{"id":103,"date":"2015-01-09T15:10:28","date_gmt":"2015-01-09T15:10:28","guid":{"rendered":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=103"},"modified":"2017-12-08T10:49:18","modified_gmt":"2017-12-08T10:49:18","slug":"the-auditd-module","status":"publish","type":"page","link":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=103","title":{"rendered":"The auditd module"},"content":{"rendered":"<p>The <code>auditd<\/code> module is a <a title=\"Dissection modules\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=131\">dissection module<\/a>: its purpose is to take an Orchids event, parse its last field (which should be a string) and return a refined Orchids event, with additional fields. Typically, the <code>auditd<\/code> module is meant to dissect text coming from the <a title=\"The textfile module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=87\"><code>textfile<\/code><\/a> or <a title=\"The bintotext module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=121\"><code>bintotext<\/code><\/a> modules, parsing it as an <a title=\"auditd\" href=\"https:\/\/doc.opensuse.org\/products\/draft\/SLES\/SLES-security_sd_draft\/cha.audit.scenarios.html#sec.audit.scenfs\">auditd<\/a> record.<\/p>\n<h3>Configuration options<\/h3>\n<p>None.<\/p>\n<p>Admissible event sources (on Linux systems) are:<\/p>\n<ul>\n<li>a text file such as <code>\/var\/log\/audit\/audit.log<\/code>, read through the <a title=\"The textfile module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=87\"><code>textfile<\/code><\/a> module (offline detection);<\/li>\n<li>a TCP Unix socket such as <code>\/var\/run\/audispd_events<\/code>, read through the <a title=\"The textfile module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=87\"><code>textfile<\/code><\/a> module (detection from an online, local feed); the name of the socket is 
specified in the <code>audispd<\/code> configuration file <code>\/etc\/audisp\/plugins.d\/af_unix.conf<\/code>;<\/li>\n<li>a UDP Internet socket, read through the <a title=\"The udp module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=171\"><code>udp<\/code><\/a> and <a title=\"The bintotext module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=121\"><code>bintotext<\/code><\/a> modules (for remote feeds, using <code>\/sbin\/audisp-remote<\/code>).<\/li>\n<\/ul>\n<h3>Fields<\/h3>\n<p>The <code>auditd<\/code> module only parses some of the fields of an auditd record. Parsing is mostly geared towards system call records, but some other kinds of records are also reported; see below.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.node<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>reporting host name; used with <a title=\"audisp-remote\" href=\"https:\/\/linux.die.net\/man\/8\/audisp-remote\">audisp-remote<\/a><\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.type<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td>\u2713<\/td>\n<td>type of event (<code>SYSCALL<\/code>, <code>PATH<\/code>, or other)<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.time<\/code><\/td>\n<td><code>timeval<\/code><\/td>\n<td>\u2713<\/td>\n<td>reporting time<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.serial<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td>\u2713<\/td>\n<td>event serial number<\/td>\n<\/tr>\n<tr 
style=\"background-color: powderblue;\">\n<td colspan=\"4\">If <code>.auditd.type==\"SYSCALL\"<\/code>:<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.arch<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>ELF architecture flags<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.syscall<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>syscall number<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.per<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>personality (optional)<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.success<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>syscall success<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.exit<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>exit value<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.a0<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>syscall argument 0<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.a1<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>syscall argument 1<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td>&#8230;<\/td>\n<td>\u00a0&#8230;<\/td>\n<td><\/td>\n<td>\u00a0&#8230;<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.a127<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>syscall argument 127<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.items<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>number of path records in the event<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.ppid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>parent pid<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.pid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>process 
id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.auid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>process auid<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.uid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.gid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.euid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>effective user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.suid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>set user id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.fsuid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>file system user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.egid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>effective group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.sgid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>set group id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.fsgid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>file system group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.tty<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>tty interface<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.ses<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>user&#8217;s SE Linux user account<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.comm<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>command line program name<\/td>\n<\/tr>\n<tr style=\"background-color: 
lightgrey;\">\n<td><code>.auditd.exe<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>executable name<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.subj<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>lspp subject&#8217;s context string<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.key<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>tty interface<\/td>\n<\/tr>\n<tr style=\"background-color: powderblue;\">\n<td colspan=\"4\">If <code>.auditd.type==\"PATH\"<\/code>:<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.item<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>item<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.name<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>the file name<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.inode<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>inode number<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.mode<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>mode<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.dev<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>device (64*major+minor)<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.ouid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>originator uid (beware, also object uid, see below)<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.ogid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>originator gid<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.rdev<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>real device (64*major+minor)<\/td>\n<\/tr>\n<tr style=\"background-color: 
lightgrey;\">\n<td><code>.auditd.nametype<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>nametype, may be &#8220;<code>PARENT<\/code>&#8221; or &#8220;<code>NORMAL<\/code>&#8221;<\/td>\n<\/tr>\n<tr style=\"background-color: powderblue;\">\n<td colspan=\"4\">If <code>.auditd.type==\"CWD\"<\/code>:<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.cwd<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>the current working directory<\/td>\n<\/tr>\n<tr style=\"background-color: powderblue;\">\n<td colspan=\"4\">If <code>.auditd.type==\"PROCTITLE\"<\/code>:<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.proctitle<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>process title or identifier<\/td>\n<\/tr>\n<tr style=\"background-color: powderblue;\">\n<td colspan=\"4\">If <code>.auditd.type==\"EXECVE\"<\/code>:<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.argc<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>number of arguments to execve, e.g., 3 for &#8220;tail&#8221; &#8220;-f&#8221; &#8220;audit.log&#8221;<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.s0<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>execve argument 0<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.s1<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>execve argument 1<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td>&#8230;<\/td>\n<td>\u00a0&#8230;<\/td>\n<td><\/td>\n<td>\u00a0&#8230;<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.s127<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>execve argument 127<\/td>\n<\/tr>\n<tr style=\"background-color: powderblue;\">\n<td colspan=\"4\">If <code>.auditd.type==\"ANOM_ABEND\"<\/code>:<\/td>\n<\/tr>\n<tr style=\"background-color: 
lightgrey;\">\n<td><code>.auditd.auid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>process auid<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.uid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.gid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.ses<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>user&#8217;s SE Linux user account<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.pid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>process id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.comm<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>command line program name<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.exe<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>executable name<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.sig<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>signal number<\/td>\n<\/tr>\n<tr style=\"background-color: powderblue;\">\n<td colspan=\"4\">If <code>.auditd.type==\"OBJ_PID\"<\/code>:<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.opid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>object pid<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.oauid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>object audit user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.ouid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>object user id (beware: also originator uid, see above)<\/td>\n<\/tr>\n<tr style=\"background-color: 
white;\">\n<td><code>.auditd.oses<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>object session number<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.auditd.obj<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>object reference<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.auditd.ocomm<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>object command<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>The auditd module is a dissection module: its purpose is to take an Orchids event, parse its last field (which should be a string) and return a refined Orchids event, with additional fields. Typically, the auditd module is meant to dissect text coming from the textfile or bintotext modules, parsing it as an auditd record. &hellip; <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=103\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">The auditd module<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-103","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=103"}],"version-history":[{"count":18,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/103\/revisions"}],"predecessor-version":[{"id":724,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/103\/revisions\/724"}],"wp:attachment":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}