Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auparse -i doens't create multiple netfilter_cfg events as a list #71

Open
knibbl opened this issue Jul 8, 2020 · 1 comment
Open

auparse -i doens't create multiple netfilter_cfg events as a list #71

knibbl opened this issue Jul 8, 2020 · 1 comment

Comments

@knibbl
Copy link

knibbl commented Jul 8, 2020

By testing the auparse command I saw that it doesn't summarize the values correctly or as expected. I wanted to know if this is done by purpose or if this needs additional effort for the interpreter.

Here the example log:

type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=10 entries=0
type=SYSCALL msg=audit(1593786232.477:31): arch=c000003e syscall=272 success=yes exit=0 a0=40000000 a1=7fffd2436fb0 a2=40000040 a3=22 items=0 ppid=1 pid=769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ostnamed)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1593786232.477:31): proctitle="(ostnamed)"

Here the command
auparse -i -format yaml

And the result

timestamp: 2020-07-03T14:23:52.477Z
sequence: 31
category: configuration
record_type: netfilter_cfg
result: success
session: unset
summary:
  actor:
    primary: unset
    secondary: root
  action: loaded-firewall-rule-to
  object:
    type: firewall
    primary: filter
  how: /usr/lib/systemd/systemd
user:
  ids:
    auid: unset
    egid: "0"
    euid: "0"
    fsgid: "0"
    fsuid: "0"
    gid: "0"
    sgid: "0"
    suid: "0"
    uid: "0"
  names:
    egid: root
    euid: root
    fsgid: root
    fsuid: root
    gid: root
    sgid: root
    suid: root
    uid: root
  selinux:
    domain: init_t
    level: s0
    role: system_r
    user: system_u
process:
  pid: "769"
  ppid: "1"
  title: (ostnamed)
  name: (ostnamed)
  exe: /usr/lib/systemd/systemd
data:
  a0: "40000000"
  a1: 7fffd2436fb0
  a2: "40000040"
  a3: "22"
  arch: x86_64
  entries: "0"
  exit: "0"
  family: "2"
  syscall: unshare
  table: filter
  tty: (none)
ecs:
  event:
    category:
    - process
    type:
    - info

As you can see in the output for the section data, there is no second entry for the second event with "family 10". Shouldn't that be part of the output, similar to your example with the list entries for type: PATH?
Thank you and regards.
@andrewkroh
Copy link
Member

I don't think there is any special handling for netfilter_cfg messages. IIRC it merges the fields into data so it's probably not overwriting the fields that already exist when the second message is added. In order to handle multiple netfilter_cfg messages in the same event there would need to be some special handling for that type in the code (like there is for paths).

@andrewkroh andrewkroh mentioned this issue Mar 9, 2023
Open
andrewkroh added a commit to andrewkroh/go-libaudit that referenced this issue Aug 29, 2023
@andrewkroh
Add failing test cases
7befc33 
Relates: elastic#127 elastic#71
@andrewkroh andrewkroh mentioned this issue Jan 3, 2024
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@knibbl @andrewkroh