elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Improvement/Bug] auditd_manager file.mode does not capture the correct file mode #6525

Closed Aegrah closed 3 months ago

Aegrah commented 1 year ago

Issue

I am working on a detection rule to detect the execution of SUID binaries, for which I wanted to use the auditd_manager file.mode field. I have one document with a SUID bit set, showing the following auditd.paths:

[
  {
    "item": "0",
    "nametype": "NORMAL",
    "ogid": "0",
    "cap_fi": "0",
    "cap_fp": "0",
    "cap_frootid": "0",
    "cap_fver": "0",
    "inode": "135805",
    "mode": "0102770",
    "dev": "08:01",
    "ouid": "0",
    "rdev": "00:00",
    "cap_fe": "0",
    "name": "/usr/bin/nmap"
  } ]

The document above with a mode of 2770 displays a mode of 0770 in the file.mode field, which would indicate a non-SUID binary.

And I have another document that does not have a SUID bit set, showing the following auditd.paths :

[
  {
    "item": "0",
    "nametype": "NORMAL",
    "ogid": "0",
    "cap_fi": "0",
    "cap_fp": "0",
    "cap_frootid": "0",
    "cap_fver": "0",
    "mode": "0100755",
    "inode": "135805",
    "dev": "08:01",
    "ouid": "0",
    "rdev": "00:00",
    "cap_fe": "0",
    "name": "/usr/bin/nmap"
  } ]

This document with a mode of 0755 displays a mode of 0755 in the file.mode field, which would also indicate a non-SUID binary.

The actual auditd.paths flattened object does have the correct value in there, so I think it should be possible to have the file.mode field display the correct file mode.

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6 commented 1 year ago

AFAICS the integration is not altering this field and it's coming from auditbeat. It in turn is getting the value from github.com/elastic/go-libaudit here. This should probably be moved to beats.

andrewkroh commented 1 year ago

@Aegrah If you can enable the preserve_original_event option in the integration settings this will include the original messages that were received from the Linux kernel. That might help make it more clear where the problem is.

Aegrah commented 1 year ago

@andrewkroh I added the preserve_original_event option. Interesting... So here's me running the command "dash -p" using a non-SUID binary, which is also indicated by the suid=1005 within the original message:

{
  "_index": ".ds-logs-auditd_manager.auditd-default-2023.05.24-000001",
  "_id": "ZycqtYgB1fhN-eteZO5K",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "name": "",
      "id": "",
      "ephemeral_id": "",
      "type": "auditbeat",
      "version": "8.8.0"
    },
    "process": {
      "args": [
        "dash",
        "-p"
      ],
      "parent": {
        "pid": 2380071
      },
      "name": "dash",
      "pid": 2380458,
      "title": "dash -p",
      "executable": "/usr/bin/dash"
    },
    "elastic_agent": {
      "id": "b3cfb28b-925f-460e-b025-9bee61092a5e",
      "version": "8.8.0",
      "snapshot": false
    },
    "auditd": {
      "result": "success",
      "summary": {
        "actor": {
          "secondary": "1005",
          "primary": "1005"
        },
        "how": "/usr/bin/dash",
        "object": {
          "type": "file",
          "primary": "/usr/bin/dash"
        }
      },
      "data": {
        "argc": 2,
        "a1": "55d85d70a000",
        "syscall": "execve",
        "a2": "55d85d720450",
        "exit": "0",
        "a3": "8",
        "tty": "pts0",
        "arch": "x86_64",
        "a0": "55d85d60bc10"
      },
      "session": "1456",
      "paths": [
        {
          "item": "0",
          "nametype": "NORMAL",
          "ogid": "0",
          "cap_fi": "0",
          "cap_fp": "0",
          "cap_frootid": "0",
          "mode": "0100755",
          "cap_fver": "0",
          "inode": "1593",
          "dev": "08:01",
          "ouid": "0",
          "rdev": "00:00",
          "cap_fe": "0",
          "name": "/usr/bin/dash"
        },
        {
          "item": "1",
          "nametype": "NORMAL",
          "ogid": "0",
          "cap_fi": "0",
          "cap_fp": "0",
          "cap_frootid": "0",
          "cap_fver": "0",
          "inode": "4382",
          "mode": "0100755",
          "dev": "08:01",
          "ouid": "0",
          "rdev": "00:00",
          "cap_fe": "0",
          "name": "/lib64/ld-linux-x86-64.so.2"
        }
      ],
      "messages": [
        "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
        "type=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"",
        "type=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
        "type=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
        "type=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
      ],
      "message_type": "syscall",
      "user": {
        "saved": {
          "id": "1005",
          "group": {
            "id": "1006"
          }
        },
        "audit": {
          "id": "1005"
        },
        "selinux": {
          "user": "unconfined"
        },
        "filesystem": {
          "id": "1005",
          "group": {
            "id": "1006"
          }
        }
      }
    },
    "tags": [
      "susp_shell",
      "preserve_original_event",
      "auditd_manager-auditd"
    ],
    "cloud": {
      "availability_zone": "europe-west4-a",
      "instance": {
        "name": "",
        "id": ""
      },
      "provider": "gcp",
      "machine": {
        "type": "e2-standard-4"
      },
      "service": {
        "name": "GCE"
      },
      "project": {
        "id": ""
      },
      "region": "europe-west4",
      "account": {
        "id": ""
      }
    },
    "@timestamp": "2023-06-13T14:30:33.304Z",
    "file": {
      "inode": "1593",
      "mode": "0755",
      "uid": "0",
      "path": "/usr/bin/dash",
      "gid": "0",
      "device": "00:00"
    },
    "ecs": {
      "version": "8.8.0"
    },
    "service": {
      "type": "auditd"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "auditd_manager.auditd"
    },
    "host": {
      "hostname": "",
      "os": {
        "kernel": "5.15.0-1034-gcp",
        "codename": "focal",
        "name": "Ubuntu",
        "type": "linux",
        "family": "debian",
        "version": "20.04.6 LTS (Focal Fossa)",
        "platform": "ubuntu"
      },
      "containerized": false,
      "ip": [
      ],
      "name": "",
      "id": "",
      "mac": [
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "sequence": 28864261,
      "ingested": "2023-06-13T14:30:34Z",
      "original": "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70",
      "kind": "event",
      "module": "auditd",
      "action": "executed",
      "type": [
        "start"
      ],
      "category": [
        "process"
      ],
      "dataset": "auditd_manager.auditd",
      "outcome": "success"
    },
    "user": {
      "id": "1005",
      "group": {
        "id": "1006"
      }
    }
  },
  "fields": {
    "file.mode": [
      "0755"
    ],
    "file.path": [
      "/usr/bin/dash"
    ],
    "elastic_agent.version": [
      "8.8.0"
    ],
    "event.category": [
      "process"
    ],
    "process.name.text": [
      "dash"
    ],
    "auditd.user.saved.id": [
      "1005"
    ],
    "process.parent.pid": [
      2380071
    ],
    "host.hostname": [
      ""
    ],
    "auditd.message_type": [
      "syscall"
    ],
    "process.pid": [
      2380458
    ],
    "host.mac": [
    ],
    "cloud.availability_zone": [
      "europe-west4-a"
    ],
    "process.title.text": [
      "dash -p"
    ],
    "auditd.data.exit": [
      "0"
    ],
    "service.type": [
      "auditd"
    ],
    "auditd.user.audit.id": [
      "1005"
    ],
    "host.os.version": [
      "20.04.6 LTS (Focal Fossa)"
    ],
    "host.os.name": [
      "Ubuntu"
    ],
    "agent.name": [
      ""
    ],
    "host.name": [
      ""
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "auditd.data.tty": [
      "pts0"
    ],
    "file.path.text": [
      "/usr/bin/dash"
    ],
    "event.original": [
      "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
    ],
    "cloud.region": [
      "europe-west4"
    ],
    "user.id": [
      "1005"
    ],
    "host.os.type": [
      "linux"
    ],
    "auditd.user.selinux.user": [
      "unconfined"
    ],
    "auditd.data.a2": [
      "55d85d720450"
    ],
    "auditd.data.a3": [
      "8"
    ],
    "auditd.messages": [
      "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
      "type=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"",
      "type=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
      "type=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
      "type=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
    ],
    "data_stream.type": [
      "logs"
    ],
    "auditd.result": [
      "success"
    ],
    "tags": [
      "susp_shell",
      "preserve_original_event",
      "auditd_manager-auditd"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "dash"
    ],
    "cloud.machine.type": [
      "e2-standard-4"
    ],
    "cloud.provider": [
      "gcp"
    ],
    "cloud.service.name": [
      "GCE"
    ],
    "agent.id": [
      "b3cfb28b-925f-460e-b025-9bee61092a5e"
    ],
    "auditd.data.a0": [
      "55d85d60bc10"
    ],
    "file.device": [
      "00:00"
    ],
    "auditd.summary.object.primary": [
      "/usr/bin/dash"
    ],
    "auditd.data.a1": [
      "55d85d70a000"
    ],
    "ecs.version": [
      "8.8.0"
    ],
    "host.containerized": [
      false
    ],
    "auditd.summary.actor.primary": [
      "1005"
    ],
    "agent.version": [
      "8.8.0"
    ],
    "user.group.id": [
      "1006"
    ],
    "process.title": [
      "dash -p"
    ],
    "host.os.family": [
      "debian"
    ],
    "auditd.data.arch": [
      "x86_64"
    ],
    "file.gid": [
      "0"
    ],
    "auditd.user.saved.group.id": [
      "1006"
    ],
    "file.uid": [
      "0"
    ],
    "auditd.user.filesystem.id": [
      "1005"
    ],
    "auditd.paths": [
      {
        "item": "0",
        "nametype": "NORMAL",
        "ogid": "0",
        "cap_fi": "0",
        "cap_fp": "0",
        "cap_frootid": "0",
        "mode": "0100755",
        "cap_fver": "0",
        "inode": "1593",
        "dev": "08:01",
        "ouid": "0",
        "rdev": "00:00",
        "cap_fe": "0",
        "name": "/usr/bin/dash"
      },
      {
        "item": "1",
        "nametype": "NORMAL",
        "ogid": "0",
        "cap_fi": "0",
        "cap_fp": "0",
        "cap_frootid": "0",
        "cap_fver": "0",
        "inode": "4382",
        "mode": "0100755",
        "dev": "08:01",
        "ouid": "0",
        "rdev": "00:00",
        "cap_fe": "0",
        "name": "/lib64/ld-linux-x86-64.so.2"
      }
    ],
    "cloud.instance.id": [
      ""
    ],
    "event.sequence": [
      28864261
    ],
    "host.ip": [
      "10.164.0.7",
      "fe80::4001:aff:fea4:7",
      "172.17.0.1",
      "172.18.0.1"
    ],
    "agent.type": [
      "auditbeat"
    ],
    "process.executable.text": [
      "/usr/bin/dash"
    ],
    "auditd.summary.how": [
      "/usr/bin/dash"
    ],
    "event.module": [
      "auditd"
    ],
    "host.os.kernel": [
      "5.15.0-1034-gcp"
    ],
    "file.inode": [
      "1593"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "auditd.data.argc": [
      2
    ],
    "host.id": [
      "212700a348f6f2c886f0f22bfcd692fa"
    ],
    "process.executable": [
      "/usr/bin/dash"
    ],
    "auditd.summary.object.type": [
      "file"
    ],
    "elastic_agent.id": [
      "b3cfb28b-925f-460e-b025-9bee61092a5e"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "host.os.codename": [
      "focal"
    ],
    "process.args": [
      "dash",
      "-p"
    ],
    "auditd.data.syscall": [
      "execve"
    ],
    "auditd.summary.actor.secondary": [
      "1005"
    ],
    "event.action": [
      "executed"
    ],
    "event.ingested": [
      "2023-06-13T14:30:34.000Z"
    ],
    "@timestamp": [
      "2023-06-13T14:30:33.304Z"
    ],
    "host.os.platform": [
      "ubuntu"
    ],
    "cloud.account.id": [
      ""
    ],
    "event.type": [
      "start"
    ],
    "auditd.user.filesystem.group.id": [
      "1006"
    ],
    "data_stream.dataset": [
      "auditd_manager.auditd"
    ],
    "auditd.session": [
      "1456"
    ],
    "agent.ephemeral_id": [
      "40451141-402f-436a-bb40-fae58389a104"
    ],
    "event.dataset": [
      "auditd_manager.auditd"
    ],
    "cloud.instance.name": [
      ""
    ],
    "cloud.project.id": [
      ""
    ]
  }
}

And here is the document when running dash -p with SUID enabled; you can also see that suid is set to 0, aka root, with a mode of 6755 (in the original message):

{
  "_index": ".ds-logs-auditd_manager.auditd-default-2023.05.24-000001",
  "_id": "iycptYgB1fhN-eteIsWZ",
  "_version": 1,
  "_score": 0,
  "_source": {
    "process": {
      "args": [
        "dash",
        "-p"
      ],
      "parent": {
        "pid": 2380071
      },
      "name": "dash",
      "pid": 2380168,
      "title": "dash -p",
      "executable": "/usr/bin/dash"
    },
    "agent": {
      "name": "",
      "id": "",
      "ephemeral_id": "",
      "type": "auditbeat",
      "version": "8.8.0"
    },
    "elastic_agent": {
      "id": "b3cfb28b-925f-460e-b025-9bee61092a5e",
      "version": "8.8.0",
      "snapshot": false
    },
    "auditd": {
      "summary": {
        "actor": {
          "secondary": "1005",
          "primary": "1005"
        },
        "how": "/usr/bin/dash",
        "object": {
          "type": "file",
          "primary": "/usr/bin/dash"
        }
      },
      "result": "success",
      "data": {
        "argc": 2,
        "a1": "55d85d69c970",
        "a2": "55d85d720450",
        "syscall": "execve",
        "exit": "0",
        "a3": "8",
        "tty": "pts0",
        "arch": "x86_64",
        "a0": "55d85d6719d0"
      },
      "session": "1456",
      "paths": [
        {
          "item": "0",
          "nametype": "NORMAL",
          "ogid": "0",
          "cap_fi": "0",
          "cap_fp": "0",
          "cap_frootid": "0",
          "inode": "1593",
          "mode": "0106755",
          "cap_fver": "0",
          "dev": "08:01",
          "ouid": "0",
          "rdev": "00:00",
          "cap_fe": "0",
          "name": "/usr/bin/dash"
        },
        {
          "item": "1",
          "nametype": "NORMAL",
          "ogid": "0",
          "cap_fi": "0",
          "cap_fp": "0",
          "cap_frootid": "0",
          "cap_fver": "0",
          "inode": "4382",
          "mode": "0100755",
          "dev": "08:01",
          "ouid": "0",
          "rdev": "00:00",
          "cap_fe": "0",
          "name": "/lib64/ld-linux-x86-64.so.2"
        }
      ],
      "messages": [
        "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
        "type=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"",
        "type=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
        "type=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
        "type=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
      ],
      "message_type": "syscall",
      "user": {
        "saved": {
          "id": "0",
          "group": {
            "id": "0"
          }
        },
        "audit": {
          "id": "1005"
        },
        "selinux": {
          "user": "unconfined"
        },
        "filesystem": {
          "id": "0",
          "group": {
            "id": "0"
          }
        }
      }
    },
    "tags": [
      "susp_shell",
      "preserve_original_event",
      "auditd_manager-auditd"
    ],
    "cloud": {
      "availability_zone": "europe-west4-a",
      "instance": {
        "name": "",
        "id": ""
      },
      "provider": "gcp",
      "service": {
        "name": "GCE"
      },
      "machine": {
        "type": "e2-standard-4"
      },
      "project": {
        "id": "elastic-security-research"
      },
      "region": "europe-west4",
      "account": {
        "id": ""
      }
    },
    "@timestamp": "2023-06-13T14:29:11.525Z",
    "file": {
      "inode": "1593",
      "mode": "0755",
      "uid": "0",
      "path": "/usr/bin/dash",
      "gid": "0",
      "device": "00:00"
    },
    "ecs": {
      "version": "8.8.0"
    },
    "service": {
      "type": "auditd"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "auditd_manager.auditd"
    },
    "host": {
      "hostname": "",
      "os": {
        "kernel": "5.15.0-1034-gcp",
        "codename": "focal",
        "name": "Ubuntu",
        "type": "linux",
        "family": "debian",
        "version": "20.04.6 LTS (Focal Fossa)",
        "platform": "ubuntu"
      },
      "containerized": false,
    },
    "event": {
      "agent_id_status": "verified",
      "sequence": 28860764,
      "ingested": "2023-06-13T14:29:11Z",
      "original": "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70",
      "kind": "event",
      "module": "auditd",
      "action": "executed",
      "type": [
        "start"
      ],
      "category": [
        "process"
      ],
      "dataset": "auditd_manager.auditd",
      "outcome": "success"
    },
    "user": {
      "effective": {
        "id": "0",
        "group": {
          "id": "0"
        }
      },
      "id": "1005",
      "group": {
        "id": "1006"
      }
    }
  },
  "fields": {
    "file.mode": [
      "0755"
    ],
    "file.path": [
      "/usr/bin/dash"
    ],
    "elastic_agent.version": [
      "8.8.0"
    ],
    "event.category": [
      "process"
    ],
    "process.name.text": [
      "dash"
    ],
    "auditd.user.saved.id": [
      "0"
    ],
    "process.parent.pid": [
      2380071
    ],
    "auditd.message_type": [
      "syscall"
    ],
    "process.pid": [
      2380168
    ],
    "host.mac": [
      "02-42-19-91-5B-16",
      "02-42-65-CE-47-9F",
      "42-01-0A-A4-00-07"
    ],
    "cloud.availability_zone": [
      "europe-west4-a"
    ],
    "process.title.text": [
      "dash -p"
    ],
    "auditd.data.exit": [
      "0"
    ],
    "service.type": [
      "auditd"
    ],
    "auditd.user.audit.id": [
      "1005"
    ],
    "host.os.version": [
      "20.04.6 LTS (Focal Fossa)"
    ],
    "host.os.name": [
      "Ubuntu"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "auditd.data.tty": [
      "pts0"
    ],
    "file.path.text": [
      "/usr/bin/dash"
    ],
    "event.original": [
      "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
    ],
    "cloud.region": [
      "europe-west4"
    ],
    "user.id": [
      "1005"
    ],
    "host.os.type": [
      "linux"
    ],
    "auditd.user.selinux.user": [
      "unconfined"
    ],
    "auditd.data.a2": [
      "55d85d720450"
    ],
    "auditd.data.a3": [
      "8"
    ],
    "auditd.messages": [
      "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
      "type=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"",
      "type=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
      "type=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
      "type=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
    ],
    "data_stream.type": [
      "logs"
    ],
    "auditd.result": [
      "success"
    ],
    "tags": [
      "susp_shell",
      "preserve_original_event",
      "auditd_manager-auditd"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "dash"
    ],
    "cloud.machine.type": [
      "e2-standard-4"
    ],
    "cloud.provider": [
      "gcp"
    ],
    "cloud.service.name": [
      "GCE"
    ],
    "agent.id": [
      "b3cfb28b-925f-460e-b025-9bee61092a5e"
    ],
    "auditd.data.a0": [
      "55d85d6719d0"
    ],
    "file.device": [
      "00:00"
    ],
    "auditd.summary.object.primary": [
      "/usr/bin/dash"
    ],
    "auditd.data.a1": [
      "55d85d69c970"
    ],
    "ecs.version": [
      "8.8.0"
    ],
    "host.containerized": [
      false
    ],
    "auditd.summary.actor.primary": [
      "1005"
    ],
    "agent.version": [
      "8.8.0"
    ],
    "user.group.id": [
      "1006"
    ],
    "process.title": [
      "dash -p"
    ],
    "host.os.family": [
      "debian"
    ],
    "user.effective.group.id": [
      "0"
    ],
    "auditd.data.arch": [
      "x86_64"
    ],
    "file.gid": [
      "0"
    ],
    "user.effective.id": [
      "0"
    ],
    "auditd.user.saved.group.id": [
      "0"
    ],
    "file.uid": [
      "0"
    ],
    "auditd.user.filesystem.id": [
      "0"
    ],
    "auditd.paths": [
      {
        "item": "0",
        "nametype": "NORMAL",
        "ogid": "0",
        "cap_fi": "0",
        "cap_fp": "0",
        "cap_frootid": "0",
        "inode": "1593",
        "mode": "0106755",
        "cap_fver": "0",
        "dev": "08:01",
        "ouid": "0",
        "rdev": "00:00",
        "cap_fe": "0",
        "name": "/usr/bin/dash"
      },
      {
        "item": "1",
        "nametype": "NORMAL",
        "ogid": "0",
        "cap_fi": "0",
        "cap_fp": "0",
        "cap_frootid": "0",
        "cap_fver": "0",
        "inode": "4382",
        "mode": "0100755",
        "dev": "08:01",
        "ouid": "0",
        "rdev": "00:00",
        "cap_fe": "0",
        "name": "/lib64/ld-linux-x86-64.so.2"
      }
    ],
    "cloud.instance.id": [
      "5819226346140730406"
    ],
    "event.sequence": [
      28860764
    ],
    "agent.type": [
      "auditbeat"
    ],
    "process.executable.text": [
      "/usr/bin/dash"
    ],
    "auditd.summary.how": [
      "/usr/bin/dash"
    ],
    "event.module": [
      "auditd"
    ],
    "host.os.kernel": [
      "5.15.0-1034-gcp"
    ],
    "file.inode": [
      "1593"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "auditd.data.argc": [
      2
    ],
    "host.id": [
      "212700a348f6f2c886f0f22bfcd692fa"
    ],
    "process.executable": [
      "/usr/bin/dash"
    ],
    "auditd.summary.object.type": [
      "file"
    ],
    "elastic_agent.id": [
      "b3cfb28b-925f-460e-b025-9bee61092a5e"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "host.os.codename": [
      "focal"
    ],
    "process.args": [
      "dash",
      "-p"
    ],
    "auditd.data.syscall": [
      "execve"
    ],
    "auditd.summary.actor.secondary": [
      "1005"
    ],
    "event.action": [
      "executed"
    ],
    "event.ingested": [
      "2023-06-13T14:29:11.000Z"
    ],
    "@timestamp": [
      "2023-06-13T14:29:11.525Z"
    ],
    "host.os.platform": [
      "ubuntu"
    ],
    "cloud.account.id": [
      "elastic-security-research"
    ],
    "event.type": [
      "start"
    ],
    "auditd.user.filesystem.group.id": [
      "0"
    ]
  }
}
Aegrah commented 1 year ago

It does seem to capture it correctly in both the original message and the auditd.paths. It would also be an option to add the suid, fsuid, sgid and fsgid fields.

Aegrah commented 1 year ago

Hello, I was wondering - are there any updates on this issue?

andrewkroh commented 1 year ago

The cause is that the value is being ORed with 0o777 at the moment. source: https://github.com/elastic/go-libaudit/blob/fe4ae5f20f37e4457fcf8939c7d0c0d40b0da871/aucoalesce/coalesce.go#L726

Aegrah commented 1 year ago

Hey @andrewkroh thanks for the quick response. Good find! Can I just leave this issue here or should I move this over to Beats to get it fixed?

andrewkroh commented 1 year ago

Would you mind opening a bug issue in go-libaudit?

One question I have is what does the 0100000 bit represent in 0102770. I didn't dig too deep. I am just wondering if that value should be passed through as is or should we represent the value as file.mode: 2770 (e.g. & 7777). I would prefer the values be uniform looking across data sources (like the file.mode example) to make searching and comparison simpler (like searching for any files with suid or sgid).
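The two comments above pin down both halves of the problem: the kernel's PATH record carries the full `st_mode` (the leading `0100000` in `0102770` and `0106755` is `S_IFREG`, the regular-file type bits from `<sys/stat.h>`; the next octal digit holds setuid/setgid/sticky), and masking that value down to the low nine permission bits is exactly what turns `0106755` into the `0755` seen in both documents. The Go program below is an added example, not code from this issue, from go-libaudit or from the auditd_manager integration; the names `parseAuditKV`, `ecsFileMode`, `analyzeExecve`, `ExecEvent`, `PermMask` and `ModeMask` are assumed for illustration. It parses the raw `SYSCALL` and `PATH` records quoted in this thread (copied in as constructed sample input), shows the `0o777` mask beside the `0o7777` mask Andrew proposes, and flags the SUID execution the detection rule is after by combining the setuid bit with the `uid`/`euid` change on the `SYSCALL` record, which also covers the `suid`/`euid` fields suggested earlier in the thread.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Mode bits from <sys/stat.h>. In an audit PATH mode such as 0106755 the leading 01 is the
// file type (0100000 = S_IFREG, a regular file), the 6 is setuid+setgid, 755 is rwx.
const (
	S_ISUID  uint32 = 0o4000
	S_ISGID  uint32 = 0o2000
	PermMask uint32 = 0o777  // rwx only: reproduces the "0755" this issue reports
	ModeMask uint32 = 0o7777 // keeps setuid/setgid/sticky, drops only the file type bits
)

// parseAuditKV splits one kernel audit record into key/value pairs, unquoting string values.
func parseAuditKV(line string) map[string]string {
	kv := make(map[string]string)
	for _, tok := range strings.Fields(line) {
		if parts := strings.SplitN(tok, "=", 2); len(parts) == 2 {
			kv[parts[0]] = strings.Trim(parts[1], `"`)
		}
	}
	return kv
}

// ecsFileMode renders a raw PATH mode as file.mode: octal in, masked, four octal digits
// out, so setuid (4xxx) and setgid (2xxx) binaries stay searchable with a wildcard.
func ecsFileMode(raw string, mask uint32) (string, error) {
	v, err := strconv.ParseUint(raw, 8, 32)
	if err != nil {
		return "", fmt.Errorf("bad mode %q: %w", raw, err)
	}
	return fmt.Sprintf("%04o", uint32(v)&mask), nil
}

// ExecEvent: the executable's mode bits plus the credential change on the SYSCALL record.
type ExecEvent struct {
	Path, RawMode, Mode string
	UID, EUID, SUID     string
	SetUID, SetGID      bool
}

// Elevated: a setuid executable gave the process an effective uid other than its real uid.
func (e ExecEvent) Elevated() bool { return e.SetUID && e.UID != e.EUID }

// analyzeExecve coalesces the SYSCALL record with the item=0 PATH record (the executable;
// item=1 in the issue's events is the ELF loader and is skipped).
func analyzeExecve(messages []string) (ExecEvent, error) {
	var ev ExecEvent
	for _, m := range messages {
		kv := parseAuditKV(m)
		switch kv["type"] {
		case "SYSCALL":
			ev.UID, ev.EUID, ev.SUID = kv["uid"], kv["euid"], kv["suid"]
		case "PATH":
			if kv["item"] != "0" {
				continue
			}
			raw, err := strconv.ParseUint(kv["mode"], 8, 32)
			if err != nil {
				return ev, fmt.Errorf("PATH item 0 %q: %w", kv["name"], err)
			}
			ev.Path, ev.RawMode = kv["name"], kv["mode"]
			ev.SetUID, ev.SetGID = uint32(raw)&S_ISUID != 0, uint32(raw)&S_ISGID != 0
			ev.Mode, _ = ecsFileMode(kv["mode"], ModeMask) // cannot fail: parsed above
		}
	}
	if ev.Path == "" {
		return ev, fmt.Errorf("no item=0 PATH record in event")
	}
	return ev, nil
}

// Constructed sample input: the SYSCALL and PATH records of the two "dash -p" runs quoted
// in this issue, trimmed to the fields read above.
var (
	PlainEvent = []string{
		`type=SYSCALL msg=audit(1686666633.304:28864261): syscall=59 success=yes exit=0 items=2 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 comm="dash" exe="/usr/bin/dash" key="susp_shell"`,
		`type=PATH msg=audit(1686666633.304:28864261): item=0 name="/usr/bin/dash" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL`,
	}
	SUIDEvent = []string{
		`type=SYSCALL msg=audit(1686666551.525:28860764): syscall=59 success=yes exit=0 items=2 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 comm="dash" exe="/usr/bin/dash" key="susp_shell"`,
		`type=PATH msg=audit(1686666551.525:28860764): item=0 name="/usr/bin/dash" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 nametype=NORMAL`,
		`type=PATH msg=audit(1686666551.525:28860764): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL`,
	}
)

func main() {
	for _, msgs := range [][]string{PlainEvent, SUIDEvent} {
		ev, err := analyzeExecve(msgs)
		if err != nil {
			panic(err)
		}
		lossy, _ := ecsFileMode(ev.RawMode, PermMask)
		fmt.Printf("%s file.mode=%s (0o777 mask: %s) uid=%s euid=%s elevated=%v\n", ev.Path, ev.Mode, lossy, ev.UID, ev.EUID, ev.Elevated())
	}
}
```

Run with `go run`: the plain event prints `file.mode=0755` under both masks, while the SUID event prints `file.mode=6755` with `0o7777` and `0755` with `0o777`, which is the loss the first comment observed. Once file.mode carries that leading digit, a rule can test it directly (a first digit of 4, 2 or 6) instead of reconstructing it from auditd.paths, and pairing it with `uid != euid` from the SYSCALL record separates a setuid binary that actually changed credentials from one that was merely executed.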

Aegrah commented 1 year ago

@andrewkroh I was wondering the same, and I agree that it would make more sense to just display the file.mode there. I opened the bug issue at go-libaudit, and referred to this issue. Thanks!

Aegrah commented 3 months ago

Closing this one out, because it is referenced in go-libaudit, and is no longer necessary for me.