im_linuxaudit rules not working as expected (SUSE Tumbleweed)


ppum

Hello, I've been trying to get the linuxaudit system to work but I'm stuck.

--- Nxlog-agent setup ---
OS: SUSE Tumbleweed 20190512
Agent-Version: 4.4.4347
Module: im_linuxaudit

--- Configuration ---
<Extension _json>
    Module  xm_json
</Extension>

<Extension audit_parser>
    Module        xm_kvp
    KVPDelimiter  ' '
    KVDelimiter   =
    EscapeChar    ''
</Extension>

<Input audit>
    Module       im_linuxaudit
    FlowControl  FALSE
    <Rules>
        -D
        -b 320
        -w /etc/passwd -p wa -k etcpasswd
        -w /bin/cat -p wxa -k cat_exection
        -e 1
    </Rules>
    <Exec>
        audit_parser->parse_kvp();
        $Hostname = hostname();
        $FQDN = hostname_fqdn();
        $Tag = "audit";
        $SourceName = "auditd_nxlog";
    </Exec>
</Input>

<Output tcp>
    Module  om_tcp
    Host    192.168.4.58
    Port    1337
    Exec    to_json(); to_syslog_bsd();
</Output>

<Route audit_to_tcp>
    Path  audit => tcp
</Route>


I've been trying to run the above-mentioned audit config; however, whenever I do /bin/cat /etc/passwd I don't get any kind of alert on my receiver box. HOWEVER, I do get logs when I change user (e.g. su otheruser). Additionally, I was wondering if the log format 'ENRICHED' from the normal audit daemon is supported: https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment

Best regards,
Florian Reiter
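An added example (not the poster's config and not NXLog's parser) showing what the ENRICHED format asked about looks like on the wire and how to take it apart: auditd with log_format = ENRICHED appends name-resolved fields after an ASCII 0x1D group separator, and the several records of one event (SYSCALL, CWD, PATH, ...) share a timestamp:serial pair. The sample records are constructed, with the poster's `etcpasswd` key and an invented user name.

```python
import re
import shlex

# ENRICHED log_format appends name-resolved fields after an ASCII 0x1D group separator.
ENRICH_SEP = "\x1d"
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# Constructed sample records; not captured from the poster's system.
SAMPLE_SYSCALL = (
    'type=SYSCALL msg=audit(1557830400.123:456): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=7ffd0000 items=1 ppid=1234 pid=1235 '
    'auid=1000 uid=1000 gid=100 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" '
    'key="etcpasswd"\x1dARCH=x86_64 SYSCALL=openat AUID="florian" UID="florian" GID="users"'
)
SAMPLE_CWD = 'type=CWD msg=audit(1557830400.123:456): cwd="/home/florian"'

def parse_kvp(body):
    """Turn 'k=v k2="quoted v"' into a dict; shlex strips the quotes."""
    fields = {}
    for token in shlex.split(body, posix=True):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields

def parse_audit_record(line):
    """Parse one record, with or without the enriched trailer."""
    raw, _, enriched = line.rstrip("\n").partition(ENRICH_SEP)
    match = HEADER_RE.match(raw)
    if not match:
        raise ValueError("not an audit record: %r" % raw[:40])
    return {
        "type": match["type"],
        "timestamp": float(match["ts"]),
        "serial": int(match["serial"]),
        "fields": parse_kvp(match["body"]),
        # Upper-case keys are the resolved copies of the numeric fields (uid -> UID).
        "enriched": parse_kvp(enriched) if enriched else {},
    }

def group_by_serial(lines):
    """One audit event spans several records that share the same serial number."""
    events = {}
    for line in lines:
        record = parse_audit_record(line)
        events.setdefault(record["serial"], []).append(record)
    return events
```

A KVP parser that is not told about the 0x1D separator will keep the trailer glued to the last plain field, which is the thing to check when feeding ENRICHED output into a generic key-value module.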