mtkirby / audisp-simplify


Ever had this working on Centos 7 #1

Closed TheSeraph closed 7 years ago

TheSeraph commented 7 years ago

I've tried to get this operational on Centos 7 but I'm having issues. Everything seems to be working but nothing pops up in /var/log/audisp-simplify. What could I be missing?

mtkirby commented 7 years ago

Oops. Looks like I have a typo in that version. The log print line had a $$ instead of a $, which is a remnant of an older version. I fixed the typo and also wrote an install.sh script and uploaded it to Github. Please try the new version and let me know if anything doesn't work. Let me know if you have SELinux enabled. It has been known to cause problems, but the documented workaround should work.

If you experience any problems with the software, please do not hesitate to ask me for assistance. Thank you.

On Fri, Oct 7, 2016 at 3:47 AM, TheSeraph notifications@github.com wrote:

I've tried to get this operational on Centos 7 but I'm having issues. Everything seems to be working but nothing pops up in /var/log/audisp-simplify. What could I be missing?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/mtkirby/audisp-simplify/issues/1, or mute the thread https://github.com/notifications/unsubscribe-auth/AM7vlLvBP32J793kzTtmNIEKH7LAZlpcks5qxgchgaJpZM4KQzao .

TheSeraph commented 7 years ago

Thanks, seems to be working now!

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa-3d62b87a0340/email


TheSeraph commented 7 years ago

Heyo, I had some more questions about your genius work, and maybe I can help to improve some of it. I noticed keys don't appear in the simplify log, so let's say you create an audit rule and you label it with a "-k Bobo". On the local system if you use auditctl (I think) you can search via that key and pull up all the things with it. Is there a way to include that in the simplify log?


mtkirby commented 7 years ago

Keyname logging is already supported. They will show up in the logfile as key="". If you are not seeing the keynames in the simplify log, check to make sure you have the keys properly set in the audit.rules file. Use "auditctl -l" to double-check. If you do not see your rules with the keynames, you can reload your rules with "auditctl -R /etc/audit/rules.d/audit.rules" (if CentOS7) or "auditctl -R /etc/audit/audit.rules" (if CentOS6). Another way to check to make sure your keyname rules are loaded is to use ausearch. To use your example, you would want to run "ausearch -k Bobo". If ausearch shows the logs with your keyname, but you do not see them in the simplify log, let me know and we can troubleshoot further. Thanks.


TheSeraph commented 7 years ago

Hey, sorry for the late reply. I've been looking deeper into the key thing, and I've noticed that I don't always see keys assigned in the log. As you've mentioned, I took a look to see if my rules were starting up and they are. I see them with auditctl -l and I'll see the key in ausearch, but if I grep the audisp-simplify log, I will not find the key. Now here's the interesting thing: your keys work, but not my custom ones. Ideas?


mtkirby commented 7 years ago

Are you seeing the data in the log, but not with the key name? Can you send me an example of the audit rules you are setting?

Thanks.


TheSeraph commented 7 years ago

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
[[REDACTED]@[REDACTED] ~]$ sudo touch /root/test
[[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017
type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017
type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017
type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="audit_tamper"'
NO RESULTS
[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"'
type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/"
type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=2302372 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd=""
type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]"
type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]"
[[REDACTED]@[REDACTED] ~]$

Hope that helps?


mtkirby commented 7 years ago

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.
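To make the caveat above concrete, here is an added example (not audisp-simplify's own code, only a model of the grouping such an audispd plugin performs): raw audit records that share one serial number are joined into a single grep-friendly line, and an event whose SYSCALL record carries no key name is dropped unless the caller asks to keep it. A second helper scans `auditctl -l` output for rules that lack a `-k`/`-F key=` clause, which is the condition that makes an event disappear from such a log. The sample records are constructed: the first event copies the shape of the `touch /root/test` event shown earlier in this thread, while the second event (its serial, cwd and `cp` process) and the keyless `/etc/passwd` rule are made up for the demonstration. The output field names are the example's own and do not claim to match the project's log format.

```python
"""Toy audit-event simplifier (added example for this thread, not the
audisp-simplify code).  Raw audit events arrive as several records
(SYSCALL, CWD, PATH ...) that share one serial number; a simplifier joins
them into one line with the fields a defender greps for.  The require_key
switch models the caveat stated in the thread: an event whose rule carried
no key name is dropped from the output.
"""
import re
from collections import defaultdict

# Record header: type=<TYPE> msg=audit(<unix time>:<serial>): <fields>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$'
)
# Field values are quoted strings, (null)/(none) markers, or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

# Constructed sample in the shape of ausearch output.  Event 2427383 follows
# the real touch event quoted in the thread; event 2427400 (serial, cwd, cp
# process) is made up and its rule deliberately has no key name.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"
type=CWD msg=audit(1485462616.629:2427383): cwd="/home/example"
type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=SYSCALL msg=audit(1485462700.000:2427400): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" key=(null)
type=CWD msg=audit(1485462700.000:2427400): cwd="/"
type=PATH msg=audit(1485462700.000:2427400): item=0 name="/etc/audit/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
"""

# Constructed `auditctl -l` listing: the last rule has no key name.
SAMPLE_RULES = """\
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
-w /etc/passwd -p wa
"""


def parse_record(line):
    """Parse one raw audit record into type, timestamp, serial and fields.
    Returns None for lines that are not audit records."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {}
    for k, v in FIELD_RE.findall(m.group("rest")):
        if v.startswith('"') and v.endswith('"'):
            v = v[1:-1]
        elif v == "(null)":  # auditd's marker for "no value", e.g. key=(null)
            v = ""
        fields[k] = v
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Collect records by serial number; one serial is one audit event."""
    events = defaultdict(list)
    for line in lines.splitlines():
        rec = parse_record(line.strip())
        if rec:
            events[rec["serial"]].append(rec)
    return events


def simplify(lines, require_key=True):
    """Return one flat dict per audit event, lowest serial first.
    With require_key=True, events whose SYSCALL record has no key are
    dropped, as the thread's caveat describes."""
    out = []
    for serial, recs in sorted(group_events(lines).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None:
            continue  # no SYSCALL record: nothing to attribute to a process
        f = syscall["fields"]
        key = f.get("key", "")
        if require_key and not key:
            continue
        # PATH item 0 is the parent directory; the highest item is the object.
        paths = sorted((r for r in recs if r["type"] == "PATH"),
                       key=lambda r: int(r["fields"].get("item", 0)))
        cwd = next((r["fields"].get("cwd", "") for r in recs if r["type"] == "CWD"), "")
        out.append({
            "auditid": serial, "key": key,
            "uid": f.get("uid", ""), "auid": f.get("auid", ""),
            "pid": f.get("pid", ""), "ppid": f.get("ppid", ""),
            "exe": f.get("exe", ""),
            "name": paths[-1]["fields"].get("name", "") if paths else "",
            "cwd": cwd,
        })
    return out


def format_event(ev):
    """One grep-friendly line per event, every value quoted."""
    return " ".join(f'{k}="{v}"' for k, v in ev.items())


def rules_without_key(auditctl_output):
    """Rules in `auditctl -l` output that carry neither -k nor -F key=."""
    missing = []
    for rule in auditctl_output.splitlines():
        tokens = rule.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if "-k" not in tokens and not any(t.startswith("key=") for t in tokens):
            missing.append(rule.strip())
    return missing


if __name__ == "__main__":
    for ev in simplify(SAMPLE_RECORDS, require_key=False):
        print(format_event(ev))
    for rule in rules_without_key(SAMPLE_RULES):
        print("rule without key name (events will not be logged):", rule)
```

Running the script prints both events because `require_key=False` is passed; the default drops the keyless `cp` event, which is exactly the symptom a grep for `key=` then fails to find, so the rule checker is the first thing to run when an expected event is missing.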

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph notifications@github.com wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l

-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper -w /root/ -p w -k FILE [[REDACTED]@[REDACTED] ~]$ sudo touch /root/test [[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper


time->Thu Jan 26 20:29:18 2017 type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017 type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017 type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017 type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017 type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017 type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017 type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep

'key="audit_tamper"' NO RESULTS [[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"' type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/" type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/" type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/" type="" auditid=2302372 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd="" type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]" type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]" [[REDACTED]@[REDACTED] ~]$

Hope that helps?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c- a1aa-3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083- 4d68-b52b-f0a0eb216150

2017-01-26 2:29 GMT+00:00 mtkirby notifications@github.com:

Are you seeing the data in the log, but not with the key name? Can you send me an example of the audit rules you are setting?

Thanks.

On Wed, Jan 25, 2017 at 3:28 PM, TheSeraph notifications@github.com wrote:

Hey, sorry for the late reply. I've been looking deeper into the key thing, and I've noticed that I don't always see keys assigned in the log. As you've mentioned, I took a look to see if my rules were starting up and they are. I see them with auditctl -l and I'll see the key in ausearch. but if I grep the audisp-simplify log, I will not find the key. Now here's the interesting thing: your keys work, but not my custom ones. Ideas?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c- a1aa-3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083- 4d68-b52b-f0a0eb216150

2016-11-04 15:50 GMT+00:00 mtkirby notifications@github.com:

Keyname logging is already supported. They will show up in the logfile as key="". If you are not seeing the keynames in the simplify log, check to make sure you have the keys properly set in the audit.rules file. Use "auditctl -l" to double-check. If you do not see your rules with the keynames, you can reload your rules with "auditctl -R /etc/audit/rules.d/audit.rules" (if CentOS7) or "auditctl -R /etc/audit/audit.rules (if CentOS6). Another way to check to make sure your keyname rules are loaded is to use ausearch. To use your example, you would want to run "ausearch -k Bobo". If ausearch shows the logs with your keyname, but do not see them in the simplify log, let me know and we can troubleshoot further. Thanks.

On Fri, Nov 4, 2016 at 4:07 AM, TheSeraph notifications@github.com wrote:

Heyo, I had some more questions about your genius work, and maybe I can help to improve some of it. I noticed keys don't appear in the simplify log, so let's say you create an audit rule and you label it with a "-k Bobo". On the local system if you use auditctl (I think) you can search via that key and pull up all the things with it. Is there a way to include that in the simplify log?


2016-10-10 11:27 GMT+01:00 Troy Cunningham troy@arkferos.com:

Thanks, seems to be working now!


2016-10-08 18:50 GMT+01:00 mtkirby notifications@github.com:

Closed #1 https://github.com/mtkirby/audisp-simplify/issues/1.


TheSeraph commented 7 years ago

I'll definitely try it out tomorrow. Also, not sure if this is on all systems (I'm usually on SELinux systems), but is there a part of the code or logrotate that sets the permissions on /var/log/audisp-simplify?

Lastly, one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working Logstash config if that interests you.

On 1. jan. 2017 6.49 p.m., "mtkirby" notifications@github.com wrote:

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph notifications@github.com wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
[[REDACTED]@[REDACTED] ~]$ sudo touch /root/test
[[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017
type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017
type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017
type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="audit_tamper"'
NO RESULTS
[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"'
type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/"
type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=2302372 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd=""
type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]"
type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]"
[[REDACTED]@[REDACTED] ~]$

Hope that helps?

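The caveat in the quoted reply above (a rule with no key never appears in the audisp-simplify log) and the auditctl -l / ausearch -k checks earlier in the thread can be automated. The following is an added example written for this page, not code from the audisp-simplify project: it parses the rule lines auditctl -l prints, flags any watch or syscall rule without a key, and compares the keys loaded in the kernel with the keys that actually show up in the simplify log, which is exactly the gap the thread is chasing (audit_tamper loaded, but absent from the log). The sample rules and log lines are constructed from the thread's own output with hostnames and user names replaced by placeholders; the keyless execve rule is hypothetical and is there only to show what the check reports.

```python
"""Find audit rules that audisp-simplify will drop, and keys that never reach its log.

Added example for this issue thread, not code from the audisp-simplify project.
Assumes the rule syntax printed by `auditctl -l` and the key="..." field format
shown in the thread's /var/log/audisp-simplify excerpt.
"""
import re
import shlex
from typing import List, Optional, Set

# Constructed sample: the thread's `auditctl -l` output plus one hypothetical
# syscall rule with no key, which the maintainer says will never be logged.
SAMPLE_RULES = """\
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
-a always,exit -F arch=b64 -S execve
"""

# Constructed sample of audisp-simplify output (two lines from the thread,
# host and user placeholders substituted).
SAMPLE_LOG = """\
type="" auditid=2427365 node="host.example.com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="alice" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/alice"
type="" auditid=2427383 node="host.example.com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="alice" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/alice"
"""

KEY_FIELD_RE = re.compile(r'\bkey="([^"]*)"')


def rule_key(rule: str) -> Optional[str]:
    """Return the key of one rule line, or None if it has none.

    auditctl accepts a key either as `-k NAME` or as the filter `-F key=NAME`;
    both forms are checked here."""
    toks = shlex.split(rule)
    for i, tok in enumerate(toks[:-1]):
        if tok == "-k":
            return toks[i + 1]
        if tok == "-F" and toks[i + 1].startswith("key="):
            return toks[i + 1][len("key="):]
    return None


def watch_and_syscall_rules(rules_text: str) -> List[str]:
    """Keep only -w (watch) and -a (syscall) rules; skip -e/-b/-f control
    lines, comments, blank lines and the "No rules" placeholder."""
    return [ln.strip() for ln in rules_text.splitlines()
            if ln.strip().startswith(("-w ", "-a "))]


def unkeyed_rules(rules_text: str) -> List[str]:
    """Rules that will never produce a line in the simplify log."""
    return [r for r in watch_and_syscall_rules(rules_text) if rule_key(r) is None]


def loaded_keys(rules_text: str) -> Set[str]:
    """Every key present in the loaded rule set."""
    return {k for k in map(rule_key, watch_and_syscall_rules(rules_text)) if k}


def logged_keys(log_text: str) -> Set[str]:
    """Keys that actually appear in audisp-simplify output."""
    return {m.group(1) for m in KEY_FIELD_RE.finditer(log_text) if m.group(1)}


def keys_missing_from_log(rules_text: str, log_text: str) -> Set[str]:
    """Loaded keys with no matching log line: either the rule never fired, or
    the dispatcher dropped the event, which is the symptom in this thread."""
    return loaded_keys(rules_text) - logged_keys(log_text)


if __name__ == "__main__":
    # For a live check, feed in the output of `auditctl -l` (needs root) and
    # the contents of /var/log/audisp-simplify instead of the samples.
    print("rules without a key:", unkeyed_rules(SAMPLE_RULES))
    print("loaded keys never seen in the log:",
          sorted(keys_missing_from_log(SAMPLE_RULES, SAMPLE_LOG)))
```

Run against the thread's data it reports audit_tamper as loaded but never logged, which narrows the problem to the dispatcher side rather than the rules; a key listed by unkeyed_rules is the case the maintainer's rewrite explicitly does not cover.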

mtkirby commented 7 years ago

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'.

I would love to see your Logstash configuration. I am running Splunk and its auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

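The two permission settings in the comment above (umask 0077 in the daemon and "create 0600 root root" in logrotate) are worth verifying on a host rather than assumed, since an audit log that is readable by other users leaks command lines, paths and user names to anyone local. The script below is an added example for this thread, not code from the audisp-simplify project: it shows what a file created under umask 0077 versus 0022 ends up as, checks a logrotate stanza for the "create 0600 root root" directive, and reports any mode or ownership problem on /var/log/audisp-simplify. The logrotate stanza is constructed for the example; only the create line comes from the thread.

```python
"""Verify that the audisp-simplify log stays private (regular file, 0600, root:root).

Added example for this issue thread, not code from the audisp-simplify project.
LOG_PATH is the path used in the thread; SAMPLE_LOGROTATE is a constructed
stanza whose `create` line matches the maintainer's description.
"""
import os
import re
import stat
import tempfile
from typing import List

LOG_PATH = "/var/log/audisp-simplify"

SAMPLE_LOGROTATE = """\
/var/log/audisp-simplify {
    daily
    rotate 30
    compress
    missingok
    create 0600 root root
}
"""

CREATE_RE = re.compile(r"^\s*create\s+([0-7]{3,4})\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)


def logrotate_creates_private(stanza: str) -> bool:
    """True if the stanza's `create` line recreates the log as 0600 root root.
    Without an explicit create line, logrotate recreates the file with whatever
    mode and owner it would use by default, not what the daemon's umask gave."""
    m = CREATE_RE.search(stanza)
    if not m:
        return False
    mode, owner, group = int(m.group(1), 8), m.group(2), m.group(3)
    return mode == 0o600 and owner == "root" and group == "root"


def permission_findings(path: str, expected_uid: int = 0, expected_gid: int = 0) -> List[str]:
    """Return human-readable problems with the file's type, mode and ownership.
    An empty list means: regular file, no group/other bits, no special bits,
    owned by expected_uid:expected_gid."""
    findings: List[str] = []
    try:
        st = os.lstat(path)          # lstat so a symlink is reported, not followed
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink; the audit log should be a regular file"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} grants group/other access (expected 0600)")
    if mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
        findings.append(f"{path}: unexpected special bits in mode {mode:04o}")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"{path}: group gid {st.st_gid}, expected {expected_gid}")
    return findings


def mode_of_new_file_under_umask(umask: int) -> int:
    """Create a scratch file under `umask` and return its resulting mode bits.
    This is why the daemon sets umask 0077: open(..., 0o666) then yields 0600."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "audisp-simplify")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def findings_for_temp_file(mode: int) -> List[str]:
    """Self-check helper: create a scratch file with `mode`, owned by the
    current user, and run the same checks against it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "audisp-simplify")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
        os.chmod(path, mode)
        return permission_findings(path, os.getuid(), os.getgid())


if __name__ == "__main__":
    print(f"umask 0077 -> {mode_of_new_file_under_umask(0o077):04o}")
    print(f"umask 0022 -> {mode_of_new_file_under_umask(0o022):04o}")
    print("logrotate create line ok:", logrotate_creates_private(SAMPLE_LOGROTATE))
    for finding in permission_findings(LOG_PATH) or [f"{LOG_PATH}: ok"]:
        print(finding)
```

Run it as root to check the real log; as an unprivileged user it still demonstrates the umask behaviour on a temporary file. A symlink at the log path is reported on its own rather than followed, because a symlink planted in a log directory is the classic way to redirect a root-owned writer.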

TheSeraph commented 7 years ago

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!


2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'

I would love to see your Logstash configuration. I am running Splunk and it's auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

On Sun, Jan 29, 2017 at 5:59 PM, TheSeraph notifications@github.com wrote:

I'll definitely try it out tomorrow. Also not sure if this is on all systems (I'm usually on Selinux systems) but is there a part of the code or logrotate that sets the permissions from /var/log/audisp-simplify?

Lastly one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working logstash config if that interests you.

  1. jan. 2017 6.49 p.m. skrev "mtkirby" notifications@github.com:

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph notifications@github.com wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l

-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper -w /root/ -p w -k FILE [[REDACTED]@[REDACTED] ~]$ sudo touch /root/test [[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017
type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017
type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017
type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="audit_tamper"'
NO RESULTS
[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"'
type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/"
type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=2302372 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd=""
type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]"
type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]"
[[REDACTED]@[REDACTED] ~]$

Hope that helps?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa-3d62b87a0340/email https://www.youracclaim.com/profile/badges/6df6988d-2083-4d68-b52b-f0a0eb216150

2017-01-26 2:29 GMT+00:00 mtkirby notifications@github.com:

Are you seeing the data in the log, but not with the key name? Can you send me an example of the audit rules you are setting?

Thanks.

On Wed, Jan 25, 2017 at 3:28 PM, TheSeraph notifications@github.com wrote:

Hey, sorry for the late reply. I've been looking deeper into the key thing, and I've noticed that I don't always see keys assigned in the log. As you've mentioned, I took a look to see if my rules were starting up and they are. I see them with auditctl -l and I'll see the key in ausearch. but if I grep the audisp-simplify log, I will not find the key. Now here's the interesting thing: your keys work, but not my custom ones. Ideas?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa-3d62b87a0340/email https://www.youracclaim.com/profile/badges/6df6988d-2083-4d68-b52b-f0a0eb216150

2016-11-04 15:50 GMT+00:00 mtkirby notifications@github.com:

Keyname logging is already supported. They will show up in the logfile as key="". If you are not seeing the keynames in the simplify log, check to make sure you have the keys properly set in the audit.rules file. Use "auditctl -l" to double-check. If you do not see your rules with the keynames, you can reload your rules with "auditctl -R /etc/audit/rules.d/audit.rules" (if CentOS7) or "auditctl -R /etc/audit/audit.rules" (if CentOS6). Another way to check to make sure your keyname rules are loaded is to use ausearch. To use your example, you would want to run "ausearch -k Bobo". If ausearch shows the logs with your keyname, but you do not see them in the simplify log, let me know and we can troubleshoot further. Thanks.

On Fri, Nov 4, 2016 at 4:07 AM, TheSeraph notifications@github.com wrote:

Heyo, I had some more questions about your genius work, and maybe I can help to improve some of it. I noticed keys don't appear in the simplify log, so let's say you create an audit rule and you label it with a "-k Bobo". On the local system if you use auditctl (I think) you can search via that key and pull up all the things with it. Is there a way to include that in the simplify log?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa-3d62b87a0340/email

2016-10-10 11:27 GMT+01:00 Troy Cunningham troy@arkferos.com:

Thanks, seems to be working now!

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa-3d62b87a0340/email

2016-10-08 18:50 GMT+01:00 mtkirby notifications@github.com:

Closed #1 https://github.com/mtkirby/audisp-simplify/issues/1.

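The test procedure in the message above (list the loaded rules with auditctl -l, confirm with ausearch that auditd records events under each key, then grep the audisp-simplify log for the same key) can be automated. The following is an added example written for this thread, not code from audisp-simplify; it parses the three kinds of output, reports keys that ausearch shows but the simplify log never carries, and also flags rules that have no key name at all, since such a rule cannot be found by key. The auditctl output, ausearch records and simplify lines it works on are constructed from the thread, with redacted values replaced by placeholders (host.example.com, alice) and a third, hypothetical rule without a key added to exercise that check.

```python
"""Cross-check auditd rule keys against the audisp-simplify log.

Added example for this thread; it is not part of audisp-simplify. It takes
the rules `auditctl -l` prints, the records `ausearch` prints, and the
key=value lines audisp-simplify writes, then reports (a) rules that carry
no key name and (b) keys auditd recorded that never reached the simplify
log. All sample data below is constructed from the thread, with redacted
values replaced by placeholders.
"""
import re
from collections import Counter

# key=value pairs; a value is either double-quoted (may contain spaces)
# or a bare token such as msg=audit(1485462627.392:2427389):
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed `auditctl -l` output: the two rules from the thread plus a
# third, hypothetical rule that lacks a key name.
AUDITCTL_L = """\
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
-w /etc/passwd -p wa
"""

# Constructed ausearch records (trimmed to the fields that matter here).
AUSEARCH = [
    'type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 '
    'ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1',
    'type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=25071 auid=3644 uid=0 comm="nano" '
    'exe="/usr/bin/nano" key="audit_tamper"',
    'type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=25069 auid=3644 uid=0 comm="touch" '
    'exe="/usr/bin/touch" key="FILE"',
]

# Constructed audisp-simplify lines in the format shown in the thread.
SIMPLIFY = [
    'type="" auditid=2427383 node="host.example.com" date="2017-01-26" '
    'time="20:30:16+0000" pid=25069 user="root" origuser="alice" key="FILE" '
    'tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" '
    'cwd="/home/alice"',
]


def parse_kv(line):
    """Parse one key=value line into a dict; surrounding quotes are removed."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def rules_without_key(rules_text):
    """Return rule lines that carry neither -k KEY nor -F key=KEY."""
    missing = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "No rules":
            continue
        if " -k " not in f" {line} " and "key=" not in line:
            missing.append(line)
    return missing


def keys_seen(lines, skip_types=("CONFIG_CHANGE",)):
    """Count key names across records, ignoring rule-load (CONFIG_CHANGE) records."""
    counts = Counter()
    for line in lines:
        fields = parse_kv(line)
        if fields.get("type") in skip_types:
            continue
        key = fields.get("key", "")
        if key and key != "(null)":
            counts[key] += 1
    return counts


def missing_keys(ausearch_lines, simplify_lines):
    """Keys present in auditd events but absent from the simplify log."""
    audited = set(keys_seen(ausearch_lines))
    simplified = set(keys_seen(simplify_lines))
    return sorted(audited - simplified)


if __name__ == "__main__":
    for rule in rules_without_key(AUDITCTL_L):
        print(f"rule without key name (will not be found by key): {rule}")
    for key in missing_keys(AUSEARCH, SIMPLIFY):
        print(f"key seen by ausearch but not in simplify log: {key}")
```

On real data, feed the script the output of `auditctl -l`, `ausearch -k KEY` and the simplify log file; CONFIG_CHANGE records are skipped because they only record that a rule was loaded, not an event the rule matched.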

mtkirby commented 7 years ago

I made some more modifications today. It now includes error codes and descriptions for non-zero exit codes. This will help identify broken apps as well as verify suspicious activity. The auditd codes are available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields but I only use some of them.

Here are the fields that I pick from auditd: node, type, pid, ppid, acct, addr, comm, cmd, cwd, exe, exit, hostname, key, name, proctitle, res, result, ses, success, terminal, tty, vm, uid, auid.

And here are the fields that I add: auditid, port, errcode, errdesc, date, time, uid_user, auid_user, epoch, command.

My script will log only the fields that are discovered in an event, so don't assume that all these will show up in each log. The proctitle is new and may seem redundant for EXECVE, but it's necessary for logging commands for network sockets.

Thanks.

On Mon, Jan 30, 2017 at 1:34 PM, TheSeraph notifications@github.com wrote:

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa-3d62b87a0340/email https://www.youracclaim.com/profile/badges/6df6988d-2083-4d68-b52b-f0a0eb216150

2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'.

I would love to see your Logstash configuration. I am running Splunk and its auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

On Sun, Jan 29, 2017 at 5:59 PM, TheSeraph notifications@github.com wrote:

I'll definitely try it out tomorrow. Also not sure if this is on all systems (I'm usually on SELinux systems) but is there a part of the code or logrotate that sets the permissions from /var/log/audisp-simplify?

Lastly one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working logstash config if that interests you.

1. jan. 2017 6.49 p.m., "mtkirby" notifications@github.com wrote:

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.


mtkirby commented 7 years ago

Looks like a flood of errors is a normal thing, so I changed my audit.rules to ignore errors. I added -F exit=0 to all of my rules. You may want to do the same, or at the very least -F exit!=-2.

On Mon, Jan 30, 2017 at 6:41 PM, M Kirby m.thomas.kirby@gmail.com wrote:

I made some more modifications today. It now includes error codes and description for non-zero exit codes. This will help identify broken apps as well as verification of suspicious activity. The auditd codes are available at https://access.redhat.com/ documentation/en-US/Red_Hat_Enterprise_Linux/6/html/ Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields but I only use some of them. Here are the fields that I pick from auditd: node type pid ppid acct addr comm cmd cwd exe exit hostname key name proctitle res result ses success terminal tty vm uid auid And here are the fields that I add: auditid port errcode errdesc date time uid_user auid_user epoch command My script will log only the fields that are discovered in an event, so don't assume that all these will show up in each log. The proctitle is new and may seem redundant for EXECVE, but it's necessary for logging commands for network sockets.

Thanks.

On Mon, Jan 30, 2017 at 1:34 PM, TheSeraph notifications@github.com wrote:

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa- 3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083-4d 68-b52b-f0a0eb216150

2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'

I would love to see your Logstash configuration. I am running Splunk and it's auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

On Sun, Jan 29, 2017 at 5:59 PM, TheSeraph notifications@github.com wrote:

I'll definitely try it out tomorrow. Also not sure if this is on all systems (I'm usually on Selinux systems) but is there a part of the code or logrotate that sets the permissions from /var/log/audisp-simplify?

Lastly one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working logstash config if that interests you.

  1. jan. 2017 6.49 p.m. skrev "mtkirby" notifications@github.com:

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph < notifications@github.com> wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l

-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper -w /root/ -p w -k FILE [[REDACTED]@[REDACTED] ~]$ sudo touch /root/test [[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper


time->Thu Jan 26 20:29:18 2017 type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017 type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017 type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017 type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017 type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017 type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017 type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="audit_tamper"'

NO RESULTS

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"'

type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/"

type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"

type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"

type="" auditid=2302372 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd=""

type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]"

type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]"

[[REDACTED]@[REDACTED] ~]$

Hope that helps?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa-3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083-4d68-b52b-f0a0eb216150

2017-01-26 2:29 GMT+00:00 mtkirby notifications@github.com:

Are you seeing the data in the log, but not with the key name? Can you send me an example of the audit rules you are setting?

Thanks.

On Wed, Jan 25, 2017 at 3:28 PM, TheSeraph notifications@github.com wrote:

Hey, sorry for the late reply. I've been looking deeper into the key thing, and I've noticed that I don't always see keys assigned in the log. As you've mentioned, I took a look to see if my rules were starting up and they are. I see them with auditctl -l and I'll see the key in ausearch, but if I grep the audisp-simplify log, I will not find the key. Now here's the interesting thing: your keys work, but not my custom ones. Ideas?


2016-11-04 15:50 GMT+00:00 mtkirby notifications@github.com:

Keyname logging is already supported. They will show up in the logfile as key="". If you are not seeing the keynames in the simplify log, check to make sure you have the keys properly set in the audit.rules file. Use "auditctl -l" to double-check. If you do not see your rules with the keynames, you can reload your rules with "auditctl -R /etc/audit/rules.d/audit.rules" (if CentOS7) or "auditctl -R /etc/audit/audit.rules" (if CentOS6). Another way to check to make sure your keyname rules are loaded is to use ausearch. To use your example, you would want to run "ausearch -k Bobo". If ausearch shows the logs with your keyname, but you do not see them in the simplify log, let me know and we can troubleshoot further. Thanks.

On Fri, Nov 4, 2016 at 4:07 AM, TheSeraph notifications@github.com wrote:

Heyo, I had some more questions about your genius work, and maybe I can help to improve some of it. I noticed keys don't appear in the simplify log, so let's say you create an audit rule and you label it with a "-k Bobo". On the local system if you use auditctl (I think) you can search via that key and pull up all the things with it. Is there a way to include that in the simplify log?


2016-10-10 11:27 GMT+01:00 Troy Cunningham troy@arkferos.com:

Thanks, seems to be working now!


2016-10-08 18:50 GMT+01:00 mtkirby notifications@github.com:

Closed #1 https://github.com/mtkirby/audisp-simplify/issues/1.


TheSeraph commented 7 years ago

So I've been playing around with this, and maybe it's because I'm too much of a n00b at audit rules, but while the improvements are good, necessitating a key for a rule means that some normal stuff captured by audit logs is inaccessible in the simplify log. For example, I had a whole host of rules trying to capture some login events, but the reality is it would capture metadata around it. What I really wanted was to capture the actual audit event type=USER_LOGIN. Unfortunately (and again, maybe this is because I'm dumb) I can't seem to find a way to create an audit rule that applies a key to a type of event. So invariably all the logs I get are type=CONFIG_CHANGE, EOE or EXECVE.

Thoughts?


2017-01-31 5:02 GMT+00:00 mtkirby notifications@github.com:

Looks like a flood of errors is a normal thing, so I changed my audit.rules to ignore errors. I added -F exit=0 to all of my rules. You may want to do the same, or at the very least -F exit!=-2

On Mon, Jan 30, 2017 at 6:41 PM, M Kirby m.thomas.kirby@gmail.com wrote:

I made some more modifications today. It now includes error codes and description for non-zero exit codes. This will help identify broken apps as well as verification of suspicious activity. The auditd codes are available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields but I only use some of them. Here are the fields that I pick from auditd: node type pid ppid acct addr comm cmd cwd exe exit hostname key name proctitle res result ses success terminal tty vm uid auid. And here are the fields that I add: auditid port errcode errdesc date time uid_user auid_user epoch command. My script will log only the fields that are discovered in an event, so don't assume that all these will show up in each log. The proctitle is new and may seem redundant for EXECVE, but it's necessary for logging commands for network sockets.

Thanks.

On Mon, Jan 30, 2017 at 1:34 PM, TheSeraph notifications@github.com wrote:

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!


2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'

I would love to see your Logstash configuration. I am running Splunk and its auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

On Sun, Jan 29, 2017 at 5:59 PM, TheSeraph notifications@github.com wrote:

I'll definitely try it out tomorrow. Also not sure if this is on all systems (I'm usually on SELinux systems) but is there a part of the code or logrotate that sets the permissions on /var/log/audisp-simplify?

Lastly one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working logstash config if that interests you.

1 Jan 2017 6.49 p.m., "mtkirby" notifications@github.com wrote:

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph notifications@github.com wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l

-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper

-w /root/ -p w -k FILE

[[REDACTED]@[REDACTED] ~]$ sudo touch /root/test

[[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper


time->Thu Jan 26 20:29:18 2017 type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017 type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

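mtkirby's caveat in the quoted exchange above (every rule must carry a key name or audisp-simplify will not log the event) and Troy's auditctl -l listing suggest a pre-flight check before loading rules with auditctl -R. The following is an added example, not code from audisp-simplify or from either participant: it lints rules text in the syntax that auditctl -l prints and rules.d files use (-w ... -k KEY, or -a ... -F key=KEY), reporting the keys in use and any watch or syscall rule without one. The RULES text is constructed for the demo (two of its lines copy Troy's rules); the assumption that control lines such as -D, -b, -f and -e need no key is mine.

```python
"""Lint audit rules for the "every rule needs a key" requirement.

Added example; not part of audisp-simplify. Understands the rule syntax
auditctl -l prints and /etc/audit/rules.d/*.rules files use:
    -w PATH -p PERMS -k KEY
    -a always,exit -F arch=b64 -S SYSCALL ... -F key=KEY
Control lines (-D, -b, -f, -e, ...) and comments are skipped (assumption:
they carry no key and do not produce keyed events).
"""
import shlex

# Constructed rules text for the demo; the two -w lines copy Troy's rules.
RULES = """\
# constructed rules file for the example
-D
-b 8192
-f 1
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
-a always,exit -F arch=b64 -S execve
-w /etc/passwd -p wa -F key=identity
-e 2
"""

RULE_FLAGS = ("-w", "-a", "-A")  # watch and syscall rules; the only ones that need a key


def rule_key(tokens):
    """Return the key of a tokenised rule, or None if it has none.

    Accepts both '-k KEY' and '-F key=KEY'.
    """
    for i, tok in enumerate(tokens):
        if tok == "-k" and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok == "-F" and i + 1 < len(tokens) and tokens[i + 1].startswith("key="):
            return tokens[i + 1][len("key="):]
    return None


def lint_rules(text):
    """Return (keys_seen, rules_missing_key) for a block of rules text.

    keys_seen is the set of key names found; rules_missing_key lists the
    original text of every watch/syscall rule that has no key.
    """
    keys, missing = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] not in RULE_FLAGS:
            continue  # control line, not an event-producing rule
        key = rule_key(tokens)
        if key is None:
            missing.append(line)
        else:
            keys.add(key)
    return keys, missing


if __name__ == "__main__":
    keys, missing = lint_rules(RULES)
    print("keys in use:", ", ".join(sorted(keys)))
    for rule in missing:
        print("no key (audisp-simplify will drop its events):", rule)
```

Run it against a live box with `lint_rules(open("/etc/audit/rules.d/audit.rules").read())` or by piping `auditctl -l` output in; the keys it returns are the ones you should expect to find with `ausearch -k` and in `grep 'key="..."'` on the simplify log.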

mtkirby commented 7 years ago

Okay, that makes sense. I've rewritten it to log everything that is passed from auditd. I've removed the following fields: addr,comm,hostname,result,success,type. These are redundant or not informative. I've added the following fields: euid,euid_user,op,seresult,oldcontext,newcontext,types,unit,subj. The "types" field contains a comma delimited list of "type" that was discovered. The script now requires the Perl Errno module, which should be installed by default. You can check by running 'perl -c /bin/audisp-simplify' Let me know how it goes.

Thanks.

On Wed, Feb 1, 2017 at 9:38 AM, TheSeraph notifications@github.com wrote:

So i've been playing around with this, and maybe it's because I'm too much of a n00b at audit rules, but while the improvments are good, necessitating a key for a rule means that some normal stuff captured by audit logs are unaccessible in the simplify log. For example, I had a whole host of rules trying to capture some login events, but the reality is it would capture metadata around it. What I really wanted was to capture the actual audit event type=USER_LOGIN. Unfortunately (and again, maybe this is because I'm dumb) I can't seem to find a way to create an audit rule that applies a key to a type of event. So invariably all the logs i get are type=CONFIG_CHANGE, EOE or EXECVE

Thoughts?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c- a1aa-3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083- 4d68-b52b-f0a0eb216150

2017-01-31 5:02 GMT+00:00 mtkirby notifications@github.com:

Looks like a flood of errors is a normal thing, so I changed my audit.rules to ignore errors. I added -F exit=0 to all of my rules. You may want to do the same, or at the very least -F exit!=-2

On Mon, Jan 30, 2017 at 6:41 PM, M Kirby m.thomas.kirby@gmail.com wrote:

I made some more modifications today. It now includes error codes and description for non-zero exit codes. This will help identify broken apps as well as verification of suspicious activity. The auditd codes are available at https://access.redhat.com/ documentation/en-US/Red_Hat_Enterprise_Linux/6/html/ Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields but I

only use some of them. Here are the fields that I pick from auditd: node type pid ppid acct addr comm cmd cwd exe exit hostname key name proctitle res result ses success terminal tty vm uid auid And here are the fields that I add: auditid port errcode errdesc date time uid_user auid_user epoch command My script will log only the fields that are discovered in an event, so don't assume that all these will show up in each log. The proctitle is new and may seem redundant for EXECVE, but it's necessary for logging commands for network sockets.

Thanks.

On Mon, Jan 30, 2017 at 1:34 PM, TheSeraph notifications@github.com wrote:

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa- 3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083-4d 68-b52b-f0a0eb216150

2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'

I would love to see your Logstash configuration. I am running Splunk and it's auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

On Sun, Jan 29, 2017 at 5:59 PM, TheSeraph < notifications@github.com> wrote:

I'll definitely try it out tomorrow. Also not sure if this is on all systems (I'm usually on Selinux systems) but is there a part of the code or logrotate that sets the permissions from /var/log/audisp-simplify?

Lastly one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working logstash config if that interests you.

  1. jan. 2017 6.49 p.m. skrev "mtkirby" <notifications@github.com :

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph < notifications@github.com> wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l

-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper -w /root/ -p w -k FILE [[REDACTED]@[REDACTED] ~]$ sudo touch /root/test [[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017
type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017
type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017
type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="audit_tamper"'
NO RESULTS
[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"'
type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/"
type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=2302372 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd=""
type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]"
type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]"
[[REDACTED]@[REDACTED] ~]$

Hope that helps?


2017-01-26 2:29 GMT+00:00 mtkirby notifications@github.com:

Are you seeing the data in the log, but not with the key name? Can you send me an example of the audit rules you are setting?

Thanks.

On Wed, Jan 25, 2017 at 3:28 PM, TheSeraph <notifications@github.com> wrote:

Hey, sorry for the late reply. I've been looking deeper into the key thing, and I've noticed that I don't always see keys assigned in the log. As you've mentioned, I took a look to see if my rules were starting up and they are. I see them with auditctl -l and I'll see the key in ausearch, but if I grep the audisp-simplify log, I will not find the key. Now here's the interesting thing: your keys work, but not my custom ones. Ideas?


2016-11-04 15:50 GMT+00:00 mtkirby <notifications@github.com>:

Keyname logging is already supported. They will show up in the logfile as key="". If you are not seeing the keynames in the simplify log, check to make sure you have the keys properly set in the audit.rules file. Use "auditctl -l" to double-check. If you do not see your rules with the keynames, you can reload your rules with "auditctl -R /etc/audit/rules.d/audit.rules" (if CentOS7) or "auditctl -R /etc/audit/audit.rules" (if CentOS6). Another way to check to make sure your keyname rules are loaded is to use ausearch. To use your example, you would want to run "ausearch -k Bobo". If ausearch shows the logs with your keyname, but you do not see them in the simplify log, let me know and we can troubleshoot further. Thanks.

On Fri, Nov 4, 2016 at 4:07 AM, TheSeraph <notifications@github.com> wrote:

Heyo, I had some more questions about your genius work, and maybe I can help to improve some of it. I noticed keys don't appear in the simplify log, so let's say you create an audit rule and you label it with a "-k Bobo". On the local system if you use auditctl (I think) you can search via that key and pull up all the things with it. Is there a way to include that in the simplify log?


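The two checks exercised in the exchange above, written up as a small Python script. This is an added example, not code from the thread or from the audisp-simplify project. It automates (1) the caveat that every auditd rule needs a key name or its events never reach the simplify log, by scanning `auditctl -l` output for rules with neither `-k` nor `-F key=`, and (2) the `grep 'key="FILE"'` step, by parsing the k=v log lines into fields and grouping them by key, dropping blank and "?" values. The rule listing and log lines are constructed samples modelled on the output posted above: the third rule (a keyless `/etc/passwd` watch) is hypothetical and only there to be caught, and host and user names are placeholders.

```python
"""Two checks for the audisp-simplify workflow discussed in the thread (added
example, not the project's code):

1. rules_without_key(): every auditd rule needs a key name (-k / -F key=),
   otherwise its events never reach the audisp-simplify log.
2. parse_line() / events_by_key(): read the k=v log lines without relying on a
   raw grep, dropping blank and "?" values the way the script is said to.
All inputs below are constructed samples modelled on the thread's output."""
import re
import shlex

# Constructed `auditctl -l` listing: the thread's two watch rules plus one
# hypothetical rule that forgot its key, so the check has something to catch.
SAMPLE_RULES = """\
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
-w /etc/passwd -p wa
"""

# Constructed audisp-simplify lines (host and user names are placeholders).
SAMPLE_LOG = """\
type="" auditid=2427365 node="host.example.com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="troy" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/troy"
type="" auditid=2427383 node="host.example.com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="troy" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/troy"
type="" auditid=2302372 node="host.example.com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="?" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd=""
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Turn one audisp-simplify line into a dict, skipping blank and "?" values."""
    fields = {}
    for m in KV_RE.finditer(line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if value in ("", "?"):
            continue
        fields[m.group(1)] = value
    return fields


def events_by_key(log_text):
    """Group parsed events by audit key; events with no key land under '(no key)'."""
    grouped = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            grouped.setdefault(ev.get("key", "(no key)"), []).append(ev)
    return grouped


def rules_without_key(auditctl_output):
    """Return rules from `auditctl -l` output that carry neither -k nor -F key=."""
    missing = []
    for raw in auditctl_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if "-k" not in toks and not any(t.startswith("key=") for t in toks):
            missing.append(line)
    return missing


if __name__ == "__main__":
    for rule in rules_without_key(SAMPLE_RULES):
        print("rule without key (will not be logged):", rule)
    for key, events in events_by_key(SAMPLE_LOG).items():
        print(f'key="{key}": {len(events)} event(s)')
        for ev in events:
            print("   ", ev.get("exe"), ev.get("name", "<no name>"), "by", ev.get("origuser", "?"))
```

On a real host, feed `rules_without_key()` the output of `auditctl -l` and `events_by_key()` the contents of /var/log/audisp-simplify; the parser is the same one a logstash kv filter would apply, so a field that is missing here will be missing in the dashboard too.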

mtkirby commented 7 years ago

FYI, I re-added hostname and addr. I also changed the logging to skip values that are blank or "?".

On Wed, Feb 1, 2017 at 9:15 PM, M Kirby m.thomas.kirby@gmail.com wrote:

Okay, that makes sense. I've rewritten it to log everything that is passed from auditd. I've removed the following fields: addr,comm,hostname,result,success,type. These are redundant or not informative. I've added the following fields: euid,euid_user,op,seresult,oldcontext,newcontext,types,unit,subj. The "types" field contains a comma-delimited list of "type" that was discovered. The script now requires the Perl Errno module, which should be installed by default. You can check by running 'perl -c /bin/audisp-simplify'. Let me know how it goes.

Thanks.

On Wed, Feb 1, 2017 at 9:38 AM, TheSeraph notifications@github.com wrote:

So I've been playing around with this, and maybe it's because I'm too much of a n00b at audit rules, but while the improvements are good, necessitating a key for a rule means that some normal stuff captured by audit logs is inaccessible in the simplify log. For example, I had a whole host of rules trying to capture some login events, but the reality is it would capture metadata around it. What I really wanted was to capture the actual audit event type=USER_LOGIN. Unfortunately (and again, maybe this is because I'm dumb) I can't seem to find a way to create an audit rule that applies a key to a type of event. So invariably all the logs I get are type=CONFIG_CHANGE, EOE or EXECVE.

Thoughts?


2017-01-31 5:02 GMT+00:00 mtkirby notifications@github.com:

Looks like a flood of errors is a normal thing, so I changed my audit.rules to ignore errors. I added -F exit=0 to all of my rules. You may want to do the same, or at the very least -F exit!=-2

On Mon, Jan 30, 2017 at 6:41 PM, M Kirby m.thomas.kirby@gmail.com wrote:

I made some more modifications today. It now includes error codes and description for non-zero exit codes. This will help identify broken apps as well as verification of suspicious activity. The auditd codes are available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields but I only use some of them. Here are the fields that I pick from auditd: node type pid ppid acct addr comm cmd cwd exe exit hostname key name proctitle res result ses success terminal tty vm uid auid. And here are the fields that I add: auditid port errcode errdesc date time uid_user auid_user epoch command. My script will log only the fields that are discovered in an event, so don't assume that all these will show up in each log. The proctitle is new and may seem redundant for EXECVE, but it's necessary for logging commands for network sockets.

Thanks.

On Mon, Jan 30, 2017 at 1:34 PM, TheSeraph notifications@github.com wrote:

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!


2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'.

I would love to see your Logstash configuration. I am running Splunk and its auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.


TheSeraph commented 7 years ago

Great. I've been working with it, seeing what I can generate. Unfortunately, I can't make my ELK dashboard public, but I can give you what I have for audit.rules and the logstash conf from my fork of your work (https://github.com/TheSeraph/audisp-simplify). If it's not already evident, I think what you're doing is AWESOME. And I appreciate that you've directly improved things on my behalf! Anyways, the logstash file is pretty simple, simply k=v and a bit of mutates, but I think even that's solved in your later versions. If you see my audit.rules, you'll see what I was trying to get originally, although that might have worked better for standard audit log, or with your earliest version. Frankly, having a command log does get most of everything, and having all types registered helps too. I did notice that I do need some sort of key or rule in the audit.rules or nothing appears in audisp-simplify.


2017-02-05 20:14 GMT+00:00 mtkirby notifications@github.com:

FYI, I re-added hostname and addr. I also changed the logging to skip values that are blank or "?".

On Wed, Feb 1, 2017 at 9:15 PM, M Kirby m.thomas.kirby@gmail.com wrote:

Okay, that makes sense. I've rewritten it to log everything that is passed from auditd. I've removed the following fields: addr,comm,hostname,result, success,type. These are redundant or not informative. I've added the following fields: euid,euid_user,op,seresult, oldcontext,newcontext,types,unit,subj. The "types" field contains a comma delimited list of "type" that was discovered. The script now requires the Perl Errno module, which should be installed by default. You can check by running 'perl -c /bin/audisp-simplify' Let me know how it goes.

Thanks.

On Wed, Feb 1, 2017 at 9:38 AM, TheSeraph notifications@github.com wrote:

So I've been playing around with this, and maybe it's because I'm too much of a n00b at audit rules, but while the improvements are good, necessitating a key for a rule means that some normal stuff captured by audit logs is inaccessible in the simplify log. For example, I had a whole host of rules trying to capture some login events, but the reality is it would capture metadata around it. What I really wanted was to capture the actual audit event type=USER_LOGIN. Unfortunately (and again, maybe this is because I'm dumb) I can't seem to find a way to create an audit rule that applies a key to a type of event. So invariably all the logs I get are type=CONFIG_CHANGE, EOE or EXECVE.

Thoughts?


2017-01-31 5:02 GMT+00:00 mtkirby notifications@github.com:

Looks like a flood of errors is a normal thing, so I changed my audit.rules to ignore errors. I added -F exit=0 to all of my rules. You may want to do the same, or at the very least -F exit!=-2

On Mon, Jan 30, 2017 at 6:41 PM, M Kirby m.thomas.kirby@gmail.com wrote:

I made some more modifications today. It now includes error codes and description for non-zero exit codes. This will help identify broken apps as well as verification of suspicious activity. The auditd codes are available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields but I only use some of them. Here are the fields that I pick from auditd: node type pid ppid acct addr comm cmd cwd exe exit hostname key name proctitle res result ses success terminal tty vm uid auid. And here are the fields that I add: auditid port errcode errdesc date time uid_user auid_user epoch command. My script will log only the fields that are discovered in an event, so don't assume that all these will show up in each log. The proctitle is new and may seem redundant for EXECVE, but it's necessary for logging commands for network sockets.

Thanks.

On Mon, Jan 30, 2017 at 1:34 PM, TheSeraph < notifications@github.com> wrote:

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!


2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'

I would love to see your Logstash configuration. I am running Splunk and its auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

On Sun, Jan 29, 2017 at 5:59 PM, TheSeraph < notifications@github.com> wrote:

I'll definitely try it out tomorrow. Also not sure if this is on all systems (I'm usually on SELinux systems) but is there a part of the code or logrotate that sets the permissions for /var/log/audisp-simplify?

Lastly one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working logstash config if that interests you.

On 1 Jan 2017 at 6:49 PM, "mtkirby" <notifications@github.com> wrote:

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph < notifications@github.com> wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
[[REDACTED]@[REDACTED] ~]$ sudo touch /root/test
[[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper


time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017
type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017
type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017
type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="audit_tamper"'
NO RESULTS
[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"'
type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/"
type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=2302372 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd=""
type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]"
type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]"
[[REDACTED]@[REDACTED] ~]$

Hope that helps?


2017-01-26 2:29 GMT+00:00 mtkirby <notifications@github.com>:

Are you seeing the data in the log, but not with the key name? Can you send me an example of the audit rules you are setting?

Thanks.

On Wed, Jan 25, 2017 at 3:28 PM, TheSeraph <notifications@github.com> wrote:

Hey, sorry for the late reply. I've been looking deeper into the key thing, and I've noticed that I don't always see keys assigned in the log. As you've mentioned, I took a look to see if my rules were starting up and they are. I see them with auditctl -l and I'll see the key in ausearch, but if I grep the audisp-simplify log, I will not find the key. Now here's the interesting thing: your keys work, but not my custom ones. Ideas?


2016-11-04 15:50 GMT+00:00 mtkirby <notifications@github.com>:

Keyname logging is already supported. They will show up in the logfile as key="". If you are not seeing the keynames in the simplify log, check to make sure you have the keys properly set in the audit.rules file. Use "auditctl -l" to double-check. If you do not see your rules with the keynames, you can reload your rules with "auditctl -R /etc/audit/rules.d/audit.rules" (if CentOS7) or "auditctl -R /etc/audit/audit.rules" (if CentOS6). Another way to check to make sure your keyname rules are loaded is to use ausearch. To use your example, you would want to run "ausearch -k Bobo". If ausearch shows the logs with your keyname, but you do not see them in the simplify log, let me know and we can troubleshoot further. Thanks.

On Fri, Nov 4, 2016 at 4:07 AM, TheSeraph < notifications@github.com> wrote:

Heyo, I had some more questions about your genius work, and maybe I can help to improve some of it. I noticed keys don't appear in the simplify log, so let's say you create an audit rule and you label it with a "-k Bobo". On the local system if you use auditctl (I think) you can search via that key and pull up all the things with it. Is there a way to include that in the simplify log?


2016-10-10 11:27 GMT+01:00 Troy Cunningham <troy@arkferos.com>:

Thanks, seems to be working now!


2016-10-08 18:50 GMT+01:00 mtkirby <notifications@github.com>:

Closed #1 <https://github.com/mtkirby/audisp-simplify/issues/1>.

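Two behaviours of the simplified log run through the thread above: only events produced by a rule carrying a -k key name are written, and a negative exit is decoded into errcode/errdesc (so a rule filter such as -F exit!=-2 is really saying "drop ENOENT"). The Python below is an added example, not audisp-simplify's own Perl and not from either fork: it groups raw auditd records by event serial the way an audisp plugin sees them, drops keyless events, and emits one k=v line per event in the style of /var/log/audisp-simplify. The three sample events are constructed for the example (pids, paths, the /home/troy cwd and the 10.0.0.5 login source are made up), and the chosen output fields are an assumption, not the script's exact list.

```python
"""Added example, not audisp-simplify's own code: group raw auditd records by
event serial, keep only keyed events, and write one k=v line per event in the
style of /var/log/audisp-simplify.  The sample records are constructed for
this example (pids, paths and the 10.0.0.5 login source are made up)."""
import errno
import os
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: event 101 is nano opening the rules file (keyed
# "audit_tamper"), event 102 is a failed open() under the "FILE" key
# (exit=-2, ENOENT), event 103 is a USER_LOGIN record, which no auditctl
# rule can tag with a key and which the simplified log therefore drops.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1485462627.392:101): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"
type=CWD msg=audit(1485462627.392:101): cwd="/home/troy"
type=PATH msg=audit(1485462627.392:101): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 objtype=NORMAL
type=EOE msg=audit(1485462627.392:101):
type=SYSCALL msg=audit(1485462640.100:102): arch=c000003e syscall=2 success=no exit=-2 a0=7fff5ad328f6 a1=0 items=1 ppid=25070 pid=25080 auid=3644 uid=0 gid=0 euid=0 tty=pts0 ses=983 comm="cat" exe="/usr/bin/cat" key="FILE"
type=CWD msg=audit(1485462640.100:102): cwd="/root"
type=PATH msg=audit(1485462640.100:102): item=0 name="/root/missing" objtype=UNKNOWN
type=USER_LOGIN msg=audit(1485462650.000:103): pid=1200 uid=0 auid=3644 ses=984 msg='op=login id=3644 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=/dev/pts/1 res=success'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Values treated as uninformative: blank, unknown, the unset auid/ses
# sentinel, and the (null) name that PATH records carry.
SKIP = {"", "?", "(null)", "4294967295"}
# Output field selection is this example's choice, not the script's list.
KEEP = ("key", "pid", "ppid", "auid", "uid", "tty", "comm", "exe",
        "cwd", "name", "success", "exit")


def parse_record(line):
    """Split one raw record into (type, epoch seconds, serial, {field: value})."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    # USER_* records nest their fields inside msg='...'; unwrap so they parse.
    body = re.sub(r"msg='(.*)'\s*$", r"\1", body)
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rtype, int(secs), int(serial), fields


def group_events(raw):
    """Collect every record sharing a serial into one event dict."""
    events = defaultdict(lambda: {"epoch": 0, "types": [], "fields": {}})
    for line in raw.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, secs, serial, fields = parsed
        ev = events[serial]
        ev["epoch"] = secs
        ev["types"].append(rtype)
        for k, v in fields.items():
            # The PARENT path item is the directory, not the file touched.
            if k == "name" and fields.get("objtype") == "PARENT":
                continue
            ev["fields"].setdefault(k, v)
    return events


def simplify(serial, ev):
    """Build the k=v fields for one event, or None if the event has no key."""
    f = ev["fields"]
    if f.get("key", "") in SKIP:
        return None
    ts = datetime.fromtimestamp(ev["epoch"], timezone.utc)
    out = {"auditid": serial, "types": ",".join(ev["types"]),
           "date": ts.strftime("%Y-%m-%d"), "time": ts.strftime("%H:%M:%S+0000")}
    for k in KEEP:
        if f.get(k, "") not in SKIP:
            out[k] = f[k]
    code = int(f.get("exit", "0"))
    if code < 0:  # a negative exit is -errno; decode it into name and text
        out["errcode"] = errno.errorcode.get(-code, str(-code))
        out["errdesc"] = os.strerror(-code)
    return out


def format_kv(fields):
    """Quote strings and leave integers bare so a Logstash kv filter splits cleanly."""
    parts = []
    for k, v in fields.items():
        v = str(v)
        parts.append(f"{k}={v}" if v.lstrip("-").isdigit() else f'{k}="{v}"')
    return " ".join(parts)


def simplify_log(raw):
    """Raw auditd records in, simplified k=v lines out, keyless events dropped."""
    lines = []
    for serial, ev in sorted(group_events(raw).items()):
        out = simplify(serial, ev)
        if out is not None:
            lines.append(format_kv(out))
    return lines


if __name__ == "__main__":
    for line in simplify_log(SAMPLE_RECORDS):
        print(line)
```

Event 102 is the kind of record that -F exit!=-2 suppresses in the kernel before any plugin sees it; here it survives and comes out as exit=-2 errcode="ENOENT" errdesc="No such file or directory", which is easier to triage than a bare exit value when deciding whether a failed open is a broken app or a probe. Event 103 carries no key, so it never reaches the output; that is the limitation discussed in the thread, and nothing in the parser can recover an event that the rule layer never tagged.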

TheSeraph commented 7 years ago

Can do this though for ELK:

[image: Embedded image 1]


2017-02-06 9:55 GMT+00:00 Troy Cunningham troy@arkferos.com:

Great. I've been working with it, seeing what I can generate. Unfortunately, i can't make my elk dashboard public, but I can give you what I have for audit.rules and the logstash conf from my fork of your work (https://github.com/TheSeraph/audisp-simplify). If it's not already evident, I think what you're doing is AWESOME. And I appreciate that you've directly improved things on my behalf! Anyways, the logstash file is pretty simple, simply k=v and a bit of mutates, but I think even that's solved in your later versions. If you see my audit.rules, you'll see what I was trying to get originally, although that might have worked better for standard audit log, or with your earliest version. Frankly, having a command log does get most of everything, and having all types registered helps too. I did noticed that I do need some sort of key or rule in the audit.rules or nothing appears in audisp-simplify.

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa-3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083-4d68-b52b-f0a0eb216150

2017-02-05 20:14 GMT+00:00 mtkirby notifications@github.com:

FYI, I re-added hostname and addr. I also changed the logging to skip values that are blank or "?".

On Wed, Feb 1, 2017 at 9:15 PM, M Kirby m.thomas.kirby@gmail.com wrote:

Okay, that makes sense. I've rewritten it to log everything that is passed from auditd. I've removed the following fields: addr,comm,hostname,result,succ ess,type. These are redundant or not informative. I've added the following fields: euid,euid_user,op,seresult, oldcontext,newcontext,types,unit,subj. The "types" field contains a comma delimited list of "type" that was discovered. The script now requires the Perl Errno module, which should be installed by default. You can check by running 'perl -c /bin/audisp-simplify' Let me know how it goes.

Thanks.

On Wed, Feb 1, 2017 at 9:38 AM, TheSeraph notifications@github.com wrote:

So i've been playing around with this, and maybe it's because I'm too much of a n00b at audit rules, but while the improvments are good, necessitating a key for a rule means that some normal stuff captured by audit logs are unaccessible in the simplify log. For example, I had a whole host of rules trying to capture some login events, but the reality is it would capture metadata around it. What I really wanted was to capture the actual audit event type=USER_LOGIN. Unfortunately (and again, maybe this is because I'm dumb) I can't seem to find a way to create an audit rule that applies a key to a type of event. So invariably all the logs i get are type=CONFIG_CHANGE, EOE or EXECVE

Thoughts?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa- 3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083-4d 68-b52b-f0a0eb216150

2017-01-31 5:02 GMT+00:00 mtkirby notifications@github.com:

Looks like a flood of errors is a normal thing, so I changed my audit.rules to ignore errors. I added -F exit=0 to all of my rules. You may want to do the same, or at the very least -F exit!=-2

On Mon, Jan 30, 2017 at 6:41 PM, M Kirby m.thomas.kirby@gmail.com wrote:

I made some more modifications today. It now includes error codes and description for non-zero exit codes. This will help identify broken apps as well as verification of suspicious activity. The auditd codes are available at https://access.redhat.com/ documentation/en-US/Red_Hat_Enterprise_Linux/6/html/ Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields but I

only use some of them. Here are the fields that I pick from auditd: node type pid ppid acct addr comm cmd cwd exe exit hostname key name proctitle res result ses success terminal tty vm uid auid And here are the fields that I add: auditid port errcode errdesc date time uid_user auid_user epoch command My script will log only the fields that are discovered in an event, so don't assume that all these will show up in each log. The proctitle is new and may seem redundant for EXECVE, but it's necessary for logging commands for network sockets.

Thanks.

On Mon, Jan 30, 2017 at 1:34 PM, TheSeraph < notifications@github.com> wrote:

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c-a1aa- 3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/profile/badges/6df6988d-2083-4d 68-b52b-f0a0eb216150

2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'

I would love to see your Logstash configuration. I am running Splunk and it's auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

On Sun, Jan 29, 2017 at 5:59 PM, TheSeraph < notifications@github.com> wrote:

I'll definitely try it out tomorrow. Also not sure if this is on all systems (I'm usually on Selinux systems) but is there a part of the code or logrotate that sets the permissions from /var/log/audisp-simplify?

Lastly one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working logstash config if that interests you.

  1. jan. 2017 6.49 p.m. skrev "mtkirby" < notifications@github.com>:

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph < notifications@github.com> wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l

-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper -w /root/ -p w -k FILE [[REDACTED]@[REDACTED] ~]$ sudo touch /root/test [[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper


time->Thu Jan 26 20:29:18 2017 type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017 type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017 type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017 type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017 type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017 type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017 type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]" type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep

'key="audit_tamper"' NO RESULTS [[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"' type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/" type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/" type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/" type="" auditid=2302372 node="[REDACTED].[REDACTED].co m" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd="" type="" auditid=2427365 node="[REDACTED].[REDACTED].co m" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]" type="" auditid=2427383 node="[REDACTED].[REDACTED].co m" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]" [[REDACTED]@[REDACTED] ~]$

Hope that helps?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/badges/83e82d75-eb91-4d7c- a1aa-3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/p rofile/badges/6df6988d-2083- 4d68-b52b-f0a0eb216150

2017-01-26 2:29 GMT+00:00 mtkirby < notifications@github.com :

Are you seeing the data in the log, but not with the key name? Can you send me an example of the audit rules you are setting?

Thanks.

On Wed, Jan 25, 2017 at 3:28 PM, TheSeraph < notifications@github.com

wrote:

Hey, sorry for the late reply. I've been looking deeper into the key thing, and I've noticed that I don't always see keys assigned in the log. As you've mentioned, I took a look to see if my rules were starting up and they are. I see them with auditctl -l and I'll see the key in ausearch. but if I grep the audisp-simplify log, I will not find the key. Now here's the interesting thing: your keys work, but not my custom ones. Ideas?

Thanks, Troy Cunningham 0746 974 3916 Troy@Arkferos.com [image: GIAC GSEC Certification Badge Details] https://www.youracclaim.com/b adges/83e82d75-eb91-4d7c- a1aa-3d62b87a0340/email [image: GIAC Advisory Board Badge Details] https://www.youracclaim.com/p rofile/badges/6df6988d-2083- 4d68-b52b-f0a0eb216150

2016-11-04 15:50 GMT+00:00 mtkirby <notifications@github.com>:

Keyname logging is already supported. They will show up in the logfile as key="". If you are not seeing the keynames in the simplify log, check to make sure you have the keys properly set in the audit.rules file. Use "auditctl -l" to double-check. If you do not see your rules with the keynames, you can reload your rules with "auditctl -R /etc/audit/rules.d/audit.rules" (if CentOS7) or "auditctl -R /etc/audit/audit.rules" (if CentOS6). Another way to check to make sure your keyname rules are loaded is to use ausearch. To use your example, you would want to run "ausearch -k Bobo". If ausearch shows the logs with your keyname, but you do not see them in the simplify log, let me know and we can troubleshoot further. Thanks.

On Fri, Nov 4, 2016 at 4:07 AM, TheSeraph <notifications@github.com> wrote:

Heyo, I had some more questions about your genius work, and maybe I can help to improve some of it. I noticed keys don't appear in the simplify log, so let's say you create an audit rule and you label it with a "-k Bobo". On the local system if you use auditctl (I think) you can search via that key and pull up all the things with it. Is there a way to include that in the simplify log?

Thanks, Troy Cunningham

2016-10-10 11:27 GMT+01:00 Troy Cunningham <troy@arkferos.com>:

Thanks, seems to be working now!

Thanks, Troy Cunningham

2016-10-08 18:50 GMT+01:00 mtkirby <notifications@github.com>:

Closed #1 <https://github.com/mtkirby/audisp-simplify/issues/1>.

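A cross-check for the situation in this exchange (keys visible in auditctl -l and ausearch, but one of them never appearing in the simplified log), written here as an added example and not taken from the audisp-simplify project: it parses key names out of rule lines (an audit.rules file or auditctl -l output), counts the key= values in /var/log/audisp-simplify lines, and reports declared keys that never appear, together with rules that carry no key at all, which the rewritten script does not log. The two rules and the two log lines are the ones quoted in this thread; the keyless execve rule and the -D/-b control lines are constructed for the example.

```python
"""Check that every audit rule key shows up in the audisp-simplify log.

Added example for this thread, not code from the audisp-simplify project.
"""
import re
from collections import Counter

# One k=v token: a double-quoted value (with escapes) or a bare value.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# A key declared as "-k NAME" or "-F key=NAME".
KEY_RE = re.compile(r"(?:-k\s+|-F\s+key=)(\S+)")


def parse_kv_line(line):
    """Parse one audisp-simplify line into a dict, quotes stripped."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def active_rules(rules_text):
    """Yield rule lines, skipping comments, blanks and control lines (-D, -b, -f, -e)."""
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line.split()[0] not in ("-D", "-b", "-f", "-e"):
            yield line


def rule_keys(rules_text):
    """Return the set of key names declared across the rules."""
    keys = set()
    for rule in active_rules(rules_text):
        m = KEY_RE.search(rule)
        if m:
            keys.add(m.group(1))
    return keys


def keyless_rules(rules_text):
    """Return rules with no key; per the thread these produce no simplified output."""
    return [r for r in active_rules(rules_text) if not KEY_RE.search(r)]


def log_key_counts(log_text):
    """Count simplified log lines per key value."""
    counts = Counter()
    for line in log_text.splitlines():
        key = parse_kv_line(line).get("key")
        if key:
            counts[key] += 1
    return counts


def missing_keys(rules_text, log_text):
    """Keys declared in the rules that never appear in the log, sorted."""
    return sorted(rule_keys(rules_text) - set(log_key_counts(log_text)))


# Sample rules (constructed file): the two rules from the thread plus one
# constructed execve rule that has no key.
SAMPLE_RULES = """\
-D
-b 8192
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
-a always,exit -F arch=b64 -S execve -F exit=0
"""

# Sample log: two lines in the format quoted in the thread (host names redacted).
SAMPLE_LOG = """\
type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]"
type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]"
"""

if __name__ == "__main__":
    print("rule keys:", sorted(rule_keys(SAMPLE_RULES)))
    print("seen in log:", dict(log_key_counts(SAMPLE_LOG)))
    print("never logged:", missing_keys(SAMPLE_RULES, SAMPLE_LOG))
    print("rules without a key:", keyless_rules(SAMPLE_RULES))
```

On the thread's data this reports audit_tamper as declared but never logged and FILE as seen twice; pointing the two functions at the real files (`open("/etc/audit/rules.d/audit.rules").read()` and the simplified log) gives the same report for a live host.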

mtkirby commented 7 years ago

Looks like some kv were dropped due to a bad timer. This may be why you are not seeing some data. I modified the timer and committed the new code. You should now see the default types such as user_{start,end,acct,auth,logout,login}. I also added some of your audit rules to the suggestions in the doc. I found a collection of interesting rules at https://fedorahosted.org/audit/browser/trunk/rules?order=name

Let me know if everything works now. I appreciate the feedback. Thanks.

On Mon, Feb 6, 2017 at 3:55 AM, TheSeraph notifications@github.com wrote:

Great. I've been working with it, seeing what I can generate. Unfortunately, I can't make my ELK dashboard public, but I can give you what I have for audit.rules and the logstash conf from my fork of your work (https://github.com/TheSeraph/audisp-simplify). If it's not already evident, I think what you're doing is AWESOME. And I appreciate that you've directly improved things on my behalf! Anyways, the logstash file is pretty simple, simply k=v and a bit of mutates, but I think even that's solved in your later versions. If you see my audit.rules, you'll see what I was trying to get originally, although that might have worked better for standard audit log, or with your earliest version. Frankly, having a command log does get most of everything, and having all types registered helps too. I did notice that I do need some sort of key or rule in the audit.rules or nothing appears in audisp-simplify.

Thanks, Troy Cunningham

2017-02-05 20:14 GMT+00:00 mtkirby notifications@github.com:

FYI, I re-added hostname and addr. I also changed the logging to skip values that are blank or "?".

On Wed, Feb 1, 2017 at 9:15 PM, M Kirby m.thomas.kirby@gmail.com wrote:

Okay, that makes sense. I've rewritten it to log everything that is passed from auditd. I've removed the following fields: addr, comm, hostname, result, success, type. These are redundant or not informative. I've added the following fields: euid, euid_user, op, seresult, oldcontext, newcontext, types, unit, subj. The "types" field contains a comma delimited list of "type" that was discovered. The script now requires the Perl Errno module, which should be installed by default. You can check by running 'perl -c /bin/audisp-simplify'. Let me know how it goes.

Thanks.

On Wed, Feb 1, 2017 at 9:38 AM, TheSeraph notifications@github.com wrote:

So I've been playing around with this, and maybe it's because I'm too much of a n00b at audit rules, but while the improvements are good, necessitating a key for a rule means that some normal stuff captured by audit logs is inaccessible in the simplify log. For example, I had a whole host of rules trying to capture some login events, but the reality is it would capture metadata around it. What I really wanted was to capture the actual audit event type=USER_LOGIN. Unfortunately (and again, maybe this is because I'm dumb) I can't seem to find a way to create an audit rule that applies a key to a type of event. So invariably all the logs I get are type=CONFIG_CHANGE, EOE or EXECVE.

Thoughts?

Thanks, Troy Cunningham

2017-01-31 5:02 GMT+00:00 mtkirby notifications@github.com:

Looks like a flood of errors is a normal thing, so I changed my audit.rules to ignore errors. I added -F exit=0 to all of my rules. You may want to do the same, or at the very least -F exit!=-2

On Mon, Jan 30, 2017 at 6:41 PM, M Kirby m.thomas.kirby@gmail.com wrote:

I made some more modifications today. It now includes error codes and description for non-zero exit codes. This will help identify broken apps as well as verification of suspicious activity. The auditd codes are available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields but I only use some of them. Here are the fields that I pick from auditd:

node type pid ppid acct addr comm cmd cwd exe exit hostname key name proctitle res result ses success terminal tty vm uid auid

And here are the fields that I add:

auditid port errcode errdesc date time uid_user auid_user epoch command

My script will log only the fields that are discovered in an event, so don't assume that all these will show up in each log. The proctitle is new and may seem redundant for EXECVE, but it's necessary for logging commands for network sockets.

Thanks.

On Mon, Jan 30, 2017 at 1:34 PM, TheSeraph <notifications@github.com> wrote:

Cool. Your changes seem to be working, although I noticed as part of it, the output k=v was changed up, like "res" to "success" and the user fields "auid_user" instead of "orig_user". I'll come back with updated logstash once I've filtered through the new fields!

Thanks, Troy Cunningham

2017-01-30 0:22 GMT+00:00 mtkirby notifications@github.com:

The code sets the umask to 0077 so that files created will be mode 600. Also, the logrotate settings in the instructions have "create 0600 root root". You may want to run 'journalctl -xe' and see if audit logs are showing up in journald. This is an issue I observed on Fedora and may occur in the next version of RHEL. You can disable it with 'systemctl mask systemd-journald-audit.socket'

I would love to see your Logstash configuration. I am running Splunk and its auto field detection works perfectly, but I'd like to expand to other log systems.

Thanks.

On Sun, Jan 29, 2017 at 5:59 PM, TheSeraph <notifications@github.com> wrote:

I'll definitely try it out tomorrow. Also not sure if this is on all systems (I'm usually on SELinux systems) but is there a part of the code or logrotate that sets the permissions on /var/log/audisp-simplify?

Lastly one of the reasons I'm interested and feeding back into your work is that I'm trying to do an open source log correlation thing with it and an ELK stack. I've got a working logstash config if that interests you.

On 1 Jan 2017 at 6:49 p.m., "mtkirby" <notifications@github.com> wrote:

I found the problem and rewrote a large chunk of the code. The only caveat is that all the rules must have a key name, otherwise it will not show up in the log. The log output is in a different order now too. Give the new code a try and let me know. Thanks.

On Thu, Jan 26, 2017 at 2:44 PM, TheSeraph <notifications@github.com> wrote:

Sure, here's the rule list just for testing:

[[REDACTED]@[REDACTED] ~]$ sudo auditctl -l
-w /etc/audit/rules.d/audit.rules -p rwa -k audit_tamper
-w /root/ -p w -k FILE
[[REDACTED]@[REDACTED] ~]$ sudo touch /root/test
[[REDACTED]@[REDACTED] ~]$ sudo nano /etc/audit/rules.d/audit.rules

And then running commands that should flag them, and searching if the audit engine has caught them:

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k audit_tamper

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427356): auid=4294967295 ses=4294967295 op="add rule" key="audit_tamper" list=4 res=1

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427389): item=0 name="/etc/audit/rules.d/audit.rules" inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1485462627.392:2427389): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427389): arch=c000003e syscall=2 success=yes exit=3 a0=16ab3b0 a1=0 a2=7fff66b63700 a3=7fff66b63490 items=1 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:27 2017
type=PATH msg=audit(1485462627.392:2427390): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462627.392:2427390): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462627.392:2427390): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462627.392:2427390): arch=c000003e syscall=2 success=yes exit=3 a0=16ac630 a1=441 a2=1b6 a3=0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

time->Thu Jan 26 20:30:33 2017
type=PATH msg=audit(1485462633.756:2427391): item=2 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=1 name=(null) inode=1526 dev=fd:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1485462633.756:2427391): item=0 name="/etc/audit/rules.d/" inode=1525 dev=fd:02 mode=040750 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462633.756:2427391): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462633.756:2427391): arch=c000003e syscall=2 success=yes exit=3 a0=16af290 a1=241 a2=1b6 a3=7fff66b632d0 items=3 ppid=25070 pid=25071 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="nano" exe="/usr/bin/nano" key="audit_tamper"

[[REDACTED]@[REDACTED] ~]$ sudo ausearch -k FILE

time->Thu Jan 26 20:29:18 2017
type=CONFIG_CHANGE msg=audit(1485462558.937:2427357): auid=4294967295 ses=4294967295 op="add rule" key="FILE" list=4 res=1

time->Thu Jan 26 20:29:32 2017
type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"

time->Thu Jan 26 20:30:16 2017
type=PATH msg=audit(1485462616.629:2427383): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=PATH msg=audit(1485462616.629:2427383): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1485462616.629:2427383): cwd="/home/[REDACTED]"
type=SYSCALL msg=audit(1485462616.629:2427383): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ad328f6 a1=941 a2=1b6 a3=7fff5ad31f70 items=2 ppid=25068 pid=25069 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="touch" exe="/usr/bin/touch" key="FILE"

Finally looking through the audisp-simplify log to see if they exist in there.

[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="audit_tamper"'
NO RESULTS
[[REDACTED]@[REDACTED] ~]$ sudo cat /var/log/audisp-simplify | grep 'key="FILE"'
type="" auditid=504374 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20205 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules.prev" cwd="/"
type="" auditid=504376 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:08:48+0000" pid=20206 user="root" origuser="" key="FILE" tty="(none)" ppid=20191 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=548506 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="19:11:01+0000" pid=20592 user="root" origuser="" key="FILE" tty="(none)" ppid=20577 exe="/usr/bin/cp" name="/etc/audit/audit.rules" cwd="/"
type="" auditid=2302372 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:25:43+0000" pid=24011 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=24010 exe="/usr/bin/touch" name="" cwd=""
type="" auditid=2427365 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:29:32+0000" pid=25049 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25048 exe="/usr/bin/rm" name="/root/test" cwd="/home/[REDACTED]"
type="" auditid=2427383 node="[REDACTED].[REDACTED].com" date="2017-01-26" time="20:30:16+0000" pid=25069 user="root" origuser="[REDACTED]" key="FILE" tty="pts0" ppid=25068 exe="/usr/bin/touch" name="/root/test" cwd="/home/[REDACTED]"
[[REDACTED]@[REDACTED] ~]$

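To make the redesign described in this comment concrete (one line per audit event, a "types" field listing the record types seen, errcode/errdesc for failed syscalls, blank and "?" values dropped), here is an added Python example. It is not the audisp-simplify Perl script and its field list is a subset of the one quoted above. The four records for serial 2427365 are the rm /root/test event from the ausearch output quoted in the thread; the ENOENT event (serial 2427400) is constructed. Two choices are my own, not the project's: only a negative exit value is treated as an error (for open(2) a positive exit is the new file descriptor, as the exit=3 records in the thread show), and auditd's unset-auid value 4294967295 is dropped like a blank.

```python
"""Flatten multi-record auditd events into one k=v line per event.

Added example written for this thread; it is not the audisp-simplify
script but shows the same idea: records sharing an audit serial are
merged, "types" lists the record types seen, error exits get
errcode/errdesc, and empty or "?" values are dropped.
"""
import errno
import os
import pwd
import re
import time

MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
# One k=v token: a double-quoted value (with escapes) or a bare value.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# auditd fields carried into the simplified line (subset of the thread's list).
KEEP = ("node", "pid", "ppid", "acct", "comm", "cwd", "exe", "exit", "key",
        "name", "proctitle", "ses", "tty", "uid", "auid")
# Values that carry no information; auditd writes 4294967295 for an unset auid/ses.
EMPTY = {"", "?", "(null)", "4294967295"}


def parse_record(line):
    """Return (serial, epoch, fields) for one raw audit record, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return int(m.group(2)), int(m.group(1)), fields


def user_name(uid):
    """Resolve a uid to a login name where the local passwd file knows it."""
    try:
        return pwd.getpwuid(int(uid)).pw_name
    except (KeyError, ValueError):
        return None


def decorate(ev):
    """Add derived fields: date/time from the epoch, errno info, user names."""
    t = time.gmtime(ev["epoch"])
    ev["date"] = time.strftime("%Y-%m-%d", t)
    ev["time"] = time.strftime("%H:%M:%S+0000", t)
    # Assumption: a negative syscall exit is -errno; positive values are results, not errors.
    code = int(ev.get("exit", "0"))
    if code < 0:
        ev["errcode"] = errno.errorcode.get(-code, str(-code))
        ev["errdesc"] = os.strerror(-code)
    for src, dst in (("uid", "uid_user"), ("auid", "auid_user")):
        name = user_name(ev[src]) if src in ev else None
        if name:
            ev[dst] = name
    return ev


def merge_events(lines):
    """Group records by audit serial; the first non-empty value of a field wins."""
    events = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, epoch, fields = parsed
        ev = events.setdefault(serial, {"auditid": serial, "epoch": epoch, "types": []})
        rtype = fields.get("type")
        if rtype and rtype not in ev["types"]:
            ev["types"].append(rtype)
        for k in KEEP:
            v = fields.get(k)
            if v is not None and v not in EMPTY and k not in ev:
                ev[k] = v
    return [decorate(ev) for _, ev in sorted(events.items())]


def format_event(ev):
    """Render an event as one line of k="v" pairs, lists comma-joined."""
    parts = []
    for k, v in ev.items():
        if isinstance(v, list):
            v = ",".join(v)
        if v in ("", "?"):
            continue
        parts.append(f'{k}="{v}"')
    return " ".join(parts)


# Sample input: the rm /root/test event quoted in the thread (serial 2427365)
# plus one constructed failing open() with exit=-2, ENOENT (serial 2427400).
SAMPLE_RECORDS = [
    'type=PATH msg=audit(1485462572.309:2427365): item=1 name="/root/test" inode=9630 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE',
    'type=PATH msg=audit(1485462572.309:2427365): item=0 name="/root/" inode=16386 dev=fd:02 mode=040550 ouid=0 ogid=0 rdev=00:00 objtype=PARENT',
    'type=CWD msg=audit(1485462572.309:2427365): cwd="/home/[REDACTED]"',
    'type=SYSCALL msg=audit(1485462572.309:2427365): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=14ff0c0 a2=0 a3=7fff5f897e20 items=2 ppid=25048 pid=25049 auid=3644 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=983 comm="rm" exe="/usr/bin/rm" key="FILE"',
    'type=SYSCALL msg=audit(1485462700.000:2427400): arch=c000003e syscall=2 success=no exit=-2 a0=0 a1=0 a2=0 a3=0 items=1 ppid=25100 pid=25101 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/usr/bin/cat" key="FILE"',
    'type=CWD msg=audit(1485462700.000:2427400): cwd="/root"',
    'type=PATH msg=audit(1485462700.000:2427400): item=0 name="/root/missing" objtype=UNKNOWN',
]

if __name__ == "__main__":
    for event in merge_events(SAMPLE_RECORDS):
        print(format_event(event))
```

Feeding it `ausearch --raw` output (one record per line) produces one line per serial; the first PATH record wins for name, which is why the rm event reports /root/test rather than its parent directory, matching the simplified line quoted earlier in the thread.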