Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
AFAICS the integration is not altering this field and it's coming from auditbeat. It in turn is getting the value from github.com/elastic/go-libaudit here. This should probably be moved to beats.
@Aegrah If you can enable the preserve_original_event
option in the integration settings, this will include the original messages that were received from the Linux kernel. That might help make it clearer where the problem is.
@andrewkroh I added the preserve_original_event option. Interesting.. So here is me running the command "dash -p" using a non-SUID binary, which is also indicated by suid=1005 within the original message:
{
"_index": ".ds-logs-auditd_manager.auditd-default-2023.05.24-000001",
"_id": "ZycqtYgB1fhN-eteZO5K",
"_version": 1,
"_score": 0,
"_source": {
"agent": {
"name": "",
"id": "",
"ephemeral_id": "",
"type": "auditbeat",
"version": "8.8.0"
},
"process": {
"args": [
"dash",
"-p"
],
"parent": {
"pid": 2380071
},
"name": "dash",
"pid": 2380458,
"title": "dash -p",
"executable": "/usr/bin/dash"
},
"elastic_agent": {
"id": "b3cfb28b-925f-460e-b025-9bee61092a5e",
"version": "8.8.0",
"snapshot": false
},
"auditd": {
"result": "success",
"summary": {
"actor": {
"secondary": "1005",
"primary": "1005"
},
"how": "/usr/bin/dash",
"object": {
"type": "file",
"primary": "/usr/bin/dash"
}
},
"data": {
"argc": 2,
"a1": "55d85d70a000",
"syscall": "execve",
"a2": "55d85d720450",
"exit": "0",
"a3": "8",
"tty": "pts0",
"arch": "x86_64",
"a0": "55d85d60bc10"
},
"session": "1456",
"paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"mode": "0100755",
"cap_fver": "0",
"inode": "1593",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/bin/dash"
},
{
"item": "1",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"cap_fver": "0",
"inode": "4382",
"mode": "0100755",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/lib64/ld-linux-x86-64.so.2"
}
],
"messages": [
"type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
"type=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"",
"type=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
],
"message_type": "syscall",
"user": {
"saved": {
"id": "1005",
"group": {
"id": "1006"
}
},
"audit": {
"id": "1005"
},
"selinux": {
"user": "unconfined"
},
"filesystem": {
"id": "1005",
"group": {
"id": "1006"
}
}
}
},
"tags": [
"susp_shell",
"preserve_original_event",
"auditd_manager-auditd"
],
"cloud": {
"availability_zone": "europe-west4-a",
"instance": {
"name": "",
"id": ""
},
"provider": "gcp",
"machine": {
"type": "e2-standard-4"
},
"service": {
"name": "GCE"
},
"project": {
"id": ""
},
"region": "europe-west4",
"account": {
"id": ""
}
},
"@timestamp": "2023-06-13T14:30:33.304Z",
"file": {
"inode": "1593",
"mode": "0755",
"uid": "0",
"path": "/usr/bin/dash",
"gid": "0",
"device": "00:00"
},
"ecs": {
"version": "8.8.0"
},
"service": {
"type": "auditd"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "auditd_manager.auditd"
},
"host": {
"hostname": "",
"os": {
"kernel": "5.15.0-1034-gcp",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.6 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
],
"name": "",
"id": "",
"mac": [
],
"architecture": "x86_64"
},
"event": {
"agent_id_status": "verified",
"sequence": 28864261,
"ingested": "2023-06-13T14:30:34Z",
"original": "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70",
"kind": "event",
"module": "auditd",
"action": "executed",
"type": [
"start"
],
"category": [
"process"
],
"dataset": "auditd_manager.auditd",
"outcome": "success"
},
"user": {
"id": "1005",
"group": {
"id": "1006"
}
}
},
"fields": {
"file.mode": [
"0755"
],
"file.path": [
"/usr/bin/dash"
],
"elastic_agent.version": [
"8.8.0"
],
"event.category": [
"process"
],
"process.name.text": [
"dash"
],
"auditd.user.saved.id": [
"1005"
],
"process.parent.pid": [
2380071
],
"host.hostname": [
""
],
"auditd.message_type": [
"syscall"
],
"process.pid": [
2380458
],
"host.mac": [
],
"cloud.availability_zone": [
"europe-west4-a"
],
"process.title.text": [
"dash -p"
],
"auditd.data.exit": [
"0"
],
"service.type": [
"auditd"
],
"auditd.user.audit.id": [
"1005"
],
"host.os.version": [
"20.04.6 LTS (Focal Fossa)"
],
"host.os.name": [
"Ubuntu"
],
"agent.name": [
""
],
"host.name": [
""
],
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"event.outcome": [
"success"
],
"auditd.data.tty": [
"pts0"
],
"file.path.text": [
"/usr/bin/dash"
],
"event.original": [
"type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
],
"cloud.region": [
"europe-west4"
],
"user.id": [
"1005"
],
"host.os.type": [
"linux"
],
"auditd.user.selinux.user": [
"unconfined"
],
"auditd.data.a2": [
"55d85d720450"
],
"auditd.data.a3": [
"8"
],
"auditd.messages": [
"type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
"type=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"",
"type=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
],
"data_stream.type": [
"logs"
],
"auditd.result": [
"success"
],
"tags": [
"susp_shell",
"preserve_original_event",
"auditd_manager-auditd"
],
"host.architecture": [
"x86_64"
],
"process.name": [
"dash"
],
"cloud.machine.type": [
"e2-standard-4"
],
"cloud.provider": [
"gcp"
],
"cloud.service.name": [
"GCE"
],
"agent.id": [
"b3cfb28b-925f-460e-b025-9bee61092a5e"
],
"auditd.data.a0": [
"55d85d60bc10"
],
"file.device": [
"00:00"
],
"auditd.summary.object.primary": [
"/usr/bin/dash"
],
"auditd.data.a1": [
"55d85d70a000"
],
"ecs.version": [
"8.8.0"
],
"host.containerized": [
false
],
"auditd.summary.actor.primary": [
"1005"
],
"agent.version": [
"8.8.0"
],
"user.group.id": [
"1006"
],
"process.title": [
"dash -p"
],
"host.os.family": [
"debian"
],
"auditd.data.arch": [
"x86_64"
],
"file.gid": [
"0"
],
"auditd.user.saved.group.id": [
"1006"
],
"file.uid": [
"0"
],
"auditd.user.filesystem.id": [
"1005"
],
"auditd.paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"mode": "0100755",
"cap_fver": "0",
"inode": "1593",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/bin/dash"
},
{
"item": "1",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"cap_fver": "0",
"inode": "4382",
"mode": "0100755",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/lib64/ld-linux-x86-64.so.2"
}
],
"cloud.instance.id": [
""
],
"event.sequence": [
28864261
],
"host.ip": [
"10.164.0.7",
"fe80::4001:aff:fea4:7",
"172.17.0.1",
"172.18.0.1"
],
"agent.type": [
"auditbeat"
],
"process.executable.text": [
"/usr/bin/dash"
],
"auditd.summary.how": [
"/usr/bin/dash"
],
"event.module": [
"auditd"
],
"host.os.kernel": [
"5.15.0-1034-gcp"
],
"file.inode": [
"1593"
],
"elastic_agent.snapshot": [
false
],
"auditd.data.argc": [
2
],
"host.id": [
"212700a348f6f2c886f0f22bfcd692fa"
],
"process.executable": [
"/usr/bin/dash"
],
"auditd.summary.object.type": [
"file"
],
"elastic_agent.id": [
"b3cfb28b-925f-460e-b025-9bee61092a5e"
],
"data_stream.namespace": [
"default"
],
"host.os.codename": [
"focal"
],
"process.args": [
"dash",
"-p"
],
"auditd.data.syscall": [
"execve"
],
"auditd.summary.actor.secondary": [
"1005"
],
"event.action": [
"executed"
],
"event.ingested": [
"2023-06-13T14:30:34.000Z"
],
"@timestamp": [
"2023-06-13T14:30:33.304Z"
],
"host.os.platform": [
"ubuntu"
],
"cloud.account.id": [
""
],
"event.type": [
"start"
],
"auditd.user.filesystem.group.id": [
"1006"
],
"data_stream.dataset": [
"auditd_manager.auditd"
],
"auditd.session": [
"1456"
],
"agent.ephemeral_id": [
"40451141-402f-436a-bb40-fae58389a104"
],
"event.dataset": [
"auditd_manager.auditd"
],
"cloud.instance.name": [
""
],
"cloud.project.id": [
""
]
}
}
And here is the document when running dash -p with SUID enabled; you can also see that suid is set to 0 (i.e. root), with a mode of 6755 (in the original message):
{
"_index": ".ds-logs-auditd_manager.auditd-default-2023.05.24-000001",
"_id": "iycptYgB1fhN-eteIsWZ",
"_version": 1,
"_score": 0,
"_source": {
"process": {
"args": [
"dash",
"-p"
],
"parent": {
"pid": 2380071
},
"name": "dash",
"pid": 2380168,
"title": "dash -p",
"executable": "/usr/bin/dash"
},
"agent": {
"name": "",
"id": "",
"ephemeral_id": "",
"type": "auditbeat",
"version": "8.8.0"
},
"elastic_agent": {
"id": "b3cfb28b-925f-460e-b025-9bee61092a5e",
"version": "8.8.0",
"snapshot": false
},
"auditd": {
"summary": {
"actor": {
"secondary": "1005",
"primary": "1005"
},
"how": "/usr/bin/dash",
"object": {
"type": "file",
"primary": "/usr/bin/dash"
}
},
"result": "success",
"data": {
"argc": 2,
"a1": "55d85d69c970",
"a2": "55d85d720450",
"syscall": "execve",
"exit": "0",
"a3": "8",
"tty": "pts0",
"arch": "x86_64",
"a0": "55d85d6719d0"
},
"session": "1456",
"paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"inode": "1593",
"mode": "0106755",
"cap_fver": "0",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/bin/dash"
},
{
"item": "1",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"cap_fver": "0",
"inode": "4382",
"mode": "0100755",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/lib64/ld-linux-x86-64.so.2"
}
],
"messages": [
"type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
"type=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"",
"type=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
],
"message_type": "syscall",
"user": {
"saved": {
"id": "0",
"group": {
"id": "0"
}
},
"audit": {
"id": "1005"
},
"selinux": {
"user": "unconfined"
},
"filesystem": {
"id": "0",
"group": {
"id": "0"
}
}
}
},
"tags": [
"susp_shell",
"preserve_original_event",
"auditd_manager-auditd"
],
"cloud": {
"availability_zone": "europe-west4-a",
"instance": {
"name": "",
"id": ""
},
"provider": "gcp",
"service": {
"name": "GCE"
},
"machine": {
"type": "e2-standard-4"
},
"project": {
"id": "elastic-security-research"
},
"region": "europe-west4",
"account": {
"id": ""
}
},
"@timestamp": "2023-06-13T14:29:11.525Z",
"file": {
"inode": "1593",
"mode": "0755",
"uid": "0",
"path": "/usr/bin/dash",
"gid": "0",
"device": "00:00"
},
"ecs": {
"version": "8.8.0"
},
"service": {
"type": "auditd"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "auditd_manager.auditd"
},
"host": {
"hostname": "",
"os": {
"kernel": "5.15.0-1034-gcp",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.6 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
},
"event": {
"agent_id_status": "verified",
"sequence": 28860764,
"ingested": "2023-06-13T14:29:11Z",
"original": "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70",
"kind": "event",
"module": "auditd",
"action": "executed",
"type": [
"start"
],
"category": [
"process"
],
"dataset": "auditd_manager.auditd",
"outcome": "success"
},
"user": {
"effective": {
"id": "0",
"group": {
"id": "0"
}
},
"id": "1005",
"group": {
"id": "1006"
}
}
},
"fields": {
"file.mode": [
"0755"
],
"file.path": [
"/usr/bin/dash"
],
"elastic_agent.version": [
"8.8.0"
],
"event.category": [
"process"
],
"process.name.text": [
"dash"
],
"auditd.user.saved.id": [
"0"
],
"process.parent.pid": [
2380071
],
"auditd.message_type": [
"syscall"
]
"process.pid": [
2380168
],
"host.mac": [
"02-42-19-91-5B-16",
"02-42-65-CE-47-9F",
"42-01-0A-A4-00-07"
],
"cloud.availability_zone": [
"europe-west4-a"
],
"process.title.text": [
"dash -p"
],
"auditd.data.exit": [
"0"
],
"service.type": [
"auditd"
],
"auditd.user.audit.id": [
"1005"
],
"host.os.version": [
"20.04.6 LTS (Focal Fossa)"
],
"host.os.name": [
"Ubuntu"
]
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"event.outcome": [
"success"
],
"auditd.data.tty": [
"pts0"
],
"file.path.text": [
"/usr/bin/dash"
],
"event.original": [
"type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
],
"cloud.region": [
"europe-west4"
],
"user.id": [
"1005"
],
"host.os.type": [
"linux"
],
"auditd.user.selinux.user": [
"unconfined"
],
"auditd.data.a2": [
"55d85d720450"
],
"auditd.data.a3": [
"8"
],
"auditd.messages": [
"type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
"type=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"",
"type=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
],
"data_stream.type": [
"logs"
],
"auditd.result": [
"success"
],
"tags": [
"susp_shell",
"preserve_original_event",
"auditd_manager-auditd"
],
"host.architecture": [
"x86_64"
],
"process.name": [
"dash"
],
"cloud.machine.type": [
"e2-standard-4"
],
"cloud.provider": [
"gcp"
],
"cloud.service.name": [
"GCE"
],
"agent.id": [
"b3cfb28b-925f-460e-b025-9bee61092a5e"
],
"auditd.data.a0": [
"55d85d6719d0"
],
"file.device": [
"00:00"
],
"auditd.summary.object.primary": [
"/usr/bin/dash"
],
"auditd.data.a1": [
"55d85d69c970"
],
"ecs.version": [
"8.8.0"
],
"host.containerized": [
false
],
"auditd.summary.actor.primary": [
"1005"
],
"agent.version": [
"8.8.0"
],
"user.group.id": [
"1006"
],
"process.title": [
"dash -p"
],
"host.os.family": [
"debian"
],
"user.effective.group.id": [
"0"
],
"auditd.data.arch": [
"x86_64"
],
"file.gid": [
"0"
],
"user.effective.id": [
"0"
],
"auditd.user.saved.group.id": [
"0"
],
"file.uid": [
"0"
],
"auditd.user.filesystem.id": [
"0"
],
"auditd.paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"inode": "1593",
"mode": "0106755",
"cap_fver": "0",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/bin/dash"
},
{
"item": "1",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"cap_fver": "0",
"inode": "4382",
"mode": "0100755",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/lib64/ld-linux-x86-64.so.2"
}
],
"cloud.instance.id": [
"5819226346140730406"
],
"event.sequence": [
28860764
],
"agent.type": [
"auditbeat"
],
"process.executable.text": [
"/usr/bin/dash"
],
"auditd.summary.how": [
"/usr/bin/dash"
],
"event.module": [
"auditd"
],
"host.os.kernel": [
"5.15.0-1034-gcp"
],
"file.inode": [
"1593"
],
"elastic_agent.snapshot": [
false
],
"auditd.data.argc": [
2
],
"host.id": [
"212700a348f6f2c886f0f22bfcd692fa"
],
"process.executable": [
"/usr/bin/dash"
],
"auditd.summary.object.type": [
"file"
],
"elastic_agent.id": [
"b3cfb28b-925f-460e-b025-9bee61092a5e"
],
"data_stream.namespace": [
"default"
],
"host.os.codename": [
"focal"
],
"process.args": [
"dash",
"-p"
],
"auditd.data.syscall": [
"execve"
],
"auditd.summary.actor.secondary": [
"1005"
],
"event.action": [
"executed"
],
"event.ingested": [
"2023-06-13T14:29:11.000Z"
],
"@timestamp": [
"2023-06-13T14:29:11.525Z"
],
"host.os.platform": [
"ubuntu"
],
"cloud.account.id": [
"elastic-security-research"
],
"event.type": [
"start"
],
"auditd.user.filesystem.group.id": [
"0"
]
}
}
It does seem to capture it correctly in both the original message and the auditd.paths. It would also be an option to add the suid, fsuid, sgid and fsgid fields.
Hello, I was wondering - are there any updates on this issue?
The cause is that the value is being ORed with 0o777 at the moment. source: https://github.com/elastic/go-libaudit/blob/fe4ae5f20f37e4457fcf8939c7d0c0d40b0da871/aucoalesce/coalesce.go#L726
Hey @andrewkroh thanks for the quick response. Good find! Can I just leave this issue here, or should I move this over to Beats to get it fixed?
Would you mind opening a bug issue in go-libaudit?
One question I have is what the 0100000 bit represents in 0102770. I didn't dig too deep. I am just wondering whether that value should be passed through as is, or whether we should represent the value as file.mode: 2770 (e.g. & 7777). I would prefer the values to look uniform across data sources (like the file.mode example) to make searching and comparison simpler (like searching for any files with suid or sgid).
@andrewkroh I was wondering the same, and I agree that it would make more sense to just display the file.mode there. I opened the bug issue at go-libaudit, and referred to this issue. Thanks!
Closing this one out, because it is referenced in go-libaudit, and is no longer necessary for me.
Issue
I am working on a detection rule to detect the execution of SUID binaries, for which I wanted to use the auditd_manager file.mode field. I have one document with a SUID bit set, showing the following auditd.paths:
The document above with a mode of 2770 displays a mode of 0770 in the file.mode field, which would indicate a non-SUID binary. And I have another document that does not have a SUID bit set, showing the following auditd.paths:
This document with a mode of 0755 displays a mode of 0755 in the file.mode field, which would also indicate a non-SUID binary. The actual auditd.paths flattened object does have the correct value in there, so I think it should be possible to have the file.mode field display the correct file mode.