Hello, I've been trying to get the linuxaudit system to work but I'm stuck.

--- Nxlog-agent setup ---
OS: SUSE Tumbleweed 20190512
Agent-Version: 4.4.4347
Module: im_linuxaudit

--- Configuration ---
<Extension _json>
    Module xm_json
</Extension>

# parses the space-separated key=value pairs of a raw audit record
<Extension audit_parser>
    Module xm_kvp
    KVPDelimiter ' '
    KVDelimiter =
    EscapeChar '\'
</Extension>

<Input audit>
    Module im_linuxaudit
    FlowControl FALSE
    # audit rules that the module loads into the kernel itself (auditctl syntax)
    <Rules>
        -D
        -b 320
        -w /etc/passwd -p wa -k etcpasswd
        -w /bin/cat -p wxa -k cat_exection
        -e 1
    </Rules>
    <Exec>
        audit_parser->parse_kvp();
        $Hostname = hostname();
        $FQDN = hostname_fqdn();
        $Tag = "audit";
        $SourceName = "auditd_nxlog";
    </Exec>
</Input>

# forward each event as JSON wrapped in BSD syslog to the receiver
<Output tcp>
    Module om_tcp
    Host 192.168.4.58
    Port 1337
    Exec to_json(); to_syslog_bsd();
</Output>

<Route audit_to_tcp>
    Path audit => tcp
</Route>

---
I've been trying to run the above mentioned audit config, however whenever I'm doing /bin/cat /etc/passwd I don't get any kind of alerts on my receiver box. HOWEVER I will get logs when I change user (e.g. su otheruser).
Additionally, I was wondering if the log format 'ENRICHED' from the normal audit daemon is supported.
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment

Best regards
Florian Reiter

Asked June 14, 2019 - 8:40am

Comments (5)

  • gahorvath (NXLog)

    Hi Florian,

    Could you please test by modifying the rules section as follows?

        <Rules>
                -D
                -b 320
                -w /etc/passwd -p wa -k etcpasswd
                -w /usr/bin/cat -p wxa -k cat_exection
                -e 1
        </Rules>
    

    Thanks!

    Gabor

  • ppum

    Hi Gabor,

    Thanks for the input, it seems like the audit module doesn't check execution via links but only direct calls, which is probably a good thing anyways! Also I didn't realize that cat-ing a file doesn't trigger the access file rule, but neither does the normal audit daemon.

    Since that resolved my issue and the rules are working as expected, I will update my ruleset with additional rules and probably open a new question about that in a couple of days!

    Thank you!

    Florian

    Also for the reference: It may happen that you get the error that another auditd daemon is still running while restarting nxlog. This can happen if the normal auditd didn't shut down correctly/completely. Restarting auditd and shutting it down again resolved the issue.

    2019-06-24 06:48:43 ERROR Another audit log collector process (auditd?) is already running with pid 17230, module 'audit' will not start
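An added helper, not code from the thread or from NXLog: a POSIX shell function that resolves each -w path of a rules block through readlink -f before the rules go into the <Rules> section, so that a watch written as /bin/cat lands on /usr/bin/cat when /bin/cat is a symbolic link, which is what the path change in Gabor's fix amounts to. It assumes GNU readlink and watch paths without spaces; the rule lines and the temporary file tree used to exercise it are constructed for the example.

```shell
#!/bin/sh
# Added helper (not from the thread or NXLog): rewrite the "-w PATH" watch rules
# of an im_linuxaudit <Rules> block so that each watched path is the
# symlink-resolved one. Lines without -w (-D, -b, -e, -a ...) pass through.
# Assumes GNU readlink -f and watch paths without spaces; reads rules on stdin.
canonicalize_audit_rules() {
    while IFS= read -r line; do
        set -- $line                      # word-split the rule: $1 is the flag
        case "$1" in
            -w)
                orig=$2
                shift 2                   # remaining words are -p/-k options
                if resolved=$(readlink -f "$orig" 2>/dev/null) && [ -n "$resolved" ]; then
                    if [ "$resolved" != "$orig" ]; then
                        # make the rewrite visible: the watch is on the link target
                        printf 'note: %s resolves to %s, watching the target\n' \
                            "$orig" "$resolved" >&2
                    fi
                    printf '%s %s' "-w" "$resolved"
                    if [ $# -gt 0 ]; then printf ' %s' "$*"; fi
                    printf '\n'
                else
                    # parent directory does not exist: keep the rule as written
                    printf '%s\n' "$line"
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}
```

Pipe the body of the <Rules> block through the function and paste its output back into the configuration; the notes on stderr show which watches were moved.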

  • gahorvath (NXLog)

    As for the 'ENRICHED' logs:

    We support 3 different methods for collecting Linux audit logs. The method you chose (im_linuxaudit) uses direct access, bypassing auditd and other user space components.

    For im_linuxaudit, we already have a feature request logged that aims to do the same resolution as described in https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment

    For reading the auditd log and receiving from audispd we would have to investigate when the ENRICHED format becomes available. It should not be a problem to support the new format. I suppose they will keep the usual key-value pair formatting.

    You can see the relevant documentation section here: https://nxlog.co/documentation/nxlog-user-guide/linux-audit.html#linuxaudit_auditd

  • ppum

    Thank you again for the clear answer on the question. This raises my next question: Do you have any idea if and when the im_linuxaudit feature request might get implemented?

    So far I see a bit of a tradeoff when choosing either approach in: Remote-management of rules VS Quality of collected logs.

    Thank you anyways, Florian
