audit

Recommendations

Info

PROCESSING : MESSAGE GROUPSan abstract example; executing “tail -f tsaudit.log”ungrouped- serial=43480, type=SYSCALL, syscall=“sys_execve”, exe=“/usr/bin/tail”- serial=43480, type=EXECVE, argc=2, a0=“tail”, a1=“tsaudit.log”- serial=43480, type=CWD, cwd=“/var/log”- serial=43480, type=PATH, name=“/usr/bin/tail”- serial=43480, type=EOEgrouped[]{“type" : "SYSCALL",“syscall" : "execve",“exe" : "/usr/bin/tail"},{“type" : "EXECVE",“argc" : 2,“argv” : [ “tail”, “tsaudit.log” ],},{“type" : "CWD",“cwd" : "/var/log"},{"type": "PATH","name": "/usr/bin/tail"}
PROCESSING : MESSAGE GROUPSA few more fun examples of grouping./var/resolvconf/interface$ cat eth0.dhclient nginx: int fd = open(“/www/index.html”); // fd == 13 fd = accept(“192.168.56.1:51997”); user “mthomas” started a pam session[]{"exe": "/bin/cat","comm": "cat","ses": 10,"auid": 4294967295,"pid": 31335,"ppid": 31334,"items": 2,"exit": 0,"success": "yes","syscall": "execve","epoch": 1399248110,"serial": 855516,"type": "SYSCALL"},{"a1": "eth0.dhclient","a0": "cat","argc": 2,"epoch": 1399248110,"type": "EXECVE"},{"cwd": "/run/resolvconf/interface","epoch": 1399248110,"type": "CWD"},{"name": "/bin/cat","epoch": 1399248110,"type": "PATH"}[]{"exe": "/usr/sbin/nginx","comm": "nginx","ses": 238,"pid": 966,"ppid": 965,"items": 1,"a3": "fffffffffffffffb","a2": 0,"a1": "800","a0": "ee7c05","exit": 13,"success": "yes","syscall": "open","epoch": 1392316421,"serial": 301316,"type": "SYSCALL"},{"cwd": "/","type": "CWD"},{"ogid": 0,"name": "/www/index.html","type": "PATH"}[]{"exe": "/usr/sbin/nginx","comm": "nginx","ses": 238,"pid": 966,"ppid": 965,"items": 0,"a3": "800","a2": "7fff8afba6cc","a1": "7fff8afba6d0","a0": 0,"exit": 12,"success": "yes","syscall": "accept4","epoch": 1392316421,"serial": 301314,"type": "SYSCALL"},{"saddr": "192.168.56.1","port": 51997,"prot": "ipv4","type": "SOCKADDR"}[]{}"res": "success","terminal": "ssh","addr": "192.168.56.1","hostname": "babby.local","exe": "/usr/sbin/sshd","acct": "mthomas","op": "PAM:session_open","ses": 24,"auid": 1000,"uid": 0,"pid": 10469,"epoch": 1393886985,"serial": 3393,"type": "USER_START"
Page 1: INELUCTABLE MODALITYOF LINUX AUDITA
Page 8 and 9: AUDIT IS NOT MAGICALwhat is the mea
Page 10 and 11: CAN’T STOP HERE, THISIS BAT COUNT
Page 12 and 13: FEAR AND LOATHING IN KERNEL/AUDIT.C
Page 14 and 15: FORMAT APPROBATION :)Just follow th
Page 16 and 17: THINE ENEMY LIES WITHIN LEGACYThe m
Page 18 and 19: RULE ONE THROUGH ∞An afterthought
Page 20 and 21: !! WARNING !!No statements about ho
Page 22 and 23: PROCESSING : RAW NETLINKcreating th
Page 24 and 25: PROCESSING : RAW NETLINKreceiving a
Page 28 and 29: PARSING“Every year, one out of te
Page 30 and 31: PARSING : BRUTE FORCEone of many ho
Page 32 and 33: PARSING AUDIT MESSAGEStaking things
Page 34 and 35: AND THIS
Page 36 and 37: FILTERINGExample : simple boolean f
Page 38 and 39: LOGGING : AUDITDOUTPUT TYPES1. File
Page 40 and 41: LOGGING : OUR WAY1. ZeroMQ2. Syslog
Page 43 and 44: CEREBRATION•Additional methods fo

audit

Create successful ePaper yourself

Delete template?

Save as template?