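---
# Macros declares some YAML anchors that can be referenced for some common
# object type normalizations like user-session, socket, or process.
macros:
# Default subject/object field selection for user-session style records.
# Normalizations pull it in with `<<: *macro-user-session` and may override
# individual keys (an explicit key wins over a merged-in one).
- &macro-user-session
  subject_primary: auid
  subject_secondary: [acct, id, uid]
  object_primary: terminal
  object_secondary: [addr, hostname]
  object_what: user-session
  how: [exe, terminal]
# ECS event.category / event.type defaults. Each anchor carries the generic
# `info` type; a normalization overrides `type` after merging the anchor.
- &ecs-iam
  category: iam
  type: info
- &ecs-auth
  category: authentication
  type: info
  mappings:
  - from: subject.primary
    to: user
  - from: subject.secondary
    to: user.effective
- &ecs-session
  category: session
  type: info
  mappings:
  - from: subject.primary
    to: user
  - from: subject.secondary
    to: user.effective
- &ecs-host
  category: host
  type: info
- &ecs-process
  category: process
  type: info
- &ecs-file
  category: file
  type: info
- &ecs-driver
  category: driver
  type: info
- &ecs-network
  category: network
  type:
  - connection
  - info
# Field mappings shared by the user/group management record types; merged
# alongside an ECS anchor with `<<: [*ecs-iam, *ecs-user-modification-mappings]`.
- &ecs-user-modification-mappings
  mappings:
  - from: subject.primary
    to: user
  - from: subject.secondary
    to: user.effective
  - from: object.primary
    to: user.target
- &ecs-group-modification-mappings
  mappings:
  - from: subject.primary
    to: user
  - from: subject.secondary
    to: user.effective
  - from: object.primary
    to: group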
# Normalizations is a list of declarations specifying how to normalize the data
# contained in an event. The normalization can be applied based on the syscall
# name (e.g. connect, open) or based on the record type (e.g. USER_LOGIN).
# No two normalizations can apply to the same syscall or record type. This
# will result in a failure at load time.
#
# Each normalization should specify:
# action - what happened
# actor - who did this or who triggered the event
# object - what was the "thing" involved in the action (e.g. process, socket)
# how - how was the action performed (e.g. exe or terminal)
normalizations:
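# Catch-all for syscalls not named by any later normalization. It sets only
# the ECS process/info category and no `action`, so the syscalls in the
# "Currently unhandled" comment list further down (ptrace, seccomp, bpf,
# kexec_load, setns, capset, ...) presumably surface with no action
# description at all.
- ecs: *ecs-process
  syscalls:
  - '*' # this is a catch all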
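# --- File creation, open, read and write ---
# The three `opened-file` entries differ only in the ECS type they set:
# creation (creat), change (fallocate/truncate) and the &ecs-file default
# info (open/readlink).
- action: opened-file
  object_what: file
  syscalls:
  # creat - open and possibly create a file
  - creat
  ecs:
    <<: *ecs-file
    type: creation
- action: opened-file
  object_what: file
  syscalls:
  # fallocate - manipulate file space
  - fallocate
  # truncate - truncate a file to a specified length
  - truncate
  # ftruncate - truncate a file to a specified length
  - ftruncate
  ecs:
    <<: *ecs-file
    # technically you can truncate a file to the same length
    # but regardless, we consider this a change
    type: change
- action: opened-file
  object_what: file
  syscalls:
  # open - open and possibly create a file
  - open
  # openat - open and possibly create a file
  - openat
  # readlink - read value of a symbolic link
  - readlink
  # readlinkat - read value of a symbolic link
  - readlinkat
  ecs: *ecs-file
- action: read-file
  object_what: file
  syscalls:
  # read - read from a file descriptor
  - read
  ecs: *ecs-file
- action: wrote-to-file
  object_what: file
  syscalls:
  # write - write to a file descriptor
  - write
  ecs:
    <<: *ecs-file
    type: change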
# --- File attribute, permission and ownership changes ---
# All three are ECS file/change events; the syscall lists are grouped by
# the man page they share.
- action: changed-file-attributes-of
  object_what: file
  ecs:
    <<: *ecs-file
    type: change
  syscalls:
  # setxattr / fsetxattr / lsetxattr - set an extended attribute value
  - setxattr
  - fsetxattr
  - lsetxattr
  # removexattr / fremovexattr / lremovexattr - remove an extended attribute
  - removexattr
  - fremovexattr
  - lremovexattr
- action: changed-file-permissions-of
  object_what: file
  ecs:
    <<: *ecs-file
    type: change
  syscalls:
  # chmod / fchmod / fchmodat - change permissions of a file
  - chmod
  - fchmod
  - fchmodat
- action: changed-file-ownership-of
  object_what: file
  ecs:
    <<: *ecs-file
    type: change
  syscalls:
  # chown / fchown / fchownat / lchown - change ownership of a file
  - chown
  - fchown
  - fchownat
  - lchown
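# --- Kernel modules ---
# Module loads are matched both by the KERN_MODULE record type and by the
# load syscalls. `object_primary: name` selects the module name field as the
# object (NOTE(review): presumably the KERN_MODULE record's name field —
# confirm against the loader).
- action: loaded-kernel-module
  object_what: file
  object_primary: name
  record_types:
  - KERN_MODULE
  syscalls:
  # finit_module - load a kernel module
  - finit_module
  # init_module - load a kernel module
  - init_module
  ecs:
    <<: *ecs-driver
    type: start
- action: unloaded-kernel-module
  object_what: file
  syscalls:
  # delete_module - unload a kernel module
  - delete_module
  ecs:
    <<: *ecs-driver
    type: end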
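# --- Directory creation, mount and rename ---
# `object_path_index` selects which of the event's path entries supplies the
# object. NOTE(review): the index base and which record it refers to are not
# documented in this file — confirm against the loader before relying on it.
- action: created-directory
  object_what: file
  object_path_index: 1
  syscalls:
  # mkdir - create a directory
  - mkdir
  # mkdirat - create a directory
  - mkdirat
  ecs:
    <<: *ecs-file
    type: creation
- action: mounted
  object_what: filesystem
  object_path_index: 1
  syscalls:
  # mount - mount filesystem
  - mount
  ecs:
    <<: *ecs-file
    # since a new mount appears on the system
    # we consider this a high-level "creation" event
    type: creation
- action: renamed
  object_what: file
  object_path_index: 2
  syscalls:
  # rename - change the name or location of a file
  - rename
  # renameat - change the name or location of a file
  - renameat
  # renameat2 - change the name or location of a file
  - renameat2
  ecs:
    <<: *ecs-file
    type: change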
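# --- File metadata reads, symlinks, unmount, deletion and timestamps ---
- action: checked-metadata-of
  object_what: file
  syscalls:
  # access - check user's permissions for a file
  - access
  # faccessat - check user's permissions for a file
  - faccessat
  # fstatat - get file status
  - fstatat
  # newfstatat - get file status
  - newfstatat
  # stat - get file status
  - stat
  # stat64 - get file status
  - stat64
  # fstat - get file status
  - fstat
  # lstat - get file status
  - lstat
  # getxattr - retrieve an extended attribute value
  - getxattr
  # lgetxattr - retrieve an extended attribute value
  - lgetxattr
  # fgetxattr - retrieve an extended attribute value
  - fgetxattr
  # read-only metadata access keeps the &ecs-file default type (info)
  ecs: *ecs-file
- action: checked-filesystem-metadata-of
  object_what: filesystem
  syscalls:
  # statfs - get filesystem statistics
  - statfs
  # fstatfs - get filesystem statistics
  - fstatfs
  ecs: *ecs-file
- action: symlinked
  object_what: file
  syscalls:
  # symlink - make a new name for a file
  - symlink
  # symlinkat - make a new name for a file
  - symlinkat
  ecs:
    <<: *ecs-file
    # "creation" since we're creating a new file system
    # entry for the symlink
    type: creation
- action: unmounted
  object_what: filesystem
  syscalls:
  # umount - unmount filesystem
  - umount
  # umount2 - unmount filesystem
  - umount2
  ecs:
    <<: *ecs-file
    # "deletion" to mirror the "creation" of the mount
    type: deletion
- action: deleted
  object_what: file
  syscalls:
  # rmdir - delete a directory
  - rmdir
  # unlink - delete a name and possibly the file it refers to
  - unlink
  # unlinkat - delete a name and possibly the file it refers to
  - unlinkat
  ecs:
    <<: *ecs-file
    type: deletion
- action: changed-timestamp-of
  object_what: file
  syscalls:
  # utime - change file last access and modification times
  - utime
  # utimes - change file last access and modification times
  - utimes
  # futimesat - change timestamps of a file relative to a directory file descriptor
  - futimesat
  # futimens - change file timestamps with nanosecond precision
  - futimens
  # utimensat - change file timestamps with nanosecond precision
  - utimensat
  # NOTE(review): this keeps the default type (info), unlike the other
  # attribute modifications above which set type: change. Timestamp
  # rewrites are of forensic interest, so confirm the weaker type is
  # intended.
  ecs: *ecs-file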
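# --- Program execution ---
# The executed file is the object; for ECS the event is a process "start".
- action: executed
  object_what: file
  syscalls:
  # execve - execute program
  - execve
  # execveat - execute program relative to a directory file descriptor
  - execveat
  ecs:
    <<: *ecs-process
    type: start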
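# --- Network (socket) activity ---
# listen/bind override the &ecs-network type with the scalar "start";
# accept/connect use [connection, start]; send/receive keep the anchor's
# default [connection, info].
- action: listen-for-connections
  object_what: socket
  syscalls:
  # listen - listen for connections on a socket
  - listen
  ecs:
    <<: *ecs-network
    type: start
- action: accepted-connection-from
  object_what: socket
  syscalls:
  # accept - accept a connection on a socket
  - accept
  # accept4 - accept a connection on a socket
  - accept4
  ecs:
    <<: *ecs-network
    type:
    - connection
    - start
- action: bound-socket
  object_what: socket
  syscalls:
  # bind - bind a name to a socket
  - bind
  ecs:
    <<: *ecs-network
    type: start
- action: connected-to
  object_what: socket
  syscalls:
  # connect - initiate a connection on a socket
  - connect
  ecs:
    <<: *ecs-network
    type:
    - connection
    - start
- action: received-from
  object_what: socket
  syscalls:
  # recv - receive a message from a socket
  - recv
  # recvfrom - receive a message from a socket
  - recvfrom
  # recvmsg - receive a message from a socket
  - recvmsg
  # recvmmsg - receive multiple messages on a socket
  - recvmmsg
  # no override, so the alias is used directly like the file entries do
  ecs: *ecs-network
- action: sent-to
  object_what: socket
  syscalls:
  # send - send a message on a socket
  - send
  # sendto - send a message on a socket
  - sendto
  # sendmsg - send a message on a socket
  - sendmsg
  # sendmmsg - send multiple messages on a socket
  - sendmmsg
  ecs: *ecs-network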
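# --- Process signals and identity changes ---
- action: killed-pid
  object_what: process
  syscalls:
  # kill - send signal to a process
  - kill
  # tkill - send a signal to a thread
  - tkill
  # tgkill - send a signal to a thread
  - tgkill
  ecs:
    <<: *ecs-process
    # there is no signal-number filtering here: every kill/tkill/tgkill
    # is normalized as a process "end"
    type: end
# The set*uid/set*gid family records a credential transition of the calling
# process; these are the events to consult when reconstructing privilege
# changes (e.g. a service dropping or regaining root).
- action: changed-identity-of
  object_what: process
  # `how` names the source of "how the action was performed" (see the file
  # header); here it is the syscall itself rather than an exe or terminal
  how: syscall
  syscalls:
  # setuid - set user identity
  - setuid
  # seteuid - set effective user or group ID
  - seteuid
  # setfsuid - set user identity used for filesystem checks
  - setfsuid
  # setreuid - set real and/or effective user or group ID
  - setreuid
  # setgid - set group identity
  - setgid
  # setegid - set effective user or group ID
  - setegid
  # setfsgid - set group identity used for filesystem checks
  - setfsgid
  # setregid - set real and/or effective user or group ID
  - setregid
  # setresuid - set real, effective and saved user or group ID
  - setresuid
  # setresgid - set real, effective and saved user or group ID
  - setresgid
  ecs:
    <<: *ecs-process
    type: change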
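# --- Host and process state changes ---
- action: changed-system-time
  object_what: system
  # matched by the time-change record types as well as by the syscalls
  record_types:
  - TIME_ADJNTPVAL
  - TIME_INJOFFSET
  syscalls:
  # settimeofday - get / set time
  - settimeofday
  # clock_settime - clock and time functions
  - clock_settime
  # stime - set time
  - stime
  # adjtimex - tune kernel clock
  - adjtimex
  # clock_adjtime - similar to adjtimex but specifies a specific clock
  - clock_adjtime
  ecs:
    <<: *ecs-host
    type: change
- action: make-device
  object_what: file
  syscalls:
  # mknod - create a special or ordinary file
  - mknod
  # mknodat - create a special or ordinary file
  - mknodat
  ecs:
    <<: *ecs-file
    type: creation
- action: changed-system-name
  object_what: system
  syscalls:
  # sethostname - get/set hostname
  - sethostname
  # setdomainname - get/set NIS domain name
  - setdomainname
  ecs:
    <<: *ecs-host
    type: change
- action: allocated-memory
  object_what: memory
  syscalls:
  # mmap - map or unmap files or devices into memory
  - mmap
  # mmap2 - map files or devices into memory
  - mmap2
  # brk - change data segment size
  - brk
  # keeps the &ecs-process default type (info)
  ecs: *ecs-process
- action: adjusted-scheduling-policy-of
  object_what: process
  how: syscall
  syscalls:
  # sched_setparam - set and get scheduling parameters
  - sched_setparam
  # sched_setscheduler - set and get scheduling policy/parameters
  - sched_setscheduler
  # sched_setattr - set and get scheduling policy and attributes
  - sched_setattr
  ecs:
    <<: *ecs-process
    type: change
- action: end
  object_what: process
  how: syscall
  syscalls:
  # exit_group - exit all threads in a process
  - exit_group
  ecs:
    <<: *ecs-process
    type: end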
# Currently unhandled
# this list comes from parsing linux man pages at https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git
# sigaction - examine and change a signal action
# rt_sigaction - examine and change a signal action
# pread - read from or write to a file descriptor at a given offset
# pwrite - read from or write to a file descriptor at a given offset
# s390_guarded_storage - operations with z/Architecture guarded storage facility
# sched_getattr - set and get scheduling policy and attributes
# getrusage - get resource usage
# flock - apply or remove an advisory lock on an open file
# pidfd_getfd - obtain a duplicate of another process's file descriptor
# clock_nanosleep - high-resolution sleep with specifiable clock
# getpagesize - get memory page size
# pidfd_open - obtain a file descriptor that refers to a process
# splice - splice data to/from a pipe
# getresuid - get real, effective and saved user/group IDs
# getresgid - get real, effective and saved user/group IDs
# remap_file_pages - create a nonlinear file mapping
# io_cancel - cancel an outstanding asynchronous I/O operation
# prctl - operations on a process or thread
# clock_getres - clock and time functions
# clock_gettime - clock and time functions
# getgroups - get/set list of supplementary group IDs
# setgroups - get/set list of supplementary group IDs
# vmsplice - splice user pages to/from a pipe
# epoll_create - open an epoll file descriptor
# epoll_create1 - open an epoll file descriptor
# posix_fadvise - predeclare an access pattern for file data
# sigwaitinfo - synchronously wait for queued signals
# sigtimedwait - synchronously wait for queued signals
# rt_sigtimedwait - synchronously wait for queued signals
# sigreturn - return from signal handler and cleanup stack frame
# rt_sigreturn - return from signal handler and cleanup stack frame
# getrandom - obtain a series of random bytes
# keyctl - manipulate the kernel's key management facility
# sched_getscheduler - set and get scheduling policy/parameters
# mbind - set memory policy for a memory range
# getpriority - get/set program scheduling priority
# setpriority - get/set program scheduling priority
# inotify_init - initialize an inotify instance
# inotify_init1 - initialize an inotify instance
# semctl - System V semaphore control operations
# gethostname - get/set hostname
# ptrace - process trace
# sysctl - read/write system parameters
# getpeername - get name of connected peer socket
# fork - create a child process
# query_module - query the kernel for various bits pertaining to modules
# ioctl_list - list of ioctl calls in Linux/i386 kernel
# msgget - get a System V message queue identifier
# spu_create - create a new spu context
# subpage_prot - define a subpage protection for an address range
# quotactl - manipulate disk quotas
# nfsservctl - syscall interface to kernel nfs daemon
# openat2 - open and possibly create a file (extended)
# getrlimit - get/set resource limits
# setrlimit - get/set resource limits
# prlimit - get/set resource limits
# tee - duplicating pipe content
# shmget - allocates a System V shared memory segment
# create_module - create a loadable module entry
# gettimeofday - get / set time
# timer_create - create a POSIX per-process timer
# fanotify_mark - add, remove, or modify an fanotify mark on a filesystem object
# pipe - create pipe
# pipe2 - create pipe
# intro - introduction to system calls
# lookup_dcookie - return a directory entry's path
# sysfs - get filesystem type information
# s390_runtime_instr - enable/disable s390 CPU run-time instrumentation
# setns - reassociate thread with a namespace
# set_mempolicy - set default NUMA memory policy for a thread and its children
# nice - change process priority
# io_setup - create an asynchronous I/O context
# mincore - determine whether pages are resident in memory
# ioctl_console - ioctls for console terminal and virtual consoles
# poll - wait for some event on a file descriptor
# ppoll - wait for some event on a file descriptor
# capget - set/get capabilities of thread(s)
# capset - set/get capabilities of thread(s)
# ioctl_tty - ioctls for terminals and serial lines
# iopl - change I/O privilege level
# io_getevents - read asynchronous I/O events from the completion queue
# process_vm_readv - transfer data between process address spaces
# process_vm_writev - transfer data between process address spaces
# pciconfig_read - pci device information handling
# pciconfig_write - pci device information handling
# pciconfig_iobase - pci device information handling
# sbrk - change data segment size
# set_tid_address - set pointer to thread ID
# pkey_alloc - allocate or free a protection key
# pkey_free - allocate or free a protection key
# select - synchronous I/O multiplexing
# pselect - synchronous I/O multiplexing
# kexec_load - load a new kernel for later execution
# kexec_file_load - load a new kernel for later execution
# personality - set the process execution domain
# ioctl_getfsmap - retrieve the physical layout of the filesystem
# inotify_rm_watch - remove an existing watch from an inotify instance
# perf_event_open - set up performance monitoring
# timer_getoverrun - get overrun count for a POSIX per-process timer
# wait3 - wait for process to change state, BSD style
# wait4 - wait for process to change state, BSD style
# link - make a new name for a file
# linkat - make a new name for a file
# sched_rr_get_interval - get the SCHED_RR interval for the named process
# munmap - map or unmap files or devices into memory
# socketcall - socket system calls
# mremap - remap a virtual memory address
# vfork - create a child process and block parent
# seccomp - operate on Secure Computing state of the process
# request_key - request a key from the kernel's key management facility
# syscall - indirect system call
# kcmp - compare two processes to determine if they share a kernel resource
# readdir - read directory entry
# ioperm - set port input/output permissions
# spu_run - execute an SPU context
# reboot - reboot or enable/disable Ctrl-Alt-Del
# readahead - initiate file readahead into page cache
# sched_getparam - set and get scheduling parameters
# acct - switch process accounting on or off
# sigsuspend - wait for a signal
# rt_sigsuspend - wait for a signal
# socket - create an endpoint for communication
# ioctl_userfaultfd - create a file descriptor for handling page faults in user space
# sched_get_priority_max - get static priority range
# sched_get_priority_min - get static priority range
# getdents - get directory entries
# getdents64 - get directory entries
# select - synchronous I/O multiplexing
# pselect - synchronous I/O multiplexing
# alloc_hugepages - allocate or free huge pages
# free_hugepages - allocate or free huge pages
# fsync - synchronize a file's in-core state with storage device
# fdatasync - synchronize a file's in-core state with storage device
# syscalls - Linux system calls
# memfd_create - create an anonymous file
# modify_ldt - get or set a per-process LDT entry
# get_kernel_syms - retrieve exported kernel and module symbols
# lseek - reposition read/write file offset
# shmat - System V shared memory operations
# shmdt - System V shared memory operations
# timer_delete - delete a POSIX per-process timer
# perfmonctl - interface to IA-64 performance monitoring unit
# move_pages - move individual pages of a process to another node
# chdir - change working directory
# fchdir - change working directory
# time - get time in seconds
# _exit - terminate the calling process
# _Exit - terminate the calling process
# s390_sthyi - emulate STHYI instruction
# io_submit - submit asynchronous I/O blocks for processing
# mlock - lock and unlock memory
# mlock2 - lock and unlock memory
# munlock - lock and unlock memory
# mlockall - lock and unlock memory
# munlockall - lock and unlock memory
# umask - set file mode creation mask
# arch_prctl - set architecture-specific thread state
# uselib - load shared library
# sendfile - transfer data between file descriptors
# shmctl - System V shared memory control
# epoll_wait - wait for an I/O event on an epoll file descriptor
# epoll_pwait - wait for an I/O event on an epoll file descriptor
# sigaltstack - set and/or get signal stack context
# ioctl - control device
# signalfd - create a file descriptor for accepting signals
# unshare - disassociate parts of the process execution context
# chroot - change root directory
# madvise - give advice about use of memory
# gettid - get thread identification
# getsockname - get socket name
# io_destroy - destroy an asynchronous I/O context
# setup - setup devices and filesystems, mount root filesystem
# ntp_adjtime - tune kernel clock
# semget - get a System V semaphore set identifier
# getuid - get user identity
# geteuid - get user identity
# _syscall - invoking a system call without library support (OBSOLETE)
# sched_setaffinity - set and get a thread's CPU affinity mask
# sched_getaffinity - set and get a thread's CPU affinity mask
# cacheflush - flush contents of instruction and/or data cache
# pivot_root - change the root mount
# msgctl - System V message control operations
# ioctl_fat - manipulating the FAT filesystem
# setpgid - set/get process group
# getpgid - set/get process group
# setpgrp - set/get process group
# getpgrp - set/get process group
# socketpair - create a pair of connected sockets
# bdflush - start, flush, or tune buffer-dirty-flush daemon
# alarm - set an alarm clock for delivery of a signal
# timer_settime - arm/disarm and fetch state of POSIX per-process timer
# timer_gettime - arm/disarm and fetch state of POSIX per-process timer
# add_key - add a key to the kernel's key management facility
# rt_sigqueueinfo - queue a signal and data
# rt_tgsigqueueinfo - queue a signal and data
# userfaultfd - create a file descriptor for handling page faults in user space
# semop - System V semaphore operations
# semtimedop - System V semaphore operations
# getgid - get group identity
# getegid - get group identity
# getpid - get process identification
# getppid - get process identification
# sigprocmask - examine and change blocked signals
# rt_sigprocmask - examine and change blocked signals
# uname - get name and information about current kernel
# statx - get file status (extended)
# ioctl_ficlonerange - share some the data of one file with another file
# ioctl_ficlone - share some the data of one file with another file
# mq_getsetattr - get/set message queue attributes
# ioprio_get - get/set I/O scheduling class and priority
# ioprio_set - get/set I/O scheduling class and priority
# epoll_ctl - control interface for an epoll file descriptor
# sync - commit filesystem caches to disk
# syncfs - commit filesystem caches to disk
# setsid - creates a session and sets the process group ID
# shutdown - shut down part of a full-duplex connection
# getsid - get session ID
# get_thread_area - manipulate thread-local storage information
# set_thread_area - manipulate thread-local storage information
# timerfd_create - timers that notify via file descriptors
# timerfd_settime - timers that notify via file descriptors
# timerfd_gettime - timers that notify via file descriptors
# ioctl_fideduperange - share some the data of one file with another file
# name_to_handle_at - obtain handle for a pathname and open file via a handle
# open_by_handle_at - obtain handle for a pathname and open file via a handle
# futex - fast user-space locking
# ioctl_ns - ioctl() operations for Linux namespaces
# pidfd_send_signal - send a signal to a process specified by a file descriptor
# clone - create a child process
# __clone2 - create a child process
# clone3 - create a child process
# times - get process times
# sysinfo - return system information
# ipc - System V IPC system calls
# eventfd - create a file descriptor for event notification
# wait - wait for process to change state
# waitpid - wait for process to change state
# waitid - wait for process to change state
# getdomainname - get/set NIS domain name
# idle - make process 0 idle
# inotify_add_watch - add a watch to an initialized inotify instance
# get_mempolicy - retrieve NUMA memory policy for a thread
# bpf - perform a command on an extended BPF map or program
# getsockopt - get and set options on sockets
# setsockopt - get and set options on sockets
# getitimer - get or set value of an interval timer
# setitimer - get or set value of an interval timer
# membarrier - issue memory barriers on a set of threads
# mprotect - set protection on a region of memory
# pkey_mprotect - set protection on a region of memory
# getcpu - determine CPU and NUMA node on which the calling thread is running
# ioctl_fslabel - get or set a filesystem label
# listxattr - list extended attribute names
# llistxattr - list extended attribute names
# flistxattr - list extended attribute names
# _llseek - reposition read/write file offset
# fcntl - manipulate file descriptor
# ustat - get filesystem statistics
# signal - ANSI C signal handling
# nanosleep - high-resolution sleep
# connect - initiate a connection on a socket (already handled above by the connected-to normalization)
# vm86old - enter virtual 8086 mode
# vm86 - enter virtual 8086 mode
# fanotify_init - create and initialize fanotify group
# migrate_pages - move all pages in a process to another set of nodes
# restart_syscall - restart a system call after interruption by a stop signal
# close - close a file descriptor
# msgrcv - System V message queue operations
# msgsnd - System V message queue operations
# readv - read or write data into multiple buffers
# writev - read or write data into multiple buffers
# preadv - read or write data into multiple buffers
# pwritev - read or write data into multiple buffers
# preadv2 - read or write data into multiple buffers
# pwritev2 - read or write data into multiple buffers
# syslog - read and/or clear kernel message ring buffer; set console_loglevel
# klogctl - read and/or clear kernel message ring buffer; set console_loglevel
# sched_yield - yield the processor
# vhangup - virtually hangup the current terminal
# ioctl_iflags - ioctl() operations for inode flags
# sgetmask - manipulation of signal mask (obsolete)
# ssetmask - manipulation of signal mask (obsolete)
# sync_file_range - sync a file segment with disk
# copy_file_range - Copy a range of data from one file to another
# sigpending - examine pending signals
# rt_sigpending - examine pending signals
# getunwind - copy the unwind data to caller's buffer
# msync - synchronize a file with a memory map
# get_robust_list - get/set list of robust futexes
# set_robust_list - get/set list of robust futexes
# dup - duplicate a file descriptor
# dup2 - duplicate a file descriptor
# dup3 - duplicate a file descriptor
# s390_pci_mmio_write - transfer data to/from PCI MMIO memory page
# s390_pci_mmio_read - transfer data to/from PCI MMIO memory page
# pause - wait for signal
# swapon - start/stop swapping to file/device
# swapoff - start/stop swapping to file/device
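# Record type normalizations
# Useful links:
# https://raw.githubusercontent.com/torvalds/linux/v4.16/include/uapi/linux/audit.h
# https://raw.githubusercontent.com/linux-audit/audit-userspace/4d933301b1835cafa08b9e9ef705c8fb6c96cb62/lib/libaudit.h
# https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-category.html
#
# Each entry merges an ECS anchor with `<<:` and then sets `type` explicitly;
# an explicit key always overrides a merged-in one, so the `info` default
# from &ecs-iam is replaced below. With the list form
# `<<: [*ecs-iam, *ecs-...-modification-mappings]` the first anchor wins on
# conflicting keys (there are none: the mappings anchors only define
# `mappings`).

# IAM related events
# AUDIT_ACCT_LOCK - User's account locked by admin
- record_types: ACCT_LOCK
  action: locked-account
  ecs:
    <<: *ecs-iam
    type:
    - user
    - info
# AUDIT_ACCT_UNLOCK - User's account unlocked by admin
- record_types: ACCT_UNLOCK
  action: unlocked-account
  ecs:
    <<: *ecs-iam
    type:
    - user
    - info
# AUDIT_ADD_GROUP - Group account added
- record_types: ADD_GROUP
  action: added-group-account-to
  object_primary: [id, acct]
  object_what: account
  ecs:
    <<: [*ecs-iam, *ecs-group-modification-mappings]
    type:
    - group
    - creation
# AUDIT_ADD_USER - User account added
- record_types: ADD_USER
  action: added-user-account
  object_primary: [id, acct]
  object_what: account
  ecs:
    <<: [*ecs-iam, *ecs-user-modification-mappings]
    type:
    - user
    - creation
# AUDIT_DEL_GROUP - Group account deleted
- record_types: DEL_GROUP
  action: deleted-group-account-from
  object_primary: [id, acct]
  object_what: account
  ecs:
    <<: [*ecs-iam, *ecs-group-modification-mappings]
    type:
    - group
    - deletion
# AUDIT_DEL_USER - User account deleted
- record_types: DEL_USER
  action: deleted-user-account
  object_primary: [id, acct]
  object_what: account
  ecs:
    <<: [*ecs-iam, *ecs-user-modification-mappings]
    type:
    - user
    - deletion
# AUDIT_GRP_MGMT - Group account attr was modified
- record_types: GRP_MGMT
  action: modified-group-account
  object_primary: [id, acct]
  object_what: account
  ecs:
    <<: *ecs-iam
    type:
    - group
    - change
    # inline mappings instead of the shared anchor: the secondary subject
    # maps to `group` here, not `user.effective`
    mappings:
    - from: subject.primary
      to: user
    - from: subject.secondary
      to: group
    - from: uid.uid
      to: user.effective
# AUDIT_ROLE_ASSIGN - Admin assigned user to role
- record_types: ROLE_ASSIGN
  action: assigned-user-role-to
  object_primary: [id, acct]
  object_what: account
  ecs:
    <<: *ecs-iam
    type:
    - user
    - change
# AUDIT_ROLE_MODIFY - Admin modified a role
- record_types: ROLE_MODIFY
  action: modified-role
  ecs:
    <<: *ecs-iam
    type:
    - change
# AUDIT_ROLE_REMOVE - Admin removed user from role
- record_types: ROLE_REMOVE
  action: removed-user-role-from
  object_primary: [id, acct]
  object_what: account
  ecs:
    <<: *ecs-iam
    type:
    - user
    - change
# AUDIT_USER_MGMT - User acct attribute change
- <<: *macro-user-session
  record_types: USER_MGMT
  action: modified-user-account
  ecs:
    <<: *ecs-iam
    type:
    - user
    - change
    mappings:
    - from: subject.primary
      to: user
    - from: subject.secondary
      to: user.target
    - from: uid.uid
      to: user.effective
# AUDIT_USER_CHAUTHTOK - User acct password or pin changed
- <<: *macro-user-session
  record_types: USER_CHAUTHTOK
  action: changed-password
  ecs:
    <<: *ecs-iam
    type:
    - user
    - change
    mappings:
    - from: subject.primary
      to: user
    - from: uid.uid
      to: user.effective
    - from: subject.secondary
      to: user.target
# AUDIT_GRP_CHAUTHTOK - Group acct password or pin changed
- <<: *macro-user-session
  record_types: GRP_CHAUTHTOK
  action: changed-group-password
  # overrides the macro's `terminal` object with the account field
  object_primary: acct
  object_what: user-session
  ecs:
    <<: *ecs-iam
    type:
    - group
    - change
    mappings:
    - from: subject.primary
      to: user
    - from: uid.uid
      to: user.effective
    - from: subject.secondary
      to: group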
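# Authentication related events
# The CRED_* records merge the user-session macro for subject/object field
# selection and use &ecs-auth, which already carries the user /
# user.effective mappings.
# AUDIT_CRED_ACQ - User credential acquired
- <<: *macro-user-session
  record_types: CRED_ACQ
  action: acquired-credentials
  ecs: *ecs-auth
# AUDIT_CRED_DISP - User credential disposed
- <<: *macro-user-session
  record_types: CRED_DISP
  action: disposed-credentials
  ecs: *ecs-auth
# AUDIT_CRED_REFR - User credential refreshed
- <<: *macro-user-session
  record_types: CRED_REFR
  action: refreshed-credentials
  ecs: *ecs-auth
# AUDIT_GRP_AUTH - Authentication for group password
# (the user-session macro is not merged here, so its auid/terminal field
# selection does not apply to this record)
- record_types: GRP_AUTH
  action: authenticated-to-group
  ecs: *ecs-auth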
# AUDIT_LOGIN - Define the login id and information
- record_types: LOGIN
action: changed-login-id-to
subject_primary: [old_auid, old-auid]
subject_secondary: uid
object_primary: [new-auid, new_auid, auid]
object_what: user-session
ecs:
<<: *ecs-auth
type: start
mappings:
- from: subject.primary