Renamed auditd module fields #6080
Conversation
andrewkroh
added
in progress
| "action": "accepted-connection-from", | ||
| "category": "audit-rule", | ||
| "module": "auditd", | ||
| "type": "syscall" |
There was a problem hiding this comment.
Nice usage of type, module and category.
| "user": { | ||
| "auid": "unset", | ||
| "egid": "0", | ||
| "euid": "0", |
There was a problem hiding this comment.
These are the the ids which would also end up in user.id: [...] I assume?
There was a problem hiding this comment.
Yes. Do you think I should add that now? I could add it later.
There was a problem hiding this comment.
No need to add it now as it's just an addition / feature.
andrewkroh
force-pushed
the
feature/ab/auditd-event-format
branch
from
96f5459 to
cdc991e
Compare
|
I updated this with fields.yml changes, squashed, and give it a useful commit message. Please use the Rebase and Merge to keep the vendor changes separate from code changes. |
andrewkroh
added
v6.2.0
and removed
in progress
| description: > | ||
| The name of the module that generated the event. | ||
|
|
||
| - name: event.action |
There was a problem hiding this comment.
@MikePaquette That is an interesting field. I wonder if we can reuse this.
| type: text | ||
| description: The path to the file. | ||
| multi_fields: | ||
| - name: raw |
There was a problem hiding this comment.
@andrewkroh Potentially something we should support in ECS by default.
| fields: | ||
| - name: action | ||
| - name: user |
There was a problem hiding this comment.
I kind strange naming as it's user.selinux.user. Should this be account?
| type: keyword | ||
| description: This is the path associated with a unix socket. | ||
|
|
||
| - name: network.direction |
There was a problem hiding this comment.
Fingers cross that this is not changing ;-)
There was a problem hiding this comment.
I think we need to standardize on the enum values.
There was a problem hiding this comment.
+1 on having a recommend standard.
| - name: how | ||
| type: keyword | ||
| description: > | ||
| This describes how the action was performed. Usually this is the exe | ||
| or command that was being executed that triggered the event. | ||
| - name: key | ||
|
|
||
| - name: paths |
There was a problem hiding this comment.
It is usually a list of raw path objects so I named with a plural. Is that the correct way to do it?
There was a problem hiding this comment.
My argument is normally to make it singular as long as it's not an array, as the user that is accessing it only looks for a single item and the "key" for this entry reads correct. Here for example paths.inode, inode is only one path. But I have this conversation often with @exekias and we probably agreed to disagree 😆
| - name: saddr | ||
| type: keyword | ||
| description: The raw socket address structure. | ||
| - name: addr |
There was a problem hiding this comment.
I suggest not to use abbreviation for address.
There was a problem hiding this comment.
I opted for addr because that's the exact name coming from the kernel. But I can rename this is go-libaudit.
|
@andrewkroh This PR needs a make update. |
Updating to bc29b128d4099fb834634afb535241f1608fb2f0.
- Update to latest go-libaudit. - Fixed an issue where the proctitle value was being truncated. - Fixed an issue where process args were incorrectly interpretted as hex data. - Fixed parsing of the `key` value when multiple keys are present. - Added a warning to the examples rules about the cost of auditing all network traffic. - Changed the event format to allow for some common fields between modules. - Updated fields.yml. The dashboards need to be updated due to the field changes.
andrewkroh
force-pushed
the
feature/ab/auditd-event-format
branch
from
4d135cc to
e9870c3
Compare
|
I rebased it to fix some merge conflicts caused by me merging another PR. |
|
@andrewkroh I merged this to get the major change in. We can still continue to discuss the minor details. |
Updates to the auditd module
keyvalue when multiple keys are present.The dashboards need to be updated due to the field changes.
Closes #5423