├── .gitignore ├── .gitmodules ├── CODE_OF_CONDUCT.md ├── LICENSE ├── README.md ├── audit.rules ├── audit_decoder.lua ├── heka.toml ├── main.go └── tools ├── audit.rules.json ├── audit2.rules └── rules2json.py /.gitignore: -------------------------------------------------------------------------------- 1 | #backup Files 2 | *~ 3 | 4 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "libaudit-go"] 2 | path = libaudit-go 3 | url = git@github.com:mozilla/libaudit-go.git 4 | branch = master 5 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Community Participation Guidelines 2 | 3 | This repository is governed by Mozilla's code of conduct and etiquette guidelines. 4 | For more details, please read the 5 | [Mozilla Community Participation Guidelines](https://www.mozilla.org/about/governance/policies/participation/). 6 | 7 | ## How to Report 8 | For more information on how to report violations of the Community Participation Guidelines, please read our '[How to Report](https://www.mozilla.org/about/governance/policies/participation/reporting/)' page. 9 | 10 | 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License, version 2.0 2 | 3 | 1. Definitions 4 | 5 | 1.1. "Contributor" 6 | 7 | means each individual or legal entity that creates, contributes to the 8 | creation of, or owns Covered Software. 9 | 10 | 1.2. "Contributor Version" 11 | 12 | means the combination of the Contributions of others (if any) used by a 13 | Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. 
"Contribution" 16 | 17 | means Covered Software of a particular Contributor. 18 | 19 | 1.4. "Covered Software" 20 | 21 | means Source Code Form to which the initial Contributor has attached the 22 | notice in Exhibit A, the Executable Form of such Source Code Form, and 23 | Modifications of such Source Code Form, in each case including portions 24 | thereof. 25 | 26 | 1.5. "Incompatible With Secondary Licenses" 27 | means 28 | 29 | a. that the initial Contributor has attached the notice described in 30 | Exhibit B to the Covered Software; or 31 | 32 | b. that the Covered Software was made available under the terms of 33 | version 1.1 or earlier of the License, but not also under the terms of 34 | a Secondary License. 35 | 36 | 1.6. "Executable Form" 37 | 38 | means any form of the work other than Source Code Form. 39 | 40 | 1.7. "Larger Work" 41 | 42 | means a work that combines Covered Software with other material, in a 43 | separate file or files, that is not Covered Software. 44 | 45 | 1.8. "License" 46 | 47 | means this document. 48 | 49 | 1.9. "Licensable" 50 | 51 | means having the right to grant, to the maximum extent possible, whether 52 | at the time of the initial grant or subsequently, any and all of the 53 | rights conveyed by this License. 54 | 55 | 1.10. "Modifications" 56 | 57 | means any of the following: 58 | 59 | a. any file in Source Code Form that results from an addition to, 60 | deletion from, or modification of the contents of Covered Software; or 61 | 62 | b. any new file in Source Code Form that contains any Covered Software. 63 | 64 | 1.11. "Patent Claims" of a Contributor 65 | 66 | means any patent claim(s), including without limitation, method, 67 | process, and apparatus claims, in any patent Licensable by such 68 | Contributor that would be infringed, but for the grant of the License, 69 | by the making, using, selling, offering for sale, having made, import, 70 | or transfer of either its Contributions or its Contributor Version. 
71 | 72 | 1.12. "Secondary License" 73 | 74 | means either the GNU General Public License, Version 2.0, the GNU Lesser 75 | General Public License, Version 2.1, the GNU Affero General Public 76 | License, Version 3.0, or any later versions of those licenses. 77 | 78 | 1.13. "Source Code Form" 79 | 80 | means the form of the work preferred for making modifications. 81 | 82 | 1.14. "You" (or "Your") 83 | 84 | means an individual or a legal entity exercising rights under this 85 | License. For legal entities, "You" includes any entity that controls, is 86 | controlled by, or is under common control with You. For purposes of this 87 | definition, "control" means (a) the power, direct or indirect, to cause 88 | the direction or management of such entity, whether by contract or 89 | otherwise, or (b) ownership of more than fifty percent (50%) of the 90 | outstanding shares or beneficial ownership of such entity. 91 | 92 | 93 | 2. License Grants and Conditions 94 | 95 | 2.1. Grants 96 | 97 | Each Contributor hereby grants You a world-wide, royalty-free, 98 | non-exclusive license: 99 | 100 | a. under intellectual property rights (other than patent or trademark) 101 | Licensable by such Contributor to use, reproduce, make available, 102 | modify, display, perform, distribute, and otherwise exploit its 103 | Contributions, either on an unmodified basis, with Modifications, or 104 | as part of a Larger Work; and 105 | 106 | b. under Patent Claims of such Contributor to make, use, sell, offer for 107 | sale, have made, import, and otherwise transfer either its 108 | Contributions or its Contributor Version. 109 | 110 | 2.2. Effective Date 111 | 112 | The licenses granted in Section 2.1 with respect to any Contribution 113 | become effective for each Contribution on the date the Contributor first 114 | distributes such Contribution. 115 | 116 | 2.3. 
Limitations on Grant Scope 117 | 118 | The licenses granted in this Section 2 are the only rights granted under 119 | this License. No additional rights or licenses will be implied from the 120 | distribution or licensing of Covered Software under this License. 121 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 122 | Contributor: 123 | 124 | a. for any code that a Contributor has removed from Covered Software; or 125 | 126 | b. for infringements caused by: (i) Your and any other third party's 127 | modifications of Covered Software, or (ii) the combination of its 128 | Contributions with other software (except as part of its Contributor 129 | Version); or 130 | 131 | c. under Patent Claims infringed by Covered Software in the absence of 132 | its Contributions. 133 | 134 | This License does not grant any rights in the trademarks, service marks, 135 | or logos of any Contributor (except as may be necessary to comply with 136 | the notice requirements in Section 3.4). 137 | 138 | 2.4. Subsequent Licenses 139 | 140 | No Contributor makes additional grants as a result of Your choice to 141 | distribute the Covered Software under a subsequent version of this 142 | License (see Section 10.2) or under the terms of a Secondary License (if 143 | permitted under the terms of Section 3.3). 144 | 145 | 2.5. Representation 146 | 147 | Each Contributor represents that the Contributor believes its 148 | Contributions are its original creation(s) or it has sufficient rights to 149 | grant the rights to its Contributions conveyed by this License. 150 | 151 | 2.6. Fair Use 152 | 153 | This License is not intended to limit any rights You have under 154 | applicable copyright doctrines of fair use, fair dealing, or other 155 | equivalents. 156 | 157 | 2.7. Conditions 158 | 159 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in 160 | Section 2.1. 161 | 162 | 163 | 3. Responsibilities 164 | 165 | 3.1. 
Distribution of Source Form 166 | 167 | All distribution of Covered Software in Source Code Form, including any 168 | Modifications that You create or to which You contribute, must be under 169 | the terms of this License. You must inform recipients that the Source 170 | Code Form of the Covered Software is governed by the terms of this 171 | License, and how they can obtain a copy of this License. You may not 172 | attempt to alter or restrict the recipients' rights in the Source Code 173 | Form. 174 | 175 | 3.2. Distribution of Executable Form 176 | 177 | If You distribute Covered Software in Executable Form then: 178 | 179 | a. such Covered Software must also be made available in Source Code Form, 180 | as described in Section 3.1, and You must inform recipients of the 181 | Executable Form how they can obtain a copy of such Source Code Form by 182 | reasonable means in a timely manner, at a charge no more than the cost 183 | of distribution to the recipient; and 184 | 185 | b. You may distribute such Executable Form under the terms of this 186 | License, or sublicense it under different terms, provided that the 187 | license for the Executable Form does not attempt to limit or alter the 188 | recipients' rights in the Source Code Form under this License. 189 | 190 | 3.3. Distribution of a Larger Work 191 | 192 | You may create and distribute a Larger Work under terms of Your choice, 193 | provided that You also comply with the requirements of this License for 194 | the Covered Software. 
If the Larger Work is a combination of Covered 195 | Software with a work governed by one or more Secondary Licenses, and the 196 | Covered Software is not Incompatible With Secondary Licenses, this 197 | License permits You to additionally distribute such Covered Software 198 | under the terms of such Secondary License(s), so that the recipient of 199 | the Larger Work may, at their option, further distribute the Covered 200 | Software under the terms of either this License or such Secondary 201 | License(s). 202 | 203 | 3.4. Notices 204 | 205 | You may not remove or alter the substance of any license notices 206 | (including copyright notices, patent notices, disclaimers of warranty, or 207 | limitations of liability) contained within the Source Code Form of the 208 | Covered Software, except that You may alter any license notices to the 209 | extent required to remedy known factual inaccuracies. 210 | 211 | 3.5. Application of Additional Terms 212 | 213 | You may choose to offer, and to charge a fee for, warranty, support, 214 | indemnity or liability obligations to one or more recipients of Covered 215 | Software. However, You may do so only on Your own behalf, and not on 216 | behalf of any Contributor. You must make it absolutely clear that any 217 | such warranty, support, indemnity, or liability obligation is offered by 218 | You alone, and You hereby agree to indemnify every Contributor for any 219 | liability incurred by such Contributor as a result of warranty, support, 220 | indemnity or liability terms You offer. You may include additional 221 | disclaimers of warranty and limitations of liability specific to any 222 | jurisdiction. 223 | 224 | 4. 
Inability to Comply Due to Statute or Regulation 225 | 226 | If it is impossible for You to comply with any of the terms of this License 227 | with respect to some or all of the Covered Software due to statute, 228 | judicial order, or regulation then You must: (a) comply with the terms of 229 | this License to the maximum extent possible; and (b) describe the 230 | limitations and the code they affect. Such description must be placed in a 231 | text file included with all distributions of the Covered Software under 232 | this License. Except to the extent prohibited by statute or regulation, 233 | such description must be sufficiently detailed for a recipient of ordinary 234 | skill to be able to understand it. 235 | 236 | 5. Termination 237 | 238 | 5.1. The rights granted under this License will terminate automatically if You 239 | fail to comply with any of its terms. However, if You become compliant, 240 | then the rights granted under this License from a particular Contributor 241 | are reinstated (a) provisionally, unless and until such Contributor 242 | explicitly and finally terminates Your grants, and (b) on an ongoing 243 | basis, if such Contributor fails to notify You of the non-compliance by 244 | some reasonable means prior to 60 days after You have come back into 245 | compliance. Moreover, Your grants from a particular Contributor are 246 | reinstated on an ongoing basis if such Contributor notifies You of the 247 | non-compliance by some reasonable means, this is the first time You have 248 | received notice of non-compliance with this License from such 249 | Contributor, and You become compliant prior to 30 days after Your receipt 250 | of the notice. 251 | 252 | 5.2. 
If You initiate litigation against any entity by asserting a patent 253 | infringement claim (excluding declaratory judgment actions, 254 | counter-claims, and cross-claims) alleging that a Contributor Version 255 | directly or indirectly infringes any patent, then the rights granted to 256 | You by any and all Contributors for the Covered Software under Section 257 | 2.1 of this License shall terminate. 258 | 259 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user 260 | license agreements (excluding distributors and resellers) which have been 261 | validly granted by You or Your distributors under this License prior to 262 | termination shall survive termination. 263 | 264 | 6. Disclaimer of Warranty 265 | 266 | Covered Software is provided under this License on an "as is" basis, 267 | without warranty of any kind, either expressed, implied, or statutory, 268 | including, without limitation, warranties that the Covered Software is free 269 | of defects, merchantable, fit for a particular purpose or non-infringing. 270 | The entire risk as to the quality and performance of the Covered Software 271 | is with You. Should any Covered Software prove defective in any respect, 272 | You (not any Contributor) assume the cost of any necessary servicing, 273 | repair, or correction. This disclaimer of warranty constitutes an essential 274 | part of this License. No use of any Covered Software is authorized under 275 | this License except under this disclaimer. 276 | 277 | 7. 
Limitation of Liability 278 | 279 | Under no circumstances and under no legal theory, whether tort (including 280 | negligence), contract, or otherwise, shall any Contributor, or anyone who 281 | distributes Covered Software as permitted above, be liable to You for any 282 | direct, indirect, special, incidental, or consequential damages of any 283 | character including, without limitation, damages for lost profits, loss of 284 | goodwill, work stoppage, computer failure or malfunction, or any and all 285 | other commercial damages or losses, even if such party shall have been 286 | informed of the possibility of such damages. This limitation of liability 287 | shall not apply to liability for death or personal injury resulting from 288 | such party's negligence to the extent applicable law prohibits such 289 | limitation. Some jurisdictions do not allow the exclusion or limitation of 290 | incidental or consequential damages, so this exclusion and limitation may 291 | not apply to You. 292 | 293 | 8. Litigation 294 | 295 | Any litigation relating to this License may be brought only in the courts 296 | of a jurisdiction where the defendant maintains its principal place of 297 | business and such litigation shall be governed by laws of that 298 | jurisdiction, without reference to its conflict-of-law provisions. Nothing 299 | in this Section shall prevent a party's ability to bring cross-claims or 300 | counter-claims. 301 | 302 | 9. Miscellaneous 303 | 304 | This License represents the complete agreement concerning the subject 305 | matter hereof. If any provision of this License is held to be 306 | unenforceable, such provision shall be reformed only to the extent 307 | necessary to make it enforceable. Any law or regulation which provides that 308 | the language of a contract shall be construed against the drafter shall not 309 | be used to construe this License against a Contributor. 310 | 311 | 312 | 10. Versions of the License 313 | 314 | 10.1. 
New Versions 315 | 316 | Mozilla Foundation is the license steward. Except as provided in Section 317 | 10.3, no one other than the license steward has the right to modify or 318 | publish new versions of this License. Each version will be given a 319 | distinguishing version number. 320 | 321 | 10.2. Effect of New Versions 322 | 323 | You may distribute the Covered Software under the terms of the version 324 | of the License under which You originally received the Covered Software, 325 | or under the terms of any subsequent version published by the license 326 | steward. 327 | 328 | 10.3. Modified Versions 329 | 330 | If you create software not governed by this License, and you want to 331 | create a new license for such software, you may create and use a 332 | modified version of this License if you rename the license and remove 333 | any references to the name of the license steward (except to note that 334 | such modified license differs from this License). 335 | 336 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 337 | Licenses If You choose to distribute Source Code Form that is 338 | Incompatible With Secondary Licenses under the terms of this version of 339 | the License, the notice described in Exhibit B of this License must be 340 | attached. 341 | 342 | Exhibit A - Source Code Form License Notice 343 | 344 | This Source Code Form is subject to the 345 | terms of the Mozilla Public License, v. 346 | 2.0. If a copy of the MPL was not 347 | distributed with this file, You can 348 | obtain one at 349 | http://mozilla.org/MPL/2.0/. 350 | 351 | If it is not possible or desirable to put the notice in a particular file, 352 | then You may include the notice in a location (such as a LICENSE file in a 353 | relevant directory) where a recipient would be likely to look for such a 354 | notice. 355 | 356 | You may add additional accurate notices of copyright ownership. 
357 | 358 | Exhibit B - "Incompatible With Secondary Licenses" Notice 359 | 360 | This Source Code Form is "Incompatible 361 | With Secondary Licenses", as defined by 362 | the Mozilla Public License, v. 2.0. 363 | 364 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Linux Audit Heka Plugin (GO) 2 | 3 | 4 | ### Note: 5 | 6 | The project has now been divided into two parts: the API to deal with the Linux kernel audit framework is now provided by [libaudit-go](https://github.com/mozilla/libaudit-go) (in current development), and the client (audit-go) provides an example of how to leverage libaudit-go. 7 | 8 | ----------------------- 9 | 10 | This project aims to deliver the same functionality as Linux Audit (auditd, audispd) + audisp-cef/json but in native Go as a plugin to Heka. 11 | 12 | Currently the project listens for events from the kernel via the Netlink protocol, parses the messages and saves them in `/tmp/log`. 13 | 14 | Currently the Heka plugin is provided externally. Heka reads input using [Logstreamer](http://hekad.readthedocs.org/en/v0.10.0/config/inputs/logstreamer.html) from the file saved by `audit-go` and uses a custom lua decoder ([SandBoxed](http://hekad.readthedocs.org/en/v0.10.0/config/decoders/sandbox.html) decoder in Heka) defined in `audit_decoder.lua` which parses the audit messages and converts them to Heka Messages. 15 | 16 | The messages are then converted to JSON format using [ESJsonEncoder](http://hekad.readthedocs.org/en/v0.10.0/config/encoders/esjson.html) of Heka. 17 | 18 | To run with heka: 19 | 20 | * Move the decoder to the decoders directory of Heka. 21 | 22 | `cp audit_decoder.lua /usr/share/heka/lua_decoders/` 23 | 24 | * Run heka with the config file `heka.toml`. 25 | 26 | `hekad -config=heka.toml` 27 | 28 | * You can change the config settings as per your convenience and enable additional outputs in Heka. 
For example, to feed the JSON messages to an Elasticsearch server, uncomment lines 68-73 in `heka.toml` (assuming the ES server is running on `localhost:9200`). 29 | 30 | Goals: 31 | 32 | * To reduce complexity while integrating with log aggregation, visualization tools (e.g. Kibana) and security tools (e.g. MozDef). 33 | * Easier configuration and rule management. 34 | 35 | ### [Project Wiki](https://wiki.mozilla.org/Security/Mentorships/MWoS/2014/Linux_Audit_heka_plugin_%28Go%29) 36 | 37 | Feedback 38 | ----------------- 39 | Open an issue [https://github.com/mozilla/audit-go/issues](https://github.com/mozilla/audit-go/issues) to report a bug or request a new feature. Other comments and suggestions can be directly emailed to the authors. 40 | 41 | -------------------------------------------------------------------------------- /audit.rules: -------------------------------------------------------------------------------- 1 | audit.rules: 2 | # This file contains the auditctl rules that are loaded 3 | # whenever the audit daemon is started via the initscripts. 4 | # The rules are simply the parameters that would be passed 5 | # to auditctl. 6 | 7 | # First rule - delete all previous rules. 8 | -D 9 | 10 | ## Enable the kernel audit subsystem. 11 | # 1 means the configuration can be modified. 12 | # 2 means immutable until reboot (only set 2 at the *end* of the rule file - else you'll shoot yourself in the foot) 13 | -e 1 14 | 15 | # Increase the caching buffers to survive spikes, without dropping events. 16 | # You can make this bigger for busy systems. 17 | # Value is x times an audit record size in kernel memory. 18 | # A large value may use quite a few megs of kernel memory. 19 | -b 16348 20 | 21 | # Ignore errors (if a file path doesn't exist, for example, don't stop processing rules). 
22 | -i 23 | 24 | # Rate limit audit at the kernel level (msg/s) 25 | -r 500 26 | 27 | ## Generic logging 28 | # Bypass regular calls 29 | #-a always,exit -F arch=b64 -S personality -k bypass 30 | #-a always,exit -F arch=b32 -S personality -k bypass 31 | 32 | 33 | ## Exec logging 34 | # We're first excluding quite a few binaries from exec logging. 35 | # These are called often and do not provide significant value. 36 | -A exit,never -F path=/bin/ls -F perm=x 37 | -A exit,never -F path=/bin/sh -F perm=x 38 | -A exit,never -F path=/bin/grep -F perm=x 39 | -A exit,never -F path=/bin/egrep -F perm=x 40 | -A exit,never -F path=/usr/bin/tail -F perm=x 41 | -A exit,never -F path=/bin/stty -F perm=x 42 | -A exit,never -F path=/usr/bin/tty -F perm=x 43 | -A exit,never -F path=/usr/bin/wc -F perm=x 44 | -A exit,never -F path=/bin/ping -F perm=x 45 | -A exit,never -F path=/bin/sleep -F perm=x 46 | -A exit,never -F path=/bin/touch -F perm=x 47 | 48 | # Setup the exec monitoring for all other cases 49 | -a exit,always -F arch=b64 -S execve -k exec 50 | #-a exit,always -F arch=b32 -S execve -k exec 51 | 52 | #-a entry,always -S clone -S fork -S vfork 53 | #-a entry,always -S access -F a1=4 54 | 55 | ## Log changes to system configuration files. 
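56 | # Modify audit configuration 57 | -w /etc/audit/ -p wa -k audit 58 | 59 | # Modify startup 60 | -w /sbin/init -p wa -k init 61 | -w /etc/systemd -p wa -k init 62 | 63 | # Modify PAM 64 | -w /etc/pam.d -p wa -k pam 65 | -w /etc/security -p wa -k pam 66 | -w /lib/security -p wa -k pam 67 | 68 | # Users 69 | -w /etc/group -p wa -k user 70 | -w /etc/passwd -p wa -k user 71 | -w /etc/gshadow -p wa -k user 72 | -w /etc/shadow -p wa -k user 73 | -w /etc/sudoers -p wa -k user 74 | 75 | 76 | # Time changes 77 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change 78 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 79 | -------------------------------------------------------------------------------- /audit_decoder.lua: --------------------------------------------------------------------------------
-- Place this file in usr/share/heka/lua_decoders/ and run the heka config file
--
-- Sandboxed Heka decoder for Linux audit records of the form
--   type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 ...
-- The fixed header (type, timestamp, serial) is parsed by the grammar below;
-- the rest of the line becomes an optional free-text "message" followed by
-- key=value pairs, which are collected into the Fields table.
local l = require 'lpeg'

l.locale(l)

-- "seconds.fraction" as written inside msg=audit(...)
local num = (l.digit^1 * "." * l.digit^1) / tonumber
-- Record type name: upper-case words joined by underscores.
-- The original pattern allowed at most one underscore, so types with two or
-- more (e.g. CRYPTO_KEY_USER) did not match and the whole record was silently
-- dropped (process_message returned -1).  Every name the old pattern accepted
-- is still accepted.
local name = l.upper^1 * (l.P("_") * l.upper^0)^0
local rectype = l.P("type=") * l.Cg(name, "Type")
local timestamp = l.P("msg=audit(") * l.Cg(num, "Timestamp")
local serial = l.P(":") * l.Cg(l.digit^1 / tonumber, "serialnum") -- taking an integer for now

local space = l.space^0
local fieldname = l.C(l.alpha^1 * (l.alnum + "-" + "_")^0)
-- Quoted values: the surrounding quotes are stripped and escaped quotes unescaped.
local quoted = '"' * l.Cs((l.P'\\"' / '"' + (l.P(1) - '"'))^0) * '"'
local single_quoted = "'" * l.Cs((l.P"\\'" / "'" + (l.P(1) - "'"))^0) * "'"

-- All-digit values become Lua numbers.  The lookahead also accepts end of
-- input so the last field on a line gets the same type as the others; the
-- original required a trailing space, so a final "exit=0" stayed the string "0".
local numeric = l.C(l.digit^1 * #(l.space + -1)) / tonumber
local unquoted = l.C(l.alnum^1 + l.R"!~"^1)
local fieldvalue = quoted + single_quoted + numeric + unquoted
local sep = space
local pair = l.Cg(fieldname * "=" * fieldvalue) * sep^-1
-- Free text before the first key=value pair (present in e.g. AVC records).
local text = l.Cg((1 - pair)^0, "message") * sep^-1
local tab = l.P("):") * space * text * l.Cg(l.Cf(l.Ct("") * pair^0, rawset), "Fields")

-- Kept global as in the original; Heka itself only calls process_message.
grammar = l.Ct(rectype * l.space^-1 * timestamp * serial * tab)

local payload_keep = read_config("payload_keep")
local msg_type = read_config("type")

-- Replaced wholesale by the grammar's table capture on every call.
local msg = {
    Type = nil,
    Payload = nil,
    Fields = nil,
    Timestamp = nil,
}
require "os"

-- Decode one audit line from the Payload and inject it as a Heka message.
-- Returns 0 on success, -1 when the line does not parse or inject_message fails.
function process_message()
    local data = read_message("Payload")

    msg = grammar:match(data)
    if not msg then
        return -1
    end

    if payload_keep then
        msg.Payload = data
    end

    -- NOTE(review): Timestamp is a float (seconds.fraction) and is rewritten
    -- here as a local-time string, losing sub-second precision and the zone.
    -- os.date on a non-integer is accepted by Lua 5.1 but raises under 5.3+;
    -- confirm the sandbox's Lua version and that the outputs expect a string.
    local t = msg.Timestamp
    msg.Timestamp = os.date("%Y-%m-%d %H:%M:%S", t)

    msg.Fields["type"] = msg.Type -- event type (msg.Type itself is overwritten below)
    msg.Fields["serialNum"] = msg.serialnum
    -- Free text only exists for special record types such as AVC.
    if msg.message ~= "" then
        msg.Fields["msgdata"] = msg.message
    else
        msg.message = nil
    end

    msg.serialnum = nil
    msg.Type = msg_type

    if not pcall(inject_message, msg) then
        return -1
    end

    return 0
end
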
-------------------------------------------------------------------------------- /heka.toml: -------------------------------------------------------------------------------- 1 | [hekad] 2 | maxprocs = 2 3 | 4 | [Audit] 5 | type = "LogstreamerInput" 6 | log_directory = "/tmp/" 7 | file_match = 'log' 8 | decoder = "audit_decoder" 9 | #Can be tested with standard audit logs too 10 | #log_directory = "/var/log/audit" 11 | #file_match = 'audit.log\.?(?P\d*)' 12 | #priority = ["^Seq"] 13 | 14 | 15 | [audit_decoder] 16 | type = "SandboxDecoder" 17 | script_type = "lua" 18 | filename = "lua_decoders/audit_decoder.lua" 19 | 20 | [audit_decoder.config] 21 | type="audit_log" 22 | payload_keep = false 23 | 24 | [AuditUniqueCalls] 25 | type = "SandboxFilter" 26 | filename = "lua_filters/unique_items.lua" 27 | ticker_interval = 10 28 | preserve_data = true 29 | message_matcher = "Type == 'audit_log'" 30 | 31 | [AuditUniqueCalls.config] 32 | enable_delta = true 33 | message_variable = "Fields[comm]" 34 | title = "Estimated Activities" 35 | preservation_version = 0 36 | 37 | [AuditTypeFrequent] 38 | type = "SandboxFilter" 39 | filename = "lua_filters/frequent_items.lua" 40 | ticker_interval = 10 41 | preserve_data = true 42 | message_matcher = "Type == 'audit_log'" 43 | 44 | 45 | [AuditTypeFrequent.config] 46 | message_variable = "Fields[type]" 47 | max_items = 10000 48 | min_output_weight = 100 49 | reset_days = 1 50 | 51 | [RstEncoder] 52 | 53 | [LogOutput] 54 | message_matcher = "Type == 'audit_log'" #"TRUE" 55 | encoder = "ESJsonEncoder" 56 | 57 | [ESJsonEncoder] 58 | index = "%{Type}-%{2006.01.02}" 59 | es_index_from_timestamp = true 60 | type_name = "%{Type}" 61 | 62 | [FileOutput] 63 | message_matcher = "Type == 'audit_log'" 64 | encoder = "ESJsonEncoder" 65 | path = "/tmp/output" 66 | 67 | 68 | #[ElasticSearchOutput] 69 | #message_matcher = "Type == 'audit_log'" 70 | #server = "http://localhost:9200" 71 | #flush_interval = 5000 72 | #flush_count = 10 73 | #encoder = 
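"ESJsonEncoder" 74 | 75 | #[CarbonOutput] 76 | #message_matcher = "Type == 'heka.statmetric'" 77 | #address = "127.0.0.1:2003" 78 | 79 | 80 | [DashboardOutput] 81 | address = "127.0.0.1:4352" 82 | ticker_interval = 10 83 | working_directory = "dashboard" 84 | static_directory = "/usr/share/heka/dasher" 85 | -------------------------------------------------------------------------------- /main.go: --------------------------------------------------------------------------------
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"log/syslog"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"syscall"

	"./libaudit-go"
)

// sysLog is opened lazily by logLine on first use and shared afterwards.
var sysLog *syslog.Writer

// logLine forwards one line to the local syslog (facility LOCAL0, severity
// WARNING, tag "auditd"), dialling the connection on first use. Empty lines
// are dropped. If syslog cannot be reached the line goes to the standard
// logger instead; the original ignored the Dial error and then wrote through
// a nil *syslog.Writer, which panics.
func logLine(data string) {
	if data == "" {
		return
	}
	if sysLog == nil {
		w, err := syslog.Dial("", "", syslog.LOG_LOCAL0|syslog.LOG_WARNING, "auditd")
		if err != nil {
			log.Println("syslog unavailable:", err, "event:", data)
			return
		}
		sysLog = w
	}
	if _, err := sysLog.Write([]byte(data)); err != nil {
		log.Println("Writing Error!!", err)
	}
}

// EventCallback is handed to netlinkAudit.GetAuditEvents and receives one
// decoded audit event per call. It logs the event and forwards the
// JSON-encoded field map (msg.Data) to syslog via logLine. ce and args are
// part of the callback signature; this implementation does not use them.
func EventCallback(msg *netlinkAudit.AuditEvent, ce chan error, args ...interface{}) {
	if msg == nil {
		return
	}
	jsonString, err := json.Marshal(msg.Data)
	if err != nil {
		// Nothing to forward. The original fell through, called logLine with
		// an empty string and then reported the marshal error as a write error.
		log.Println(err)
		return
	}
	log.Println("Type=" + msg.Type + " Info=" + string(jsonString))
	logLine(string(jsonString))
}

// convertRules runs tools/rules2json.py on an auditctl-style rules file and
// returns the JSON it prints. The script is resolved below the current
// working directory, as before; the rules path is made absolute first so that
// both "audit.rules" and "/etc/audit/audit.rules" work (the original prefixed
// the working directory unconditionally, which broke absolute paths).
//
// NOTE(review): the process is normally started with sudo (see the usage
// line), so the script it executes should live in a checkout that other users
// cannot write to; resolving the tools directory from a fixed install
// location would remove the dependence on the working directory.
func convertRules(rulesPath string) ([]byte, error) {
	dir, err := os.Getwd()
	if err != nil {
		return nil, err
	}
	absRules, err := filepath.Abs(rulesPath)
	if err != nil {
		return nil, err
	}
	out, err := exec.Command(filepath.Join(dir, "tools", "rules2json.py"), absRules).Output()
	if err != nil {
		// Output() keeps stderr in the ExitError; surface it, it usually
		// names the offending rule.
		if ee, ok := err.(*exec.ExitError); ok && len(ee.Stderr) > 0 {
			return nil, fmt.Errorf("rules2json.py failed: %v: %s", err, ee.Stderr)
		}
		return nil, fmt.Errorf("rules2json.py failed: %v", err)
	}
	return out, nil
}

// parseRules decodes rules2json output into a map. The original ignored the
// Unmarshal error and then did an unchecked type assertion, which panics on
// anything that is not a JSON object.
func parseRules(data []byte) (map[string]interface{}, error) {
	var rules map[string]interface{}
	if err := json.Unmarshal(data, &rules); err != nil {
		return nil, fmt.Errorf("rules2json.py output is not a JSON object: %v", err)
	}
	return rules, nil
}

// intSetting returns rules[key] as an int, or def when the key is absent.
// rules2json stores these settings as JSON strings (e.g. "rate": "500"); a
// JSON number is accepted as well.
func intSetting(rules map[string]interface{}, key string, def int) (int, error) {
	v, ok := rules[key]
	if !ok {
		return def, nil
	}
	switch x := v.(type) {
	case string:
		return strconv.Atoi(x)
	case float64:
		return int(x), nil
	default:
		return 0, fmt.Errorf("setting %q has unsupported type %T", key, v)
	}
}

// main converts the rules file named on the command line, configures the
// kernel audit subsystem over netlink (enable, rate limit, backlog, pid,
// rules) and then forwards audit events to syslog until killed.
func main() {
	// Check usage before opening the privileged netlink socket.
	if len(os.Args) < 2 {
		fmt.Println("Usage: sudo go run main.go audit.rules")
		os.Exit(0)
	}

	rulesJSON, err := convertRules(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	rules, err := parseRules(rulesJSON)
	if err != nil {
		log.Fatal(err)
	}

	// Request NetlinkSocket
	s, err := netlinkAudit.NewNetlinkConnection()
	if err != nil {
		log.Println(err)
		log.Fatalln("Error while availing socket, Exiting")
	}
	defer s.Close()

	// Enable Audit
	if err = netlinkAudit.AuditSetEnabled(s, 1); err != nil {
		log.Fatal("Error while enabling Audit", err)
	}

	// Check if Audit is enabled
	status, err := netlinkAudit.AuditIsEnabled(s)
	switch {
	case err != nil:
		log.Fatalln("Error while fetching status", err)
	case status == 1:
		log.Println("Enabled Audit")
	case status == 0:
		log.Fatalln("Audit Not Enabled")
	default:
		log.Fatalln("Unexpected audit status", status)
	}

	// Set the maximum number of messages that the kernel will send per second.
	rate, err := intSetting(rules, "rate", 600)
	if err != nil {
		log.Fatalln("Error converting rate limit to integer", err)
	}
	if err = netlinkAudit.AuditSetRateLimit(s, rate); err != nil {
		log.Fatalln("Error Setting Rate Limit", err)
	}

	// Set max limit audit message queue. The original read rules["rate"] here
	// (copy-paste), so the configured buffer size was never applied.
	backlog, err := intSetting(rules, "buffer", 420)
	if err != nil {
		log.Fatalln("Error converting backlog limit to integer", err)
	}
	if err = netlinkAudit.AuditSetBacklogLimit(s, backlog); err != nil {
		log.Fatalln("Error Setting Backlog Limit", err)
	}

	// Register current pid with audit so the kernel delivers events to us.
	if err = netlinkAudit.AuditSetPid(s, uint32(syscall.Getpid())); err != nil {
		// Kept non-fatal as before, but no longer silent: without a
		// registered pid no events will ever arrive.
		log.Println("Error setting audit pid", err)
	} else {
		log.Println("Set pid successful")
	}

	// Delete all rules
	if _, ok := rules["delete"]; ok {
		log.Println("Deleting all rules")
		if err = netlinkAudit.DeleteAllRules(s); err != nil {
			log.Fatalln("Deleting Rules Unsuccessful, Exiting", err)
		}
		log.Println("Deleted all rules")
	}

	// Set audit rules
	if err = netlinkAudit.SetRules(s, rulesJSON); err != nil {
		log.Fatalln("Setting Rule Unsuccessful: ", err)
	}

	errchan := make(chan error)

	// Goroutine to monitor events and feed AuditEvent values to the callback.
	netlinkAudit.GetAuditEvents(s, EventCallback, errchan)

	// Block here as select {} did, but drain errchan so a sender inside
	// GetAuditEvents can never stall on an unread channel, and fail loudly if
	// the channel is closed rather than staying alive while no events arrive.
	for err := range errchan {
		log.Println("Audit event error:", err)
	}
	log.Fatalln("Audit event channel closed, Exiting")
}
-------------------------------------------------------------------------------- /tools/audit.rules.json: -------------------------------------------------------------------------------- 1 | { 2 | "delete": true, 3 | "enable": "1", 4 | "buffer": "16348", 5 | "rate": "500", 6 | "file_rules": [ 7 | { 8 | "path": "/etc/audit/", 9 | "key": "audit", 10 | "permission": "wa" 11 | }, 12 | { 13 | "path": "/etc/audisp/", 14 | "key": "audit", 15 | "permission": "wa" 16 | }, 17 | { 18 | "path": "/etc/sysconfig/auditd", 19 | "key": "audit", 20 | "permission": "wa" 21 | }, 22 | { 23 | "path": "/etc/libaudit.conf", 24 | "key": "audit", 25 | "permission": "wa" 26 | }, 27 | { 28 | "path": "/etc/rsyslog.conf", 29 | "key": "syslog", 30 | "permission": "wa" 31 | }, 32 | { 33 | "path": "/etc/rsyslog-ng/", 34 | "key": "syslog" 35 | }, 36 | { 37 | "path": "/etc/syslog.conf", 38 | "key": "syslog", 39 | "permission": "wa" 40 | }, 41 | { 42 | "path": "/etc/syslog-ng.conf", 43 | "key": "syslog", 44 | "permission": "wa" 45 | }, 46 | { 47 | "path": "/etc/syslog-ng/", 48 | "key": "syslog", 49 | "permission": "wa" 50 | }, 51 | { 52 | "path": "/data/hekad/hekad.toml", 53 | "key": "heka", 54 | "permission": "wa" 55 | }, 56 | { 57 | "path": "/etc/hekad/hekad.toml", 58 | "key": "heka", 59 | "permission": "wa" 60 | }, 61 | { 62 | "path": "/etc/cron.allow", 63 | "key": "cron", 64 | "permission": "wa" 65 | }, 66 | { 67 | "path": "/etc/cron.deny", 68 | "key": 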
"cron", 69 | "permission": "wa" 70 | }, 71 | { 72 | "path": "/etc/cron.d/", 73 | "key": "cron", 74 | "permission": "wa" 75 | }, 76 | { 77 | "path": "/etc/cron.daily/", 78 | "key": "cron", 79 | "permission": "wa" 80 | }, 81 | { 82 | "path": "/etc/cron.hourly/", 83 | "key": "cron", 84 | "permission": "wa" 85 | }, 86 | { 87 | "path": "/etc/cron.monthly/", 88 | "key": "cron", 89 | "permission": "wa" 90 | }, 91 | { 92 | "path": "/etc/cron.weekly/", 93 | "key": "cron", 94 | "permission": "wa" 95 | }, 96 | { 97 | "path": "/etc/crontab", 98 | "key": "cron", 99 | "permission": "wa" 100 | }, 101 | { 102 | "path": "/var/spool/cron/root", 103 | "key": "cron", 104 | "permission": "wa" 105 | }, 106 | { 107 | "path": "/etc/rc.d/init.d/", 108 | "key": "init", 109 | "permission": "wa" 110 | }, 111 | { 112 | "path": "/sbin/init", 113 | "key": "init", 114 | "permission": "wa" 115 | }, 116 | { 117 | "path": "/etc/inittab", 118 | "key": "init", 119 | "permission": "wa" 120 | }, 121 | { 122 | "path": "/etc/systemd", 123 | "key": "init", 124 | "permission": "wa" 125 | }, 126 | { 127 | "path": "/etc/pam.d", 128 | "key": "pam", 129 | "permission": "wa" 130 | }, 131 | { 132 | "path": "/etc/security", 133 | "key": "pam", 134 | "permission": "wa" 135 | }, 136 | { 137 | "path": "/lib/security", 138 | "key": "pam", 139 | "permission": "wa" 140 | }, 141 | { 142 | "path": "/etc/sshd", 143 | "key": "sshd", 144 | "permission": "wa" 145 | }, 146 | { 147 | "path": "/etc/group", 148 | "key": "user", 149 | "permission": "wa" 150 | }, 151 | { 152 | "path": "/etc/passwd", 153 | "key": "user", 154 | "permission": "wa" 155 | }, 156 | { 157 | "path": "/etc/gshadow", 158 | "key": "user", 159 | "permission": "wa" 160 | }, 161 | { 162 | "path": "/etc/shadow", 163 | "key": "user", 164 | "permission": "wa" 165 | }, 166 | { 167 | "path": "/etc/security/opasswd", 168 | "key": "user", 169 | "permission": "wa" 170 | }, 171 | { 172 | "path": "/etc/sudoers", 173 | "key": "user", 174 | "permission": "wa" 175 | }, 176 | 
{ 177 | "path": "/etc/localtime", 178 | "key": "time-change", 179 | "permission": "wa" 180 | }, 181 | { 182 | "path": "/usr/bin", 183 | "key": "binaries", 184 | "permission": "wa" 185 | }, 186 | { 187 | "path": "/bin", 188 | "key": "binaries", 189 | "permission": "wa" 190 | }, 191 | { 192 | "path": "/usr/sbin", 193 | "key": "binaries", 194 | "permission": "wa" 195 | }, 196 | { 197 | "path": "/sbin", 198 | "key": "binaries", 199 | "permission": "wa" 200 | }, 201 | { 202 | "path": "/usr/local/bin", 203 | "key": "binaries", 204 | "permission": "wa" 205 | }, 206 | { 207 | "path": "/usr/local/sbin", 208 | "key": "binaries", 209 | "permission": "wa" 210 | } 211 | ], 212 | "syscall_rules": [ 213 | { 214 | "key": "bypass", 215 | "fields": [ 216 | { 217 | "name": "arch", 218 | "value": 64, 219 | "op": "eq" 220 | } 221 | ], 222 | "syscalls": [ 223 | "personality" 224 | ], 225 | "actions": [ 226 | "always", 227 | "exit" 228 | ] 229 | }, 230 | { 231 | "key": "bypass", 232 | "fields": [ 233 | { 234 | "name": "arch", 235 | "value": 32, 236 | "op": "eq" 237 | } 238 | ], 239 | "syscalls": [ 240 | "personality" 241 | ], 242 | "actions": [ 243 | "always", 244 | "exit" 245 | ] 246 | }, 247 | { 248 | "fields": [ 249 | { 250 | "name": "dir", 251 | "value": "/usr/lib/nagios/plugins", 252 | "op": "eq" 253 | }, 254 | { 255 | "name": "perm", 256 | "value": "x", 257 | "op": "eq" 258 | } 259 | ], 260 | "actions": [ 261 | "exit", 262 | "never" 263 | ] 264 | }, 265 | { 266 | "fields": [ 267 | { 268 | "name": "dir", 269 | "value": "/usr/lib64/nagios/plugins", 270 | "op": "eq" 271 | }, 272 | { 273 | "name": "perm", 274 | "value": "x", 275 | "op": "eq" 276 | } 277 | ], 278 | "actions": [ 279 | "exit", 280 | "never" 281 | ] 282 | }, 283 | { 284 | "fields": [ 285 | { 286 | "name": "path", 287 | "value": "/opt/compaq/utils/usb-device.sh", 288 | "op": "eq" 289 | }, 290 | { 291 | "name": "perm", 292 | "value": "x", 293 | "op": "eq" 294 | } 295 | ], 296 | "actions": [ 297 | "exit", 298 | "never" 299 | 
] 300 | }, 301 | { 302 | "fields": [ 303 | { 304 | "name": "path", 305 | "value": "/bin/ls", 306 | "op": "eq" 307 | }, 308 | { 309 | "name": "perm", 310 | "value": "x", 311 | "op": "eq" 312 | } 313 | ], 314 | "actions": [ 315 | "exit", 316 | "never" 317 | ] 318 | }, 319 | { 320 | "fields": [ 321 | { 322 | "name": "path", 323 | "value": "/bin/sh", 324 | "op": "eq" 325 | }, 326 | { 327 | "name": "perm", 328 | "value": "x", 329 | "op": "eq" 330 | } 331 | ], 332 | "actions": [ 333 | "exit", 334 | "never" 335 | ] 336 | }, 337 | { 338 | "fields": [ 339 | { 340 | "name": "path", 341 | "value": "/bin/grep", 342 | "op": "eq" 343 | }, 344 | { 345 | "name": "perm", 346 | "value": "x", 347 | "op": "eq" 348 | } 349 | ], 350 | "actions": [ 351 | "exit", 352 | "never" 353 | ] 354 | }, 355 | { 356 | "fields": [ 357 | { 358 | "name": "path", 359 | "value": "/bin/egrep", 360 | "op": "eq" 361 | }, 362 | { 363 | "name": "perm", 364 | "value": "x", 365 | "op": "eq" 366 | } 367 | ], 368 | "actions": [ 369 | "exit", 370 | "never" 371 | ] 372 | }, 373 | { 374 | "fields": [ 375 | { 376 | "name": "path", 377 | "value": "/bin/less", 378 | "op": "eq" 379 | }, 380 | { 381 | "name": "perm", 382 | "value": "x", 383 | "op": "eq" 384 | } 385 | ], 386 | "actions": [ 387 | "exit", 388 | "never" 389 | ] 390 | }, 391 | { 392 | "fields": [ 393 | { 394 | "name": "path", 395 | "value": "/usr/bin/lesspipe.sh", 396 | "op": "eq" 397 | }, 398 | { 399 | "name": "perm", 400 | "value": "x", 401 | "op": "eq" 402 | } 403 | ], 404 | "actions": [ 405 | "exit", 406 | "never" 407 | ] 408 | }, 409 | { 410 | "fields": [ 411 | { 412 | "name": "path", 413 | "value": "/usr/bin/tail", 414 | "op": "eq" 415 | }, 416 | { 417 | "name": "perm", 418 | "value": "x", 419 | "op": "eq" 420 | } 421 | ], 422 | "actions": [ 423 | "exit", 424 | "never" 425 | ] 426 | }, 427 | { 428 | "fields": [ 429 | { 430 | "name": "path", 431 | "value": "/sbin/consoletype", 432 | "op": "eq" 433 | }, 434 | { 435 | "name": "perm", 436 | "value": "x", 
437 | "op": "eq" 438 | } 439 | ], 440 | "actions": [ 441 | "exit", 442 | "never" 443 | ] 444 | }, 445 | { 446 | "fields": [ 447 | { 448 | "name": "path", 449 | "value": "/bin/stty", 450 | "op": "eq" 451 | }, 452 | { 453 | "name": "perm", 454 | "value": "x", 455 | "op": "eq" 456 | } 457 | ], 458 | "actions": [ 459 | "exit", 460 | "never" 461 | ] 462 | }, 463 | { 464 | "fields": [ 465 | { 466 | "name": "path", 467 | "value": "/usr/bin/tty", 468 | "op": "eq" 469 | }, 470 | { 471 | "name": "perm", 472 | "value": "x", 473 | "op": "eq" 474 | } 475 | ], 476 | "actions": [ 477 | "exit", 478 | "never" 479 | ] 480 | }, 481 | { 482 | "fields": [ 483 | { 484 | "name": "path", 485 | "value": "/bin/tput", 486 | "op": "eq" 487 | }, 488 | { 489 | "name": "perm", 490 | "value": "x", 491 | "op": "eq" 492 | } 493 | ], 494 | "actions": [ 495 | "exit", 496 | "never" 497 | ] 498 | }, 499 | { 500 | "fields": [ 501 | { 502 | "name": "path", 503 | "value": "/usr/bin/file", 504 | "op": "eq" 505 | }, 506 | { 507 | "name": "perm", 508 | "value": "x", 509 | "op": "eq" 510 | } 511 | ], 512 | "actions": [ 513 | "exit", 514 | "never" 515 | ] 516 | }, 517 | { 518 | "fields": [ 519 | { 520 | "name": "path", 521 | "value": "/usr/bin/w", 522 | "op": "eq" 523 | }, 524 | { 525 | "name": "perm", 526 | "value": "x", 527 | "op": "eq" 528 | } 529 | ], 530 | "actions": [ 531 | "exit", 532 | "never" 533 | ] 534 | }, 535 | { 536 | "fields": [ 537 | { 538 | "name": "path", 539 | "value": "/bin/netstat", 540 | "op": "eq" 541 | }, 542 | { 543 | "name": "perm", 544 | "value": "x", 545 | "op": "eq" 546 | } 547 | ], 548 | "actions": [ 549 | "exit", 550 | "never" 551 | ] 552 | }, 553 | { 554 | "fields": [ 555 | { 556 | "name": "path", 557 | "value": "/bin/uname", 558 | "op": "eq" 559 | }, 560 | { 561 | "name": "perm", 562 | "value": "x", 563 | "op": "eq" 564 | } 565 | ], 566 | "actions": [ 567 | "exit", 568 | "never" 569 | ] 570 | }, 571 | { 572 | "fields": [ 573 | { 574 | "name": "path", 575 | "value": 
"/bin/basename", 576 | "op": "eq" 577 | }, 578 | { 579 | "name": "perm", 580 | "value": "x", 581 | "op": "eq" 582 | } 583 | ], 584 | "actions": [ 585 | "exit", 586 | "never" 587 | ] 588 | }, 589 | { 590 | "fields": [ 591 | { 592 | "name": "path", 593 | "value": "/usr/bin/which", 594 | "op": "eq" 595 | }, 596 | { 597 | "name": "perm", 598 | "value": "x", 599 | "op": "eq" 600 | } 601 | ], 602 | "actions": [ 603 | "exit", 604 | "never" 605 | ] 606 | }, 607 | { 608 | "fields": [ 609 | { 610 | "name": "path", 611 | "value": "/bin/netstat", 612 | "op": "eq" 613 | }, 614 | { 615 | "name": "perm", 616 | "value": "x", 617 | "op": "eq" 618 | } 619 | ], 620 | "actions": [ 621 | "exit", 622 | "never" 623 | ] 624 | }, 625 | { 626 | "fields": [ 627 | { 628 | "name": "path", 629 | "value": "/usr/bin/netstat", 630 | "op": "eq" 631 | }, 632 | { 633 | "name": "perm", 634 | "value": "x", 635 | "op": "eq" 636 | } 637 | ], 638 | "actions": [ 639 | "exit", 640 | "never" 641 | ] 642 | }, 643 | { 644 | "fields": [ 645 | { 646 | "name": "path", 647 | "value": "/bin/hostname", 648 | "op": "eq" 649 | }, 650 | { 651 | "name": "perm", 652 | "value": "x", 653 | "op": "eq" 654 | } 655 | ], 656 | "actions": [ 657 | "exit", 658 | "never" 659 | ] 660 | }, 661 | { 662 | "fields": [ 663 | { 664 | "name": "path", 665 | "value": "/usr/bin/wc", 666 | "op": "eq" 667 | }, 668 | { 669 | "name": "perm", 670 | "value": "x", 671 | "op": "eq" 672 | } 673 | ], 674 | "actions": [ 675 | "exit", 676 | "never" 677 | ] 678 | }, 679 | { 680 | "fields": [ 681 | { 682 | "name": "path", 683 | "value": "/usr/bin/gmetric", 684 | "op": "eq" 685 | }, 686 | { 687 | "name": "perm", 688 | "value": "x", 689 | "op": "eq" 690 | } 691 | ], 692 | "actions": [ 693 | "exit", 694 | "never" 695 | ] 696 | }, 697 | { 698 | "fields": [ 699 | { 700 | "name": "path", 701 | "value": "/sbin/ethtool", 702 | "op": "eq" 703 | }, 704 | { 705 | "name": "perm", 706 | "value": "x", 707 | "op": "eq" 708 | } 709 | ], 710 | "actions": [ 711 | "exit", 
712 | "never" 713 | ] 714 | }, 715 | { 716 | "fields": [ 717 | { 718 | "name": "path", 719 | "value": "/usr/bin/sed", 720 | "op": "eq" 721 | }, 722 | { 723 | "name": "perm", 724 | "value": "x", 725 | "op": "eq" 726 | } 727 | ], 728 | "actions": [ 729 | "exit", 730 | "never" 731 | ] 732 | }, 733 | { 734 | "fields": [ 735 | { 736 | "name": "path", 737 | "value": "/bin/sed", 738 | "op": "eq" 739 | }, 740 | { 741 | "name": "perm", 742 | "value": "x", 743 | "op": "eq" 744 | } 745 | ], 746 | "actions": [ 747 | "exit", 748 | "never" 749 | ] 750 | }, 751 | { 752 | "fields": [ 753 | { 754 | "name": "path", 755 | "value": "/bin/ping", 756 | "op": "eq" 757 | }, 758 | { 759 | "name": "perm", 760 | "value": "x", 761 | "op": "eq" 762 | } 763 | ], 764 | "actions": [ 765 | "exit", 766 | "never" 767 | ] 768 | }, 769 | { 770 | "fields": [ 771 | { 772 | "name": "path", 773 | "value": "/sbin/lsmod", 774 | "op": "eq" 775 | }, 776 | { 777 | "name": "perm", 778 | "value": "x", 779 | "op": "eq" 780 | } 781 | ], 782 | "actions": [ 783 | "exit", 784 | "never" 785 | ] 786 | }, 787 | { 788 | "fields": [ 789 | { 790 | "name": "path", 791 | "value": "/bin/sleep", 792 | "op": "eq" 793 | }, 794 | { 795 | "name": "perm", 796 | "value": "x", 797 | "op": "eq" 798 | } 799 | ], 800 | "actions": [ 801 | "exit", 802 | "never" 803 | ] 804 | }, 805 | { 806 | "fields": [ 807 | { 808 | "name": "path", 809 | "value": "/bin/cut", 810 | "op": "eq" 811 | }, 812 | { 813 | "name": "perm", 814 | "value": "x", 815 | "op": "eq" 816 | } 817 | ], 818 | "actions": [ 819 | "exit", 820 | "never" 821 | ] 822 | }, 823 | { 824 | "fields": [ 825 | { 826 | "name": "path", 827 | "value": "/bin/touch", 828 | "op": "eq" 829 | }, 830 | { 831 | "name": "perm", 832 | "value": "x", 833 | "op": "eq" 834 | } 835 | ], 836 | "actions": [ 837 | "exit", 838 | "never" 839 | ] 840 | }, 841 | { 842 | "fields": [ 843 | { 844 | "name": "path", 845 | "value": "/bin/env", 846 | "op": "eq" 847 | }, 848 | { 849 | "name": "perm", 850 | "value": 
"x", 851 | "op": "eq" 852 | } 853 | ], 854 | "actions": [ 855 | "exit", 856 | "never" 857 | ] 858 | }, 859 | { 860 | "key": "exec", 861 | "fields": [ 862 | { 863 | "name": "arch", 864 | "value": 64, 865 | "op": "eq" 866 | } 867 | ], 868 | "syscalls": [ 869 | "execve" 870 | ], 871 | "actions": [ 872 | "exit", 873 | "always" 874 | ] 875 | }, 876 | { 877 | "key": "exec", 878 | "fields": [ 879 | { 880 | "name": "arch", 881 | "value": 32, 882 | "op": "eq" 883 | } 884 | ], 885 | "syscalls": [ 886 | "execve" 887 | ], 888 | "actions": [ 889 | "exit", 890 | "always" 891 | ] 892 | }, 893 | { 894 | "syscalls": [ 895 | "clone", 896 | "fork", 897 | "vfork" 898 | ], 899 | "actions": [ 900 | "entry", 901 | "always" 902 | ] 903 | }, 904 | { 905 | "fields": [ 906 | { 907 | "name": "a1", 908 | "value": 4, 909 | "op": "eq" 910 | } 911 | ], 912 | "syscalls": [ 913 | "access" 914 | ], 915 | "actions": [ 916 | "entry", 917 | "always" 918 | ] 919 | }, 920 | { 921 | "key": "key_name`", 922 | "fields": [ 923 | { 924 | "name": "field", 925 | "value": "value", 926 | "op": "eq" 927 | } 928 | ], 929 | "syscalls": [ 930 | "system_call" 931 | ], 932 | "actions": [ 933 | "action", 934 | "filter" 935 | ] 936 | }, 937 | { 938 | "key": "rename", 939 | "fields": [ 940 | { 941 | "name": "arch", 942 | "value": 64, 943 | "op": "eq" 944 | }, 945 | { 946 | "name": "\"auid>", 947 | "value": "1000\"", 948 | "op": "eq" 949 | } 950 | ], 951 | "syscalls": [ 952 | "rename", 953 | "renameat" 954 | ], 955 | "actions": [ 956 | "always", 957 | "exit" 958 | ] 959 | }, 960 | { 961 | "key": "hosts_file_change", 962 | "fields": [ 963 | { 964 | "name": "path", 965 | "value": "/etc/hosts", 966 | "op": "eq" 967 | }, 968 | { 969 | "name": "perm", 970 | "value": "wa", 971 | "op": "eq" 972 | } 973 | ], 974 | "actions": [ 975 | "always", 976 | "exit" 977 | ] 978 | }, 979 | { 980 | "key": "time-change", 981 | "fields": [ 982 | { 983 | "name": "arch", 984 | "value": 32, 985 | "op": "eq" 986 | } 987 | ], 988 | "syscalls": [ 989 
| "adjtimex", 990 | "settimeofday" 991 | ], 992 | "actions": [ 993 | "always", 994 | "exit" 995 | ] 996 | }, 997 | { 998 | "key": "time-change", 999 | "fields": [ 1000 | { 1001 | "name": "arch", 1002 | "value": 64, 1003 | "op": "eq" 1004 | } 1005 | ], 1006 | "syscalls": [ 1007 | "adjtimex", 1008 | "settimeofday" 1009 | ], 1010 | "actions": [ 1011 | "always", 1012 | "exit" 1013 | ] 1014 | }, 1015 | { 1016 | "key": "module", 1017 | "fields": [ 1018 | { 1019 | "name": "arch", 1020 | "value": 64, 1021 | "op": "eq" 1022 | } 1023 | ], 1024 | "syscalls": [ 1025 | "init_module" 1026 | ], 1027 | "actions": [ 1028 | "exit", 1029 | "always" 1030 | ] 1031 | }, 1032 | { 1033 | "key": "module", 1034 | "fields": [ 1035 | { 1036 | "name": "arch", 1037 | "value": 32, 1038 | "op": "eq" 1039 | } 1040 | ], 1041 | "syscalls": [ 1042 | "init_module" 1043 | ], 1044 | "actions": [ 1045 | "exit", 1046 | "always" 1047 | ] 1048 | }, 1049 | { 1050 | "key": "kexec", 1051 | "fields": [ 1052 | { 1053 | "name": "arch", 1054 | "value": 64, 1055 | "op": "eq" 1056 | } 1057 | ], 1058 | "syscalls": [ 1059 | "kexec_load" 1060 | ], 1061 | "actions": [ 1062 | "exit", 1063 | "always" 1064 | ] 1065 | }, 1066 | { 1067 | "key": "kexec", 1068 | "fields": [ 1069 | { 1070 | "name": "arch", 1071 | "value": 32, 1072 | "op": "eq" 1073 | } 1074 | ], 1075 | "syscalls": [ 1076 | "kexec_load" 1077 | ], 1078 | "actions": [ 1079 | "exit", 1080 | "always" 1081 | ] 1082 | } 1083 | ] 1084 | } -------------------------------------------------------------------------------- /tools/audit2.rules: -------------------------------------------------------------------------------- 1 | audit.rules: 2 | # This file contains the auditctl rules that are loaded 3 | # whenever the audit daemon is started via the initscripts. 4 | # The rules are simply the parameters that would be passed 5 | # to auditctl. 6 | 7 | # First rule - delete all previous rules. 8 | -D 9 | 10 | ## Enable the kernel audit subsystem. 
11 | # 1 means the configuration can be modified. 12 | # 2 means immutable until reboot (only set 2 at the *end* of the rule file - else you'll shoot yourself in the foot) 13 | -e 1 14 | 15 | # Increase the caching buffers to survive spikes, without dropping events. 16 | # You can make this bigger for busy systems. 17 | # Value is x times an audit record size in kernel memory. 18 | # Large value may use quite a few megs of kernel memory. 19 | -b 16348 20 | 21 | # Ignore errors (if file path doesn't exist, for example, don't stop processing rules). 22 | -i 23 | 24 | # Rate limit audit at the kernel level (msg/s) 25 | -r 500 26 | 27 | ## Generic logging 28 | # Bypass regular calls 29 | -a always,exit -F arch=b64 -S personality -k bypass 30 | -a always,exit -F arch=b32 -S personality -k bypass 31 | 32 | ## Exec logging 33 | # We're first excluding quite a few binaries from exec logging. 34 | # These are called often and do not provide significant value. 35 | -A exit,never -F dir=/usr/lib/nagios/plugins -F perm=x 36 | -A exit,never -F dir=/usr/lib64/nagios/plugins -F perm=x 37 | -A exit,never -F path=/opt/compaq/utils/usb-device.sh -F perm=x 38 | -A exit,never -F path=/bin/ls -F perm=x 39 | -A exit,never -F path=/bin/sh -F perm=x 40 | -A exit,never -F path=/bin/grep -F perm=x 41 | -A exit,never -F path=/bin/egrep -F perm=x 42 | -A exit,never -F path=/bin/less -F perm=x 43 | -A exit,never -F path=/usr/bin/lesspipe.sh -F perm=x 44 | -A exit,never -F path=/usr/bin/tail -F perm=x 45 | -A exit,never -F path=/sbin/consoletype -F perm=x 46 | -A exit,never -F path=/bin/stty -F perm=x 47 | -A exit,never -F path=/usr/bin/tty -F perm=x 48 | -A exit,never -F path=/bin/tput -F perm=x 49 | -A exit,never -F path=/usr/bin/file -F perm=x 50 | -A exit,never -F path=/usr/bin/w -F perm=x 51 | -A exit,never -F path=/bin/netstat -F perm=x 52 | -A exit,never -F path=/bin/uname -F perm=x 53 | -A exit,never -F path=/bin/basename -F perm=x 54 | -A exit,never -F path=/usr/bin/which -F perm=x 55
| -A exit,never -F path=/bin/netstat -F perm=x 56 | -A exit,never -F path=/usr/bin/netstat -F perm=x 57 | -A exit,never -F path=/bin/hostname -F perm=x 58 | -A exit,never -F path=/usr/bin/wc -F perm=x 59 | -A exit,never -F path=/usr/bin/gmetric -F perm=x 60 | -A exit,never -F path=/sbin/ethtool -F perm=x 61 | -A exit,never -F path=/usr/bin/sed -F perm=x 62 | -A exit,never -F path=/bin/sed -F perm=x 63 | -A exit,never -F path=/bin/ping -F perm=x 64 | -A exit,never -F path=/sbin/lsmod -F perm=x 65 | -A exit,never -F path=/bin/sleep -F perm=x 66 | -A exit,never -F path=/bin/cut -F perm=x 67 | -A exit,never -F path=/bin/touch -F perm=x 68 | # as we're getting the fork'd exec logged, so such programs as env are ok to exclude 69 | -A exit,never -F path=/bin/env -F perm=x 70 | 71 | # Setup the exec monitoring for all other cases 72 | -a exit,always -F arch=b64 -S execve -k exec 73 | -a exit,always -F arch=b32 -S execve -k exec 74 | 75 | -a entry,always -S clone -S fork -S vfork 76 | -a entry,always -S access -F a1=4 77 | -a action,filter -S system_call -F field=value -k key_name` 78 | -a always,exit -F arch=b64 -F "auid>=1000" -S rename -S renameat -k rename 79 | -a always,exit -F path=/etc/hosts -F perm=wa -k hosts_file_change 80 | 81 | ## Log changes to system configuration files. 
82 | # Modify audit configuration 83 | -w /etc/audit/ -p wa -k audit 84 | -w /etc/audisp/ -p wa -k audit 85 | -w /etc/sysconfig/auditd -p wa -k audit 86 | -w /etc/libaudit.conf -p wa -k audit 87 | 88 | # Modify logging configuration 89 | -w /etc/rsyslog.conf -k syslog -p wa 90 | -w /etc/rsyslog-ng/ -k syslog 91 | -w /etc/syslog.conf -p wa -k syslog 92 | -w /etc/syslog-ng.conf -p wa -k syslog 93 | -w /etc/syslog-ng/ -p wa -k syslog 94 | -w /data/hekad/hekad.toml -p wa -k heka 95 | -w /etc/hekad/hekad.toml -p wa -k heka 96 | # Modify cron 97 | -w /etc/cron.allow -p wa -k cron 98 | -w /etc/cron.deny -p wa -k cron 99 | -w /etc/cron.d/ -p wa -k cron 100 | -w /etc/cron.daily/ -p wa -k cron 101 | -w /etc/cron.hourly/ -p wa -k cron 102 | -w /etc/cron.monthly/ -p wa -k cron 103 | -w /etc/cron.weekly/ -p wa -k cron 104 | -w /etc/crontab -p wa -k cron 105 | -w /var/spool/cron/root -p wa -k cron 106 | 107 | # Modify startup 108 | -w /etc/rc.d/init.d/ -p wa -k init 109 | -w /sbin/init -p wa -k init 110 | -w /etc/inittab -p wa -k init 111 | -w /etc/systemd -p wa -k init 112 | 113 | # Modify PAM 114 | -w /etc/pam.d -p wa -k pam 115 | -w /etc/security -p wa -k pam 116 | -w /lib/security -p wa -k pam 117 | 118 | # Modify SSHD 119 | -w /etc/sshd -p wa -k sshd 120 | 121 | # Users 122 | -w /etc/group -p wa -k user 123 | -w /etc/passwd -p wa -k user 124 | -w /etc/gshadow -p wa -k user 125 | -w /etc/shadow -p wa -k user 126 | -w /etc/security/opasswd -p wa -k user 127 | -w /etc/sudoers -p wa -k user 128 | 129 | # Time changes 130 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change 131 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 132 | 133 | -w /etc/localtime -p wa -k time-change 134 | 135 | # Module loading 136 | -a exit,always -F arch=b64 -S init_module -k module 137 | -a exit,always -F arch=b32 -S init_module -k module 138 | 139 | 140 | # Swapping kernel via kexec 141 | -a exit,always -F arch=b64 -S kexec_load -k kexec 142 | -a 
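exit,always -F arch=b32 -S kexec_load -k kexec 143 | 144 | 145 | # Changes to binaries (common locations) 146 | -w /usr/bin -p wa -k binaries 147 | -w /bin -p wa -k binaries 148 | -w /usr/sbin -p wa -k binaries 149 | -w /sbin -p wa -k binaries 150 | -w /usr/local/bin -p wa -k binaries 151 | -w /usr/local/sbin -p wa -k binaries 152 | 153 | # uncomment to temporarily disable auditd 154 | #-D 155 | -------------------------------------------------------------------------------- /tools/rules2json.py: --------------------------------------------------------------------------------
#!/usr/bin/python

# This file converts standard rules in audit.rules to json rules.
#
# Usage: rules2json.py <audit.rules>
# The JSON document is printed to stdout. A rule that cannot be converted is
# reported and the script exits with status 1 (the earlier version printed
# the error but exited 0).

from collections import OrderedDict
import json
import re
import shlex
import sys

# "-F name<op>value". The name group is non-greedy so that "auid>=1000" is
# split as ("auid", ">=", "1000"); the earlier greedy pattern yielded the
# field name "auid>" with operator "=", which is what tools/audit.rules.json
# on this page still contains.
_FIELD_RE = re.compile(r"(.+?)(!=|>=|<=|&=|=|>|<|&)(.+)")

# auditctl comparison operator -> operator name used in the JSON rules.
_OP_NAMES = {
    "!=": "nt_eq",
    ">=": "gt_or_eq",
    "<=": "lt_or_eq",
    "&=": "and_eq",
    "=": "eq",
    ">": "gt",
    "<": "lt",
    "&": "and",
}

# Single-valued auditctl settings -> key in the JSON document.
_SETTINGS = {"-b": "buffer", "-e": "enable", "-r": "rate"}


def _invalid(tokens):
    """Build the error raised for a rule that cannot be converted."""
    return ValueError("Invalid rule: " + " ".join(tokens))


def _field_value(name, raw):
    """Return the JSON value for a "-F" field.

    "arch=b64" / "arch=b32" become 64 / 32; other all-digit values become
    ints; anything else is kept as the string auditctl was given.
    """
    if name == "arch" and raw[:1] == "b" and raw[1:].isdigit():
        return int(raw[1:])
    if raw.isdigit():
        return int(raw)
    return raw


def parse_watch(tokens):
    """Parse a tokenised "-w path [-p perms] [-k key]" rule into a dict.

    -p and -k may appear in either order. "path" is always present;
    "permission" and "key" only when given. Raises ValueError for a missing
    path, an option without an argument, or an option other than -p/-k (the
    earlier version indexed tokens[2] unguarded and crashed on a bare "-w path").
    """
    if len(tokens) < 2:
        raise _invalid(tokens)
    watch = {"path": tokens[1]}
    for i in range(2, len(tokens), 2):
        if i + 1 >= len(tokens):
            raise _invalid(tokens)
        flag, arg = tokens[i], tokens[i + 1]
        if flag == "-p":
            watch["permission"] = arg
        elif flag == "-k":
            watch["key"] = arg
        else:
            raise _invalid(tokens)
    return watch


def parse_syscall_rule(tokens):
    """Parse a tokenised "-a|-A list,action [-S name]... [-F expr]... [-k key]" rule.

    Returns {"actions": [...], "syscalls": [...], "fields": [...], "key": ...};
    "syscalls" and "fields" are omitted when empty and "key" when no -k was
    given. Each -F expression becomes {"name", "op", "value"}.

    A -F expression with no recognised operator raises ValueError instead of
    being dropped as before: silently losing "-F path=..." from an
    "exit,never" rule would turn a per-binary exclusion into one that
    suppresses every execution record. Options other than -S/-F/-k are passed
    over unchanged. -A (prepend) is converted exactly like -a; the JSON shown
    on this page has no prepend marker, so rule order is the file order
    (the "Add support for -A" TODO from the earlier version still stands).
    """
    if len(tokens) < 2:
        raise _invalid(tokens)
    rule = {"actions": tokens[1].split(","), "fields": [], "syscalls": []}
    i = 2
    while i < len(tokens):
        flag = tokens[i]
        if flag not in ("-S", "-F", "-k"):
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise _invalid(tokens)
        arg = tokens[i + 1]
        if flag == "-S":
            rule["syscalls"].append(arg)
        elif flag == "-F":
            match = _FIELD_RE.match(arg)
            if match is None:
                raise _invalid(tokens)
            name, op, raw = match.groups()
            rule["fields"].append(
                {"name": name, "op": _OP_NAMES[op], "value": _field_value(name, raw)}
            )
        else:
            rule["key"] = arg
        i += 2
    # Match the earlier output shape: empty lists are left out entirely.
    for key in ("syscalls", "fields"):
        if not rule[key]:
            del rule[key]
    return rule


def rules_to_json(lines):
    """Convert auditctl rule lines to the JSON rule document.

    ``lines`` is any iterable of rule-file lines. Lines not starting with "-"
    (comments, blanks) are skipped. Lines are tokenised with shlex, so a
    quoted argument such as -F "auid>=1000" loses its quotes (str.split kept
    them inside the field name and value). Recognised rules: -w (file_rules),
    -a/-A (syscall_rules), -D (delete), -b/-e/-r (buffer, enable, rate, kept
    as strings); other lines such as "-i" are ignored as before. Returns an
    OrderedDict with the settings in file order followed by "file_rules" and
    "syscall_rules". Raises ValueError for a rule that cannot be converted.
    """
    watches = []
    syscall_rules = []
    document = OrderedDict()
    for line in lines:
        if not line.startswith("-"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            # Unbalanced quoting; report it as the rule it came from.
            raise ValueError("Invalid rule: " + line.strip())
        flag = tokens[0]
        if flag == "-w":
            watches.append(parse_watch(tokens))
        elif flag in ("-a", "-A"):
            syscall_rules.append(parse_syscall_rule(tokens))
        elif flag == "-D":
            document["delete"] = True
        elif flag in _SETTINGS:
            if len(tokens) < 2:
                raise _invalid(tokens)
            document[_SETTINGS[flag]] = tokens[1]
    document["file_rules"] = watches
    document["syscall_rules"] = syscall_rules
    return document


def main(argv=None):
    """Command-line entry point: print the JSON for the rule file in argv[1].

    Returns the process exit status: 0 on success, 1 when no rule file was
    given or a rule cannot be converted. A missing or unreadable file still
    raises, as it did before.
    """
    args = sys.argv if argv is None else argv
    if len(args) <= 1:
        print("No rule file specified")
        return 1
    try:
        with open(args[1], "r") as rule_file:
            document = rules_to_json(rule_file)
    except ValueError as err:
        print(str(err))
        return 1
    print(json.dumps(document, indent=4, separators=(",", ": ")))
    return 0


if __name__ == "__main__":
    sys.exit(main())
--------------------------------------------------------------------------------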