=0 ppid=296 pid=503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2335,15 +2958,19 @@ "@timestamp": "2016-12-07T02:16:25.578Z", "auditd.log.entries": 4, "auditd.log.family": "10", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 65, "auditd.log.table": "filter", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.578:65): table=filter family=10 entries=4", "event.type": [ "change" ], @@ -2366,9 +2993,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.578:65): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=162d720 items=0 ppid=296 pid=505 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ip6tables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2393,15 +3027,19 @@ "@timestamp": "2016-12-07T02:16:25.580Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 66, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.580:66): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -2424,9 +3062,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.580:66): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=14b0850 items=0 ppid=296 pid=506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2451,15 +3096,19 @@ "@timestamp": "2016-12-07T02:16:25.582Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 67, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.582:67): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -2482,9 +3131,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.582:67): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=2398850 items=0 ppid=296 pid=507 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2509,15 +3165,19 @@ "@timestamp": "2016-12-07T02:16:25.583Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 68, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.583:68): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -2540,9 +3200,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.583:68): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=2679850 items=0 ppid=296 pid=508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2567,15 +3234,19 @@ "@timestamp": "2016-12-07T02:16:25.585Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 69, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.585:69): table=mangle family=2 entries=6", "event.type": [ "change" ], @@ -2598,9 +3269,16 @@ "auditd.log.syscall": "54", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1481076985.585:69): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1715850 items=0 ppid=296 pid=509 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-multi\" subj=system_u:system_r:iptables_t:s0 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -2625,15 +3303,19 @@ "@timestamp": "2016-12-07T02:16:25.587Z", "auditd.log.entries": 6, "auditd.log.family": "2", + "auditd.log.record_type": "NETFILTER_CFG", "auditd.log.sequence": 70, "auditd.log.table": "mangle", - "event.action": "netfilter_cfg", + "event.action": [ + "loaded-firewall-rule-to" + ], "event.category": [ "configuration" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=NETFILTER_CFG msg=audit(1481076985.587:70): table=mangle family=2 entries=6", "event.type": [ "change" ], diff --git a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json index 3fb44f8934a..c888d8d3c73 100644 --- a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json @@ -13,9 +13,16 @@ "auditd.log.syscall": "43", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1492752520.441:8832): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd0dc80040 a2=7ffd0dc7ffd0 a3=0 items=0 ppid=1 pid=1663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=\"key=net\"", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -45,6 +52,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SOCKADDR msg=audit(1492752520.441:8832): saddr=0200E31C4853E6640000000000000000", "fileset.name": "log", "input.type": "log", "log.offset": 300, @@ -58,6 +66,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=PROCTITLE msg=audit(1492752520.441:8832): proctitle=\"(sshd)\"", "fileset.name": "log", "input.type": "log", "log.offset": 385, @@ -77,9 +86,16 @@ "auditd.log.syscall": "42", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1492753107.096:9004): arch=c000003e syscall=42 success=no exit=-115 a0=5 a1=7ffc12ac3ab0 a2=10 a3=4 items=0 ppid=1 pid=1648 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"google_ip_forwa\" exe=\"/usr/bin/python3.5\" key=\"key=net\"", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -109,6 +125,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SOCKADDR msg=audit(1492753107.096:9004): saddr=02000050A9FEA9FE0000000000000000", "fileset.name": "log", "input.type": "log", "log.offset": 758, @@ -122,6 +139,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=PROCTITLE msg=audit(1492753107.096:9004): proctitle=\"(g_daemon)\"", "fileset.name": "log", "input.type": "log", "log.offset": 843, diff --git a/filebeat/module/auditd/log/test/avc.log b/filebeat/module/auditd/log/test/avc.log new file mode 100644 index 00000000000..04443e4c0ca --- /dev/null +++ b/filebeat/module/auditd/log/test/avc.log @@ -0,0 +1,3 @@ +type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file +type=AVC msg=audit(1524662933.080:61207): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=5571 comm="metricbeat" requested_mask="trace" denied_mask="trace" peer="unconfined" +type=AVC msg=audit(1524662933.080:61207): seresult=1 diff --git a/filebeat/module/auditd/log/test/avc.log-expected.json b/filebeat/module/auditd/log/test/avc.log-expected.json new file mode 100644 index 00000000000..3179d7f8b09 --- /dev/null +++ b/filebeat/module/auditd/log/test/avc.log-expected.json @@ -0,0 +1,64 @@ +[ + { + "@timestamp": "2008-11-16T22:21:13.147Z", + "auditd.log.dev": "dm-0", + "auditd.log.ino": "284133", + "auditd.log.path": "/var/www/html/file1", + "auditd.log.scontext": "unconfined_u:system_r:httpd_t:s0", + "auditd.log.sequence": 96, + "auditd.log.tclass": "file", + "auditd.log.tcontext": "unconfined_u:object_r:samba_share_t:s0", + "event.action": "avc", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm=\"httpd\" path=\"/var/www/html/file1\" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "process.name": "httpd", + "process.pid": 2465, + "service.type": "auditd" + }, + { + "@timestamp": "2018-04-25T13:28:53.080Z", + "auditd.log.apparmor": "DENIED", + "auditd.log.denied_mask": "trace", + "auditd.log.operation": "ptrace", + "auditd.log.peer": "unconfined", + "auditd.log.profile": "docker-default", + "auditd.log.record_type": "AVC", + "auditd.log.requested_mask": "trace", + "auditd.log.sequence": 61207, + "event.action": [ + "violated-apparmor-policy" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=AVC msg=audit(1524662933.080:61207): apparmor=\"DENIED\" operation=\"ptrace\" profile=\"docker-default\" pid=5571 comm=\"metricbeat\" requested_mask=\"trace\" denied_mask=\"trace\" peer=\"unconfined\"", + "fileset.name": "log", + "input.type": "log", + "log.offset": 241, + "process.name": "metricbeat", + "process.pid": 5571, + "service.type": "auditd" + }, + { + "@timestamp": "2018-04-25T13:28:53.080Z", + "auditd.log.record_type": "AVC", + "auditd.log.sequence": 61207, + "auditd.log.seresult": "1", + "event.action": [ + "violated-selinux-policy" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=AVC msg=audit(1524662933.080:61207): seresult=1", + "fileset.name": "log", + "input.type": "log", + "log.offset": 433, + "service.type": "auditd" + } +] \ No newline at end of file diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 8eb1b61a43e..48caa4ae6c5 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json @@ -11,6 +11,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=MAC_IPSEC_EVENT msg=audit(1485893834.891:18877201): op=SPD-delete auid=4294967295 ses=4294967295 res=1 src=192.168.2.0 src_prefixlen=24 dst=192.168.0.0 dst_prefixlen=16", "event.outcome": "1", "fileset.name": "log", "input.type": "log", @@ -33,9 +34,16 @@ "auditd.log.syscall": "44", "auditd.log.tty": "(none)", "event.action": "syscall", + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1485893834.891:18877199): arch=c000003e syscall=44 success=yes exit=184 a0=9 a1=7f564b2672a0 a2=b8 a3=0 items=0 ppid=1240 pid=1281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"charon\" exe=2F7573722F6C6962657865632F7374726F6E677377616E2F636861726F6E202864656C6574656429 key=(null)", + "event.type": [ + "info" + ], "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -59,13 +67,23 @@ }, { "@timestamp": "2017-03-14T19:20:56.192Z", + "auditd.log.record_type": "USER_CMD", "auditd.log.sequence": 19600329, "auditd.log.ses": "11988", - "event.action": "user_cmd", + "event.action": [ + "ran-command" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=USER_CMD msg=audit(1489519256.192:19600329): user pid=4151 uid=497 auid=700 ses=11988 msg='cwd=\"/\" cmd=2F7573722F6C696236342F6E6167696F732F706C7567696E732F636865636B5F617374657269736B5F7369705F7065657273202D7020323032 terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "input.type": "log", "log.offset": 536, @@ -90,16 +108,26 @@ "auditd.log.lport": 22, "auditd.log.op": "start", "auditd.log.pfs": "curve25519-sha256@libssh.org", + "auditd.log.record_type": "CRYPTO_SESSION", "auditd.log.rport": 63927, "auditd.log.sequence": 406, "auditd.log.ses": "4294967295", "auditd.log.spid": "1299", "auditd.log.subj": "system_u:system_r:sshd_t:s0-s0:c0.c1023", - "event.action": "crypto_session", + "event.action": [ + "started-crypto-session" + ], + "event.category": [ + "process" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=? res=success'", "event.outcome": "success", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 783, @@ -127,12 +155,16 @@ "auditd.log.data": "eh^?^?echo test^Mvim /etc/pam.d/password-auth-ac^Mman pam_tty_audit^Mman pam.d^Mvim /etc^Asudo ^E/pamd.sy^?^?^?^?^?.^?m.d/sy^I-a^Ia^?-a^I^Mman pam^Mt^?grep sys^?^?^?/var/lo^Ig/me^Is^I | grep pam_tty^Mgrep pam_tty /var/log/mes^I^M^[[A^Asudo ^Msudo su^M", "auditd.log.major": "136", "auditd.log.minor": "0", + "auditd.log.record_type": "TTY", "auditd.log.sequence": 1065565, "auditd.log.ses": "762", - "event.action": "tty", + "event.action": [ + "typed" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=TTY msg=audit(1491924063.550:1065565): tty pid=27930 uid=1000 auid=1000 ses=762 major=136 minor=0 comm=\"bash\" data=65687F7F6563686F20746573740D76696D202F6574632F70616D2E642F70617373776F72642D617574682D61630D6D616E2070616D5F7474795F61756469740D6D616E2070616D2E640D76696D202F657463017375646F20052F70616D642E73797F7F7F7F7F2E7F6D2E642F7379092D6109617F2D61090D6D616E2070616D0D747F67726570207379737F7F7F2F7661722F6C6F09672F6D65097309207C20677265702070616D5F7474790D677265702070616D5F747479202F7661722F6C6F672F6D6573090D1B5B41017375646F200D7375646F2073750D", "fileset.name": "log", "input.type": "log", "log.offset": 1178, @@ -150,6 +182,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=PROCTITLE msg=audit(1451781471.394:194438): proctitle=\"bash\"", "fileset.name": "log", "input.type": "log", "log.offset": 1733, @@ -163,6 +196,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=PROCTITLE msg=audit(1451781471.394:194440): proctitle=737368643A206275726E205B707269765D", "fileset.name": "log", "input.type": "log", "log.offset": 1799, @@ -172,19 +206,23 @@ "@timestamp": "2019-11-15T19:01:24.309Z", "auditd.log.gpg_res": "1", "auditd.log.key_enforce": "0", + "auditd.log.record_type": "SOFTWARE_UPDATE", "auditd.log.root_dir": "/", "auditd.log.sequence": 785, "auditd.log.ses": "3", "auditd.log.subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64", "auditd.log.sw_type": "rpm", - "event.action": "software_update", + "event.action": [ + "package-updated" + ], "event.category": [ "package" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SOFTWARE_UPDATE msg=audit(1573844484.309:785): pid=3157 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='sw=\"gcc-4.8.5-39.el7.x86_64\" sw_type=rpm key_enforce=0 gpg_res=1 root_dir=\"/\" comm=\"yum\" exe=\"/usr/bin/python2.7\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": [ "info" @@ -201,14 +239,18 @@ }, { "@timestamp": "2019-11-15T19:00:56.144Z", + "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 5, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", - "event.action": "system_boot", + "event.action": [ + "booted-system" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSTEM_BOOT msg=audit(1573844456.144:5): pid=678 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "info", "fileset.name": "log", @@ -223,14 +265,18 @@ }, { "@timestamp": "2019-11-15T19:01:57.054Z", + "auditd.log.record_type": "SYSTEM_SHUTDOWN", "auditd.log.sequence": 1163, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", - "event.action": "system_shutdown", + "event.action": [ + "shutdown-system" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSTEM_SHUTDOWN msg=audit(1573844517.054:1163): pid=4440 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "info", "fileset.name": "log", @@ -251,6 +297,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=EXECVE msg=audit(1581371984.206:579393): argc=1 a0=top", "fileset.name": "log", "input.type": "log", "log.offset": 2688, @@ -264,17 +311,21 @@ "auditd.log.a2": "0x1fd4640", "auditd.log.a3": "0x7ffc6939f360", "auditd.log.items": "2", + "auditd.log.record_type": "SYSCALL", "auditd.log.sequence": 579398, "auditd.log.ses": "2", "auditd.log.subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "auditd.log.success": "yes", "auditd.log.syscall": "execve", "auditd.log.tty": "pts0", - "event.action": "syscall", + "event.action": [ + "executed" + ], "event.category": "process", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=SYSCALL msg=audit(1581371984.206:579398): arch=x86_64 syscall=execve success=yes exit=0 a0=0x1fd05c0 a1=0x1fd2730 a2=0x1fd4640 a3=0x7ffc6939f360 items=2 ppid=2563 pid=2614 auid=vagrant uid=vagrant gid=vagrant euid=vagrant suid=vagrant fsuid=vagrant egid=vagrant sgid=vagrant fsgid=vagrant tty=pts0 ses=2 comm=top exe=/usr/bin/top subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)", "event.type": "info", "fileset.name": "log", "host.architecture": "x86_64", @@ -299,16 +350,20 @@ { "@timestamp": "2020-02-10T21:59:44.206Z", "auditd.log.name": "mymodule", + "auditd.log.record_type": "KERN_MODULE", "auditd.log.sequence": 579397, - "event.action": "kern_module", + "event.action": [ + "loaded-kernel-module" + ], "event.category": [ "driver" ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=KERN_MODULE msg=audit(1581371984.206:579397): name=mymodule", "event.type": [ - "info" + "start" ], "fileset.name": "log", "input.type": "log", @@ -319,14 +374,18 @@ "@timestamp": "2017-12-17T10:44:41.075Z", "auditd.log.op": "create", "auditd.log.reason": "api", + "auditd.log.record_type": "VIRT_CONTROL", "auditd.log.sequence": 145, "auditd.log.ses": "3", "auditd.log.subj": "system_u:system_r:container_runtime_t:s0", - "event.action": "virt_control", + "event.action": [ + "issued-vm-control" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=VIRT_CONTROL msg=audit(1513507481.075:145): pid=1431 uid=0 auid=100 ses=3 subj=system_u:system_r:container_runtime_t:s0 msg='user=root reason=api op=create vm=? vm-pid=? hostname=? exe=\"/usr/bin/dockerd-current\" addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "creation", "fileset.name": "log", @@ -343,6 +402,7 @@ "@timestamp": "2016-12-16T15:45:43.572Z", "auditd.log.img-ctx": "system_u:object_r:svirt_image_t:s0:c444,c977", "auditd.log.model": "selinux", + "auditd.log.record_type": "VIRT_MACHINE_ID", "auditd.log.sequence": 23118, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:virtd_t:s0-s0:c0.c1023", @@ -352,11 +412,14 @@ "auditd.log.vm-ctx": "system_u:system_r:svirt_t:s0:c444,c977", "container.name": "rhel-work3", "container.runtime": "kvm", - "event.action": "virt_machine_id", + "event.action": [ + "assigned-vm-id" + ], "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.original": "type=VIRT_MACHINE_ID msg=audit(1481903143.572:23118): pid=5637 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm=\"rhel-work3\" uuid=5501263b-181d-47ed-ab03-a6066f3d26bf vm-ctx=system_u:system_r:svirt_t:s0:c444,c977 img-ctx=system_u:object_r:svirt_image_t:s0:c444,c977 model=selinux exe=\"/usr/sbin/libvirtd\" hostname=? addr=? terminal=? res=success'", "event.outcome": "success", "event.type": "creation", "fileset.name": "log", diff --git a/filebeat/module/auditd/log/test/useradd.log b/filebeat/module/auditd/log/test/useradd.log new file mode 100644 index 00000000000..3f99f5e3b41 --- /dev/null +++ b/filebeat/module/auditd/log/test/useradd.log @@ -0,0 +1,8 @@ +type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe="/usr/sbin/groupadd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe="/usr/sbin/useradd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe="/sbin/pam_tally2" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success' +type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct="charlie" exe="/usr/bin/passwd" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct="root" exe="/usr/bin/chfn" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' +type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct="root" exe="/usr/bin/chfn" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success' diff --git a/filebeat/module/auditd/log/test/useradd.log-expected.json b/filebeat/module/auditd/log/test/useradd.log-expected.json new file mode 100644 index 00000000000..3eb42fe0a86 --- /dev/null +++ b/filebeat/module/auditd/log/test/useradd.log-expected.json @@ -0,0 +1,300 @@ +[ + { + "@timestamp": "2021-01-17T17:12:33.686Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.id": "1004", + "auditd.log.op": "adding group to /etc/group", + "auditd.log.record_type": "ADD_GROUP", + "auditd.log.sequence": 584, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "added-group-account-to" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "log", + "group.id": "1004", + "input.type": "log", + "log.offset": 0, + "process.executable": "/usr/sbin/groupadd", + "process.pid": 2940, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:33.710Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.id": "1004", + "auditd.log.op": "adding group to /etc/gshadow", + "auditd.log.record_type": "ADD_GROUP", + "auditd.log.sequence": 586, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "added-group-account-to" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "log", + "group.id": "1004", + "input.type": "log", + "log.offset": 212, + "process.executable": "/usr/sbin/groupadd", + "process.pid": 2940, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:33.710Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.id": "1004", + "auditd.log.record_type": "ADD_GROUP", + "auditd.log.sequence": 587, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "added-group-account-to" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "log", + "group.id": "1004", + "input.type": "log", + "log.offset": 426, + "process.executable": "/usr/sbin/groupadd", + "process.pid": 2940, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:33.730Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.id": "1004", + "auditd.log.op": "adding user", + "auditd.log.record_type": "ADD_USER", + "auditd.log.sequence": 591, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "added-user-account" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 612, + "process.executable": "/usr/sbin/useradd", + "process.pid": 2945, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.target.id": "1004", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:33.814Z", + "auditd.log.hostname": "localhost", + "auditd.log.record_type": "USER_ACCT", + "auditd.log.reset": "0", + "auditd.log.sequence": 593, + "auditd.log.ses": "14", + "auditd.log.uid": [ + "0", + "1004" + ], + "event.action": [ + "was-authorized" + ], + "event.category": [ + "authentication" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe=\"/sbin/pam_tally2\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "info" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 807, + "process.executable": "/sbin/pam_tally2", + "process.pid": 2948, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.id": "1000", + "user.terminal": "/dev/pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:38.174Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.op": "PAM:chauthtok", + "auditd.log.record_type": "USER_CHAUTHTOK", + "auditd.log.sequence": 594, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "changed-password" + ], + "event.category": [ + "iam" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct=\"charlie\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "user", + "change" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 1008, + "process.executable": "/usr/bin/passwd", + "process.pid": 2953, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.id": "0", + "user.id": "1000", + "user.name": "charlie", + "user.target.name": "charlie", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:38.178Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.op": "PAM:authentication", + "auditd.log.record_type": "USER_AUTH", + "auditd.log.sequence": 595, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "authenticated" + ], + "event.category": [ + "authentication" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "info" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 1216, + "process.executable": "/usr/bin/chfn", + "process.pid": 2954, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "root", + "user.terminal": "pts/2" + }, + { + "@timestamp": "2021-01-17T17:12:38.178Z", + "auditd.log.hostname": "ubuntu-bionic", + "auditd.log.op": "PAM:accounting", + "auditd.log.record_type": "USER_ACCT", + "auditd.log.sequence": 596, + "auditd.log.ses": "14", + "auditd.log.uid": "0", + "event.action": [ + "was-authorized" + ], + "event.category": [ + "authentication" + ], + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.original": "type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", + "event.outcome": "success", + "event.type": [ + "info" + ], + "fileset.name": "log", + "input.type": "log", + "log.offset": 1419, + "process.executable": "/usr/bin/chfn", + "process.pid": 2954, + "service.type": "auditd", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "user.audit.id": "1000", + "user.effective.name": "root", + "user.id": "1000", + "user.name": "root", + "user.terminal": "pts/2" + } +] \ No newline at end of file