
auparse -i doesn't create multiple netfilter_cfg events as a list

Open knibbl opened this issue 3 years ago • 1 comment

By testing the auparse command I saw that it doesn't summarize the values correctly or as expected. I wanted to know if this is done on purpose or if this needs additional effort for the interpreter.

Here is the example log:

type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=10 entries=0
type=SYSCALL msg=audit(1593786232.477:31): arch=c000003e syscall=272 success=yes exit=0 a0=40000000 a1=7fffd2436fb0 a2=40000040 a3=22 items=0 ppid=1 pid=769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ostnamed)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1593786232.477:31): proctitle="(ostnamed)"

Here is the command: auparse -i -format yaml

And the result:

timestamp: 2020-07-03T14:23:52.477Z
sequence: 31
category: configuration
record_type: netfilter_cfg
result: success
session: unset
summary:
  actor:
    primary: unset
    secondary: root
  action: loaded-firewall-rule-to
  object:
    type: firewall
    primary: filter
  how: /usr/lib/systemd/systemd
user:
  ids:
    auid: unset
    egid: "0"
    euid: "0"
    fsgid: "0"
    fsuid: "0"
    gid: "0"
    sgid: "0"
    suid: "0"
    uid: "0"
  names:
    egid: root
    euid: root
    fsgid: root
    fsuid: root
    gid: root
    sgid: root
    suid: root
    uid: root
  selinux:
    domain: init_t
    level: s0
    role: system_r
    user: system_u
process:
  pid: "769"
  ppid: "1"
  title: (ostnamed)
  name: (ostnamed)
  exe: /usr/lib/systemd/systemd
data:
  a0: "40000000"
  a1: 7fffd2436fb0
  a2: "40000040"
  a3: "22"
  arch: x86_64
  entries: "0"
  exit: "0"
  family: "2"
  syscall: unshare
  table: filter
  tty: (none)
ecs:
  event:
    category:
    - process
    type:
    - info

As you can see in the data section of the output, there is no second entry for the second event with "family 10". Shouldn't that be part of the output, similar to your example with the list entries for type PATH? Thank you and regards.

knibbl, Jul 08 '20 09:07

I don't think there is any special handling for netfilter_cfg messages. IIRC it merges the fields into data so it's probably not overwriting the fields that already exist when the second message is added. In order to handle multiple netfilter_cfg messages in the same event there would need to be some special handling for that type in the code (like there is for paths).

andrewkroh, Jul 13 '20 02:07
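To make the merge behaviour described in the reply concrete, here is a small coalescer written for this page (it is not go-libaudit's code and does not use its API): records sharing a sequence number are merged into a data map where existing keys are not overwritten, and record types named in listTypes are kept as a list instead, which is the PATH-style handling the issue asks for. The listTypes policy and the trimmed sample log are assumptions made for this example.

```go
package main

import (
	"regexp"
	"strings"
)
// SampleLog is constructed from the records quoted in the issue (SYSCALL
// fields trimmed); every record carries audit sequence 31.
const SampleLog = `type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=10 entries=0
type=SYSCALL msg=audit(1593786232.477:31): arch=c000003e syscall=272 success=yes exit=0 pid=769 exe="/usr/lib/systemd/systemd"`
var headerRe = regexp.MustCompile(`^type=(\S+) msg=audit\([\d.]+:(\d+)\): (.*)$`)
var kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
// Event is one coalesced sequence: scalars merged into Data, repeating types kept in Lists.
type Event struct {
	Data  map[string]string
	Lists map[string][]map[string]string
}
// Coalesce groups records by sequence. With an empty listTypes it reproduces the
// report (family=10 dropped); naming NETFILTER_CFG keeps every record, as PATH is.
func Coalesce(log string, listTypes map[string]bool) map[string]*Event {
	events := map[string]*Event{}
	for _, line := range strings.Split(log, "\n") {
		m := headerRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not an audit record
		}
		typ, seq, fields := m[1], m[2], map[string]string{}
		for _, kv := range kvRe.FindAllStringSubmatch(m[3], -1) {
			fields[kv[1]] = strings.Trim(kv[2], `"`)
		}
		ev, ok := events[seq]
		if !ok {
			ev = &Event{Data: map[string]string{}, Lists: map[string][]map[string]string{}}
			events[seq] = ev
		}
		if listTypes[typ] { // repeating type: keep every record
			ev.Lists[typ] = append(ev.Lists[typ], fields)
			continue
		}
		for k, v := range fields {
			if _, seen := ev.Data[k]; !seen { // first write wins, as the issue observes
				ev.Data[k] = v
			}
		}
	}
	return events
}
```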