
Comments (3)

drewr commented on June 18, 2024 (2)

👋 @v1v @andrewkroh!! I work with @stephen-fox. Think you could give this a quick look and see what may be involved here? We could maybe contribute a fix for it. Thanks!

from go-libaudit.

andrewkroh commented on June 18, 2024 (1)

Hi @drewr 😄 , it looks like the assumption that a type=SYSCALL message is always present when there is more than one message with the same sequence number may be wrong. This assumption looks particularly wrong with respect to failure case 1 where you have multiple AVC messages which will not be tied in with a particular syscall.

For failure cases 2 and 3, what auditd rules were used to generate those groups of messages? If you were auditing execve then I would have expected one type=SYSCALL along with the others. It is possible to have a filter applied that could have discarded that SYSCALL message, but I would say to not do that.

I think it should be possible to relax the requirement on having a type=SYSCALL when there is more than one message and still have today's test cases pass.

One other problem I see is with failure case 1. Normally the key/value pairs are dumped into the data map, but with three of the same message types there will be key collisions. So perhaps special handling will be required for AVC message (like we have for type=PATH). The same issue popped up for type=NETFILTER_CFG in #71 and it has not been addressed.

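Added example, not go-libaudit's code and not from either commenter: a minimal Go coalescer that groups audit records by sequence number, with a switch that either enforces the "a multi-record group must contain a SYSCALL" rule described above or relaxes it, and that stores every instance of a repeated record type (AVC here, PATH or NETFILTER_CFG equally) as its own key/value map so identical keys never collide. The `Event`/`Coalesce` names, the `requireSyscall` switch and the sample execve and AVC lines in `SampleLog` are constructed for this illustration; go-libaudit's reassembler and its data map are not used.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event holds every record sharing one audit sequence number. Records maps a
// record type to the key=value pairs of each instance in arrival order, so three
// AVC (or several PATH/NETFILTER_CFG) records keep their own keys and EXECVE's a0
// cannot clobber SYSCALL's a0, unlike a single flat data map.
type Event struct {
	Seq     uint32
	Records map[string][]map[string]string
}

// HasSyscall reports whether a type=SYSCALL record was part of the event.
func (e Event) HasSyscall() bool { return len(e.Records["SYSCALL"]) > 0 }

var (
	headerRE = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$`)
	kvRE     = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
)

// parseRecord splits one "type=T msg=audit(ts:seq): ..." line into type, seq, payload.
func parseRecord(line string) (typ string, seq uint32, body string, err error) {
	m := headerRE.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return "", 0, "", fmt.Errorf("not an audit record: %q", line)
	}
	n, err := strconv.ParseUint(m[4], 10, 32)
	return m[1], uint32(n), m[5], err
}

// parseFields extracts key=value pairs and strips quotes; free text such as
// the AVC "avc:  denied  { read } for" prefix is skipped.
func parseFields(body string) map[string]string {
	out := make(map[string]string)
	for _, kv := range kvRE.FindAllStringSubmatch(body, -1) {
		out[kv[1]] = strings.Trim(kv[2], `"`)
	}
	return out
}

// Coalesce groups records by sequence number; type=EOE only terminates a
// multi-record event and carries no data. With requireSyscall set, a group of two
// or more records lacking SYSCALL is dropped (the strict rule); unset, it is kept.
func Coalesce(lines []string, requireSyscall bool) (events []Event, dropped int, err error) {
	var order []uint32
	bySeq := make(map[uint32]*Event)
	count := make(map[uint32]int)
	for _, line := range lines {
		typ, seq, body, perr := parseRecord(line)
		if perr != nil {
			return nil, 0, perr
		}
		if typ == "EOE" {
			continue
		}
		ev, ok := bySeq[seq]
		if !ok {
			ev = &Event{Seq: seq, Records: make(map[string][]map[string]string)}
			bySeq[seq] = ev
			order = append(order, seq)
		}
		ev.Records[typ] = append(ev.Records[typ], parseFields(body))
		count[seq]++
	}
	for _, seq := range order {
		if requireSyscall && count[seq] > 1 && !bySeq[seq].HasSyscall() {
			dropped++
			continue
		}
		events = append(events, *bySeq[seq])
	}
	return events, dropped, nil
}

// SampleLog is constructed for this example: an execve event matching the posted
// "auid=500" execve rule, then three AVC records sharing a seq with no SYSCALL.
var SampleLog = []string{
	`type=SYSCALL msg=audit(1718712000.101:501): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c3e1a2b0 a1=55d0c3e1a3f0 a2=55d0c3e19d60 a3=8 items=1 ppid=4242 pid=4243 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="kubectl" exe="/opt/bin/kubectl" key="auditcmd"`,
	`type=EXECVE msg=audit(1718712000.101:501): argc=3 a0="kubectl" a1="get" a2="pods"`,
	`type=EOE msg=audit(1718712000.101:501): `,
	`type=AVC msg=audit(1718712000.202:502): avc:  denied  { read } for  pid=4300 comm="httpd" name="shadow" dev="sda1" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0`,
	`type=AVC msg=audit(1718712000.202:502): avc:  denied  { open } for  pid=4300 comm="httpd" path="/etc/shadow" dev="sda1" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0`,
	`type=AVC msg=audit(1718712000.202:502): avc:  denied  { getattr } for  pid=4300 comm="httpd" path="/etc/shadow" dev="sda1" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0`,
	`type=EOE msg=audit(1718712000.202:502): `,
}

func main() {
	for _, strict := range []bool{true, false} {
		events, dropped, err := Coalesce(SampleLog, strict)
		if err != nil {
			panic(err)
		}
		fmt.Printf("requireSyscall=%v: %d event(s) kept, %d dropped\n", strict, len(events), dropped)
	}
}
```

With requireSyscall=true the AVC-only group (seq 502) is discarded, which is the failure mode reported in the issue; with it relaxed both groups become events, and the three AVC records remain individually addressable as Records["AVC"][0..2]. This example works on a finite slice and relies on EOE only as a terminator; a live stream reassembler additionally needs a timeout, because single-record events carry no EOE and records from different sequence numbers can interleave.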

stephen-fox commented on June 18, 2024

Hi @andrewkroh! Thank you for the explanation. All three examples came from a single computer that has the following /etc/audit/audit.rules:

## This file is automatically generated from /etc/audit/rules.d
-D
-b 32768
-f 1
--backlog_wait_time 60000
--loginuid-immutable
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload 
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/passwd -F perm=wa -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid=500 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/group -F perm=wa -F auid=500 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid=500 -F auid!=unset -F key=group-modify
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid=500 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid=500 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid=500 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid=500 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid=500 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid=500 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid=500 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid=500 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid=500 -F auid!=unset -F key=access-audit-trail
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid=500 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid=500 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid=500 -F auid!=unset -F key=session
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid=500 -F auid!=unset -F key=MAC-policy
-a always,exit -F path=/bin/crictl -F perm=x -F auid>=1000 -F auid!=unset -F key=container-management
-a always,exit -F path=/bin/crictl -F perm=x -F auid=500 -F auid!=unset -F key=container-management
-a always,exit -F path=/bin/docker -F perm=x -F auid>=1000 -F auid!=unset -F key=container-management
-a always,exit -F path=/bin/docker -F perm=x -F auid=500 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/argocd -F perm=x -F auid>=1000 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/argocd -F perm=x -F auid=500 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/crictl -F perm=x -F auid>=1000 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/crictl -F perm=x -F auid=500 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/kubeadm -F perm=x -F auid>=1000 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/kubeadm -F perm=x -F auid=500 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/kubectl -F perm=x -F auid>=1000 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/kubectl -F perm=x -F auid=500 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/kubectl -F perm=x -F auid=0 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/nerdctl -F perm=x -F auid>=1000 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/nerdctl -F perm=x -F auid=500 -F auid!=unset -F key=container-management
-a always,exit -F path=/opt/bin/nerdctl -F perm=x -F auid=0 -F auid!=unset -F key=container-management
-r 60
-a exit,always -F arch=b64 -S execve -F key=auditcmd -F auid=500
-a exit,always -F arch=b32 -S execve -F key=auditcmd -F auid=500
-e 1

