- Make sure your kernel has `options AUDIT`.
- Run `praudit /dev/auditpipe`.
Resources:
- auditpipe(4)
- The token type identifiers are defined in sys/bsm/audit_record.h.
- It is recommended to use libbsm(3).
Let's try to learn how the audit_event file is generated and how to add new events.
- audit_event can be found in contrib/openbsm/etc.
- According to the comments inside audit_event, I should modify audit_event, audit_kevents.h and audit_uevents.h and recompile the kernel. The paths are:
  - contrib/openbsm/etc/audit_event
  - contrib/openbsm/bsm/audit_uevents.h
  - contrib/openbsm/bsm/audit_kevents.h
- contrib/openbsm/etc/ has sample configuration files. Nothing special. (Source: contrib/openbsm/README)
- FreeBSD seems to ignore the audit_uevents.h file since I cannot find it in the sys/bsm directory. Actually, it doesn't seem to be an important file to FreeBSD anyway.
A BSM audit record is made of tokens. The record starts with a header token and ends with a trailer token. Linux Audit fields that have no token of their own can be stored in the arbitrary data token. (Source)
Let's try to break down the audit trail of the `cat /etc/ssh/sshd_config` command. The trail of that command might look like this:
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
| Linux Audit field | mapped to | notes |
|---|---|---|
| type=SYSCALL | Every type should be mapped to a token. | |
| msg=audit(1364481363.243:24287) | The ID might be mapped to the seq token and the time stamp can be stored in the header token. | |
| arch=c000003e | Create a new event to save this information. | |
| syscall=2 | Consult the Linux Syscall Table. | |
| success=no | | |
| exit=-13 | | |
| a0=7fffd19c5592 | | |
| a1=0 | | |
| a2=7fffd19c4b50 | | |
| a3=a | | |
| items=1 | | |
| ppid=2686 | | |
| pid=3538 | | |
| auid=500 | | |
| uid=500 | | |
| gid=500 | | |
| euid=500 | | |
| suid=500 | | |
| fsuid=500 | | |
| egid=500 | | |
| sgid=500 | | |
| fsgid=500 | | |
| tty=pts0 | | |
| ses=1 | | |
| comm="cat" | | |
| exe="/bin/cat" | | |
| subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | | |
| key="sshd_config" | | |

| Linux Audit field | mapped to | notes |
|---|---|---|
| type=CWD | | |
| msg=audit(1364481363.243:24287) | | |
| cwd="/home/shadowman" | | |

| Linux Audit field | mapped to | notes |
|---|---|---|
| type=PATH | | |
| msg=audit(1364481363.243:24287) | | |
| item=0 | | |
| name="/etc/ssh/sshd_config" | | |
| inode=409248 | | |
| dev=fd:00 | | |
| mode=0100600 | | |
| ouid=0 | | |
| ogid=0 | | |
| rdev=00:00 | | |
| obj=system_u:object_r:etc_t:s0 | | |
The format of the events in /etc/security/audit_event is number:name:description:flags.

On the Linux side, an audit log is made of events, and an event is made of records. Each record starts with the type= keyword, and all records of one event share the same time stamp and serial number (the msg=audit(...) field above).

On the BSM side, an audit trail is made of records, and a record is made of tokens.
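To make the token structure, the mapping table for the `cat /etc/ssh/sshd_config` event and the number:name:description:flags format concrete, here is an added example (not code from this page or from OpenBSM) that encodes the three Linux Audit lines above as one BSM record and then walks the tokens back the way a reader such as praudit must. Token ids, constants and layouts are the ones in OpenBSM's bsm/audit_record.h. Everything else is an assumption made for the example: the new event number 32900 and its constructed audit_event line, the choice of arg64 tokens for a0..a3, the use of the arbitrary data token for fields with no natural BSM token, and the packing of Linux's hex major:minor device numbers into one 32-bit field.

```python
"""Encode the page's Linux Audit event for `cat /etc/ssh/sshd_config` as one BSM record
(header32, body tokens, trailer) and parse it back. Added example, not OpenBSM code;
the event number and audit_event line below are constructed."""
import re
import struct

# Token ids and constants as defined in OpenBSM's bsm/audit_record.h
AUT_TRAILER, AUT_HEADER32, AUT_DATA, AUT_PATH, AUT_SUBJECT32 = 0x13, 0x14, 0x21, 0x23, 0x24
AUT_RETURN32, AUT_SEQ, AUT_ATTR32, AUT_ARG64 = 0x27, 0x2F, 0x3E, 0x71
AUT_TRAILER_MAGIC, AUDIT_HEADER_VERSION_OPENBSM, AUP_STRING, AUR_BYTE = 0xB105, 11, 4, 0

# The page's three Linux Audit lines: one event, serial 24287, one time stamp.
LINUX_EVENT = [
    'type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 '
    'a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 '
    'gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" '
    'exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"',
    'type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"',
    'type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 '
    'dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0',
]
# Constructed audit_event entry (number:name:description:flags); 32900 is an arbitrary
# number in the user-event range chosen for this example, not an OpenBSM event.
AUDIT_EVENT_LINE = "32900:AUE_linux_syscall:Linux Audit SYSCALL record:ad"

def parse_audit_event(line):
    number, name, desc, flags = line.split(":", 3)
    return int(number), name, desc, flags.split(",")

def parse_linux_line(line):
    """Split key=value pairs; pull secs, ms and serial out of msg=audit(secs.ms:serial):"""
    fields = {}
    for part in line.split():
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    m = re.match(r"audit\((\d+)\.(\d+):(\d+)\)", fields["msg"])
    fields["secs"], fields["ms"], fields["serial"] = (int(g) for g in m.groups())
    return fields

def cstr(s):  # BSM strings: 16-bit byte count, then the NUL-terminated string
    b = s.encode() + b"\0"
    return struct.pack(">H", len(b)) + b

def linux_event_to_bsm(lines):
    recs = {f["type"]: f for f in map(parse_linux_line, lines)}
    sc, cwd, p = recs["SYSCALL"], recs["CWD"], recs["PATH"]
    num = lambda k: int(sc[k])
    dev = lambda s: int(s.replace(":", ""), 16)  # hex major:minor packed into one field (assumption)
    # exit=-13 with success=no is -errno (EACCES); BSM keeps errno in the return token's status byte
    status, retval = (-num("exit"), num("exit") & 0xFFFFFFFF) if sc["success"] == "no" else (0, num("exit"))
    body = struct.pack(">BI", AUT_SEQ, sc["serial"])  # Linux serial -> seq token
    # subject32: auid euid egid ruid rgid pid sid, then a zeroed terminal id (no Linux equivalent)
    body += struct.pack(">B9I", AUT_SUBJECT32, num("auid"), num("euid"), num("egid"), num("uid"),
                        num("gid"), num("pid"), num("ses"), 0, 0)
    # a0..a3 are 64-bit on x86_64, so arg64 (arg number, value, name) rather than arg32
    body += b"".join(struct.pack(">BBQ", AUT_ARG64, n + 1, int(sc["a%d" % n], 16)) + cstr("a%d" % n)
                     for n in range(4))
    body += struct.pack(">BBI", AUT_RETURN32, status, retval)
    body += bytes([AUT_PATH]) + cstr(p["name"])
    # attr32: mode uid gid fsid nodeid device  <-  mode ouid ogid dev inode rdev
    body += struct.pack(">BIIIIQI", AUT_ATTR32, int(p["mode"], 8), int(p["ouid"]), int(p["ogid"]),
                        dev(p["dev"]), int(p["inode"]), dev(p["rdev"]))
    # fields with no natural token (arch, syscall number, comm, exe, SELinux label, key, cwd) go into
    # the arbitrary-data token as text; its unit count is one byte, so at most 255 units fit
    extra = " ".join("%s=%s" % (k, sc[k]) for k in ("arch", "syscall", "comm", "exe", "subj", "key"))
    extra = (extra + " cwd=" + cwd["cwd"]).encode()[:255]
    body += struct.pack(">BBBB", AUT_DATA, AUP_STRING, AUR_BYTE, len(extra)) + extra
    # header and trailer both carry the full record length; the trailer adds the magic
    total = 18 + len(body) + 7
    header = struct.pack(">BIBHHII", AUT_HEADER32, total, AUDIT_HEADER_VERSION_OPENBSM,
                         parse_audit_event(AUDIT_EVENT_LINE)[0], 0, sc["secs"], sc["ms"])
    return header + body + struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, total)

FIXED_LEN = {AUT_HEADER32: 17, AUT_TRAILER: 6, AUT_SEQ: 4, AUT_SUBJECT32: 36, AUT_RETURN32: 5, AUT_ATTR32: 28}

def split_tokens(record):
    """Walk a record token by token; variable-length tokens carry their own length field."""
    tokens, off = [], 0
    while off < len(record):
        tid, body = record[off], off + 1
        if tid in FIXED_LEN:
            n = FIXED_LEN[tid]
        elif tid == AUT_PATH:
            n = 2 + struct.unpack_from(">H", record, body)[0]
        elif tid == AUT_ARG64:  # arg number(1) + value(8) + text length(2) + text
            n = 11 + struct.unpack_from(">H", record, body + 9)[0]
        elif tid == AUT_DATA:
            _fmt, size, count = struct.unpack_from(">BBB", record, body)
            n = 3 + count * (1, 2, 4, 8)[size]  # AUR_BYTE / AUR_SHORT / AUR_INT32 / AUR_INT64
        else:
            raise ValueError("unknown token id 0x%02x at offset %d" % (tid, off))
        tokens.append((tid, record[body:body + n]))
        off = body + n
    return tokens

def decode_record(record):
    """Header fields plus the structural checks a reader makes before trusting a record."""
    tokens = split_tokens(record)
    by_id = dict(tokens)
    total, _ver, event, _mod, secs, ms = struct.unpack(">IBHHII", tokens[0][1])
    magic, trailer_total = struct.unpack(">HI", tokens[-1][1])
    return {"ok": tokens[0][0] == AUT_HEADER32 and tokens[-1][0] == AUT_TRAILER
                  and magic == AUT_TRAILER_MAGIC and total == trailer_total == len(record),
            "event": event, "secs": secs, "ms": ms, "serial": struct.unpack(">I", by_id[AUT_SEQ])[0],
            "status": by_id[AUT_RETURN32][0], "tokens": [tid for tid, _ in tokens]}

if __name__ == "__main__":
    print(decode_record(linux_event_to_bsm(LINUX_EVENT)))
```

The structural check in `decode_record` is the one worth keeping in mind when you read trails from /dev/auditpipe: the byte count in the header must equal the byte count in the trailer and the trailer must carry the 0xb105 magic, otherwise a token walk can be desynchronised by one bad length field. praudit looks event numbers up in /etc/security/audit_event, so a record carrying a constructed number such as 32900 only prints with a name once a matching line has been added there, which is exactly the "add new events" step the page is about.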
- Useful tutorial: https://blog.jasonish.org/2006/08/19/tailq-example/