im_linuxaudit rules not working as expected (SUSE Tumbleweed)
Hello, I've been trying to get the linuxaudit system to work but I'm stuck.

--- Nxlog-agent setup ---
OS: SUSE Tumbleweed 20190512
Agent-Version: 4.4.4347
Module: im_linuxaudit
--- Configuration ---
<Extension _json>
    Module xm_json
</Extension>

<Extension audit_parser>
    Module xm_kvp
    KVPDelimiter ' '
    KVDelimiter =
    EscapeChar ''
</Extension>

<Input audit>
    Module im_linuxaudit
    FlowControl FALSE
    <Rules>
        -D
        -b 320
        -w /etc/passwd -p wa -k etcpasswd
        -w /bin/cat -p wxa -k cat_exection
        -e 1
    </Rules>
    <Exec>
        audit_parser->parse_kvp();
        $Hostname = hostname();
        $FQDN = hostname_fqdn();
        $Tag = "audit";
        $SourceName = "auditd_nxlog";
    </Exec>
</Input>

<Output tcp>
    Module om_tcp
    Host
    Port 1337
    Exec to_json(); to_syslog_bsd();
</Output>

<Route audit_to_tcp>
    Path audit => tcp
</Route>
I've been trying to run the above-mentioned audit config; however, whenever I do /bin/cat/ /etc/passwd I don't get any kind of alerts on my receiver box. HOWEVER, I do get logs when I change user (e.g. su otheruser). Additionally, I was wondering if the log format 'ENRICHED' from the normal audit daemon is supported.

Best regards,
Florian Reiter
Hi Florian,
Could you please test by modifying the rules section as follows?
-b 320
-w /etc/passwd -p wa -k etcpasswd
-w /usr/bin/cat -p wxa -k cat_exection
-e 1
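The reply replaces /bin/cat with /usr/bin/cat. A likely reason is that on openSUSE /bin/cat is a symlink to /usr/bin/cat, and an audit watch placed on a symlink refers to the link itself rather than to the binary that is actually executed. The POSIX shell helper below is an added example, not code from this thread or from NXLog: it canonicalizes the path in every -w rule with readlink -f and warns about watched paths that do not exist, so a Rules block can be checked before the agent loads it. The sample rule lines are the ones from the question.

```shell
#!/bin/sh
# Added example: canonicalize "-w PATH" lines of an im_linuxaudit <Rules> block.
# Reads rule lines on stdin, writes the corrected lines on stdout and notes on
# stderr. Returns 0 if every watched path exists, 1 if any is missing.
canonicalize_watch_rules() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            -w\ *)
                # Split "-w PATH rest..." into PATH and the remaining options.
                rest=${line#-w }
                path=${rest%% *}
                if [ "$path" = "$rest" ]; then rest=''; else rest=${rest#* }; fi
                if [ ! -e "$path" ]; then
                    printf 'WARNING: %s does not exist; rule kept unchanged\n' "$path" >&2
                    status=1
                    printf '%s\n' "$line"
                    continue
                fi
                # readlink -f follows every symlink, so the watch lands on the real file.
                real=$(readlink -f "$path")
                if [ "$real" != "$path" ]; then
                    printf 'NOTE: %s is a symlink; watching %s instead\n' "$path" "$real" >&2
                fi
                if [ -n "$rest" ]; then
                    printf '%s %s %s\n' '-w' "$real" "$rest"
                else
                    printf '%s %s\n' '-w' "$real"
                fi
                ;;
            *)
                # Non-watch lines (-D, -b, -e, syscall rules) pass through untouched.
                printf '%s\n' "$line"
                ;;
        esac
    done
    return "$status"
}

# Constructed sample input: the rule lines from the question above.
SAMPLE_RULES='-D
-b 320
-w /etc/passwd -p wa -k etcpasswd
-w /bin/cat -p wxa -k cat_exection
-e 1'

printf '%s\n' "$SAMPLE_RULES" | canonicalize_watch_rules \
    || echo 'some watched paths do not exist on this host' >&2
```

Paste the stdout lines back into the <Rules> block; on a host where /bin/cat is a symlink the cat rule comes out as -w /usr/bin/cat, matching the suggested change.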