diff --git a/linux_audit_logs/assets/logs/linux-audit-logs.yaml b/linux_audit_logs/assets/logs/linux-audit-logs.yaml
index 0a8f99294e05b..70c61e1d158e4 100644
--- a/linux_audit_logs/assets/logs/linux-audit-logs.yaml
+++ b/linux_audit_logs/assets/logs/linux-audit-logs.yaml
@@ -405,3 +405,1480 @@ pipeline: enabled: true sources: - status + - type: pipeline + name: Parsing User Role Assign logs + enabled: true + filter: + query: "@type:ROLE_ASSIGN" + processors: + - type: attribute-remapper + name: Map `msg.new-seuser` to `target_user_name` + enabled: true + sources: + - msg.new-seuser + sourceType: attribute + target: target_user_name + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: grok-parser + name: Convert `msg.new-role` into an array + enabled: true + source: msg.new-role + samples: + - staff_r + grok: + supportRules: "" + matchRules: rule_convert_role_into_array %{data:privileges:array} + - type: pipeline + name: Parsing User Role Remove logs + enabled: true + filter: + query: "@type:ROLE_REMOVE" + processors: + - type: attribute-remapper + name: Map `msg.old-seuser` to `target_user_name` + enabled: true + sources: + - msg.old-seuser + sourceType: attribute + target: target_user_name + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: grok-parser + name: Convert `msg.old-role` into an array + enabled: true + source: msg.old-role + samples: + - staff_r + grok: + supportRules: "" + matchRules: rule_convert_role_into_array %{data:privileges:array} + - type: pipeline + name: OCSF pre transformations + enabled: true + filter: + query: "@type:(ADD_GROUP OR DEL_GROUP OR ADD_USER OR DEL_USER OR USER_CHAUTHTOK + OR USER_AUTH OR ROLE_ASSIGN OR ROLE_REMOVE OR PATH OR USER_ROLE_CHANGE + OR USER_SELINUX_ERR OR DAEMON_CONFIG OR DAEMON_ABORT OR + USER_MAC_CONFIG_CHANGE OR MAC_CONFIG_CHANGE OR MAC_STATUS OR + MAC_POLICY_LOAD OR AVC OR CONFIG_CHANGE OR SYSCALL)" + processors: + - type: string-builder-processor + name: Add product name + enabled: true + template: Linux Audit + target: ocsf.metadata.product.name + replaceMissing: false + - type: string-builder-processor + name: Add product vendor + enabled: true + template: Linux + target: ocsf.metadata.product.vendor_name + 
replaceMissing: false + - type: pipeline + name: OCSF sub pipeline for class Base Event [0] + enabled: true + filter: + query: "@type:(USER_ROLE_CHANGE OR USER_SELINUX_ERR OR DAEMON_CONFIG OR + DAEMON_ABORT OR USER_MAC_CONFIG_CHANGE OR MAC_CONFIG_CHANGE OR + MAC_STATUS OR MAC_POLICY_LOAD OR AVC OR CONFIG_CHANGE OR SYSCALL)" + processors: + - type: schema-processor + name: Apply OCSF schema for 0 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: Base Event + classUid: 0 + extensions: [] + profiles: [] + mappers: + - name: ocsf.activity_id + categories: + - filter: + query: "*" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.status_id + categories: + - filter: + query: "@msg.res:success" + name: Success + id: 1 + - filter: + query: "@msg.res:failed" + name: Failure + id: 2 + targets: + name: ocsf.status + id: ocsf.status_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.metadata + sources: + - ocsf.metadata + sourceType: attribute + target: ocsf.metadata + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product + sources: + - ocsf.metadata.product + sourceType: attribute + target: ocsf.metadata.product + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.time + sources: + - timestamp + sourceType: attribute + target: ocsf.time + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.name + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + targetFormat: string + 
preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.vendor_name + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.event_code + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - type: pipeline + name: OCSF sub pipeline for class Authentication [3002] + enabled: true + filter: + query: "@type:USER_AUTH" + processors: + - type: string-builder-processor + name: Set ocsf.actor.session.uid attribute + enabled: true + template: "%{ses}" + target: ocsf.actor.session.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.actor.process.user.uid attribute + enabled: true + template: "%{usr.id}" + target: ocsf.actor.process.user.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.actor.user.uid attribute + enabled: true + template: "%{auid}" + target: ocsf.actor.user.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.user.uid attribute + enabled: true + template: "%{msg.id}" + target: ocsf.user.uid + replaceMissing: false + - type: schema-processor + name: Apply OCSF schema for 3002 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: Authentication + classUid: 3002 + extensions: [] + profiles: [] + mappers: + - name: ocsf.activity_id + categories: + - filter: + query: "@type:USER_AUTH" + name: Logon + id: 1 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: {} + sources: {} + type: 
schema-category-mapper + - name: ocsf.status_id + categories: + - filter: + query: "@msg.res:success" + name: Success + id: 1 + - filter: + query: "@msg.res:failed" + name: Failure + id: 2 + targets: + name: ocsf.status + id: ocsf.status_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.metadata + sources: + - ocsf.metadata + sourceType: attribute + target: ocsf.metadata + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product + sources: + - ocsf.metadata.product + sourceType: attribute + target: ocsf.metadata.product + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.time + sources: + - timestamp + sourceType: attribute + target: ocsf.time + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.name + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.event_code + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.vendor_name + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.pid + sources: + - pid + sourceType: attribute + target: ocsf.actor.process.pid + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user.uid + sources: + - ocsf.actor.user.uid + sourceType: attribute + target: ocsf.actor.user.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.session.uid + sources: + - ocsf.actor.session.uid + sourceType: 
attribute + target: ocsf.actor.session.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user.name + sources: + - AUID + sourceType: attribute + target: ocsf.actor.user.name + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.user + sources: + - ocsf.user + sourceType: attribute + target: ocsf.user + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.user.name + sources: + - msg.acct + sourceType: attribute + target: ocsf.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.session.terminal + sources: + - msg.terminal + sourceType: attribute + target: ocsf.actor.session.terminal + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.dst_endpoint.ip + sources: + - network.client.ip + sourceType: attribute + target: ocsf.dst_endpoint.ip + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.dst_endpoint.hostname + sources: + - msg.hostname + sourceType: attribute + target: ocsf.dst_endpoint.hostname + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.user.name + sources: + - usr.name + sourceType: attribute + target: ocsf.actor.process.user.name + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.user.uid + sources: + - ocsf.actor.process.user.uid + sourceType: attribute + target: ocsf.actor.process.user.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.path + sources: + - msg.exe + sourceType: attribute + target: ocsf.actor.process.path + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.user.uid + sources: + - ocsf.user.uid + sourceType: 
attribute + target: ocsf.user.uid + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - type: pipeline + name: OCSF sub pipeline for class Account Change [3001] + enabled: true + filter: + query: "@type:(ADD_USER OR DEL_USER OR USER_CHAUTHTOK)" + processors: + - type: string-builder-processor + name: Set ocsf.actor.session.uid attribute + enabled: true + template: "%{ses}" + target: ocsf.actor.session.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.actor.process.user.uid attribute + enabled: true + template: "%{usr.id}" + target: ocsf.actor.process.user.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.actor.user.uid attribute + enabled: true + template: "%{auid}" + target: ocsf.actor.user.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.user.uid attribute + enabled: true + template: "%{msg.id}" + target: ocsf.user.uid + replaceMissing: false + - type: schema-processor + name: Apply OCSF schema for 3001 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: Account Change + classUid: 3001 + extensions: [] + profiles: [] + mappers: + - name: ocsf.activity_id + categories: + - filter: + query: "@type:ADD_USER" + name: Create + id: 1 + - filter: + query: "@type:DEL_USER" + name: Delete + id: 6 + - filter: + query: "@type:USER_CHAUTHTOK" + name: Password Change + id: 3 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.status_id + categories: + - filter: + query: "@msg.res:success" + name: Success + id: 1 + - filter: + query: "@msg.res:failed" + name: Failure + id: 2 + targets: + name: ocsf.status + 
id: ocsf.status_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.metadata + sources: + - ocsf.metadata + sourceType: attribute + target: ocsf.metadata + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product + sources: + - ocsf.metadata.product + sourceType: attribute + target: ocsf.metadata.product + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.time + sources: + - timestamp + sourceType: attribute + target: ocsf.time + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.name + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.event_code + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.vendor_name + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.pid + sources: + - pid + sourceType: attribute + target: ocsf.actor.process.pid + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.user.uid + sources: + - ocsf.actor.process.user.uid + sourceType: attribute + target: ocsf.actor.process.user.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user.uid + sources: + - ocsf.actor.user.uid + sourceType: attribute + target: ocsf.actor.user.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.session.uid + sources: + - ocsf.actor.session.uid + sourceType: attribute + target: 
ocsf.actor.session.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user.name + sources: + - AUID + sourceType: attribute + target: ocsf.actor.user.name + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.user.name + sources: + - usr.name + sourceType: attribute + target: ocsf.actor.process.user.name + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.user + sources: + - ocsf.user + sourceType: attribute + target: ocsf.user + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.user.name + sources: + - msg.acct + sourceType: attribute + target: ocsf.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.user.uid + sources: + - ocsf.user.uid + sourceType: attribute + target: ocsf.user.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.src_endpoint.ip + sources: + - network.client.ip + sourceType: attribute + target: ocsf.src_endpoint.ip + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.src_endpoint.hostname + sources: + - msg.hostname + sourceType: attribute + target: ocsf.src_endpoint.hostname + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.session.terminal + sources: + - msg.terminal + sourceType: attribute + target: ocsf.actor.session.terminal + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.path + sources: + - msg.exe + sourceType: attribute + target: ocsf.actor.process.path + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - type: pipeline + name: OCSF sub pipeline for class Group Management [3006] + enabled: true + filter: + query: "@type:(ADD_GROUP 
OR DEL_GROUP)" + processors: + - type: string-builder-processor + name: Set ocsf.actor.session.uid attribute + enabled: true + template: "%{ses}" + target: ocsf.actor.session.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.actor.process.user.uid attribute + enabled: true + template: "%{usr.id}" + target: ocsf.actor.process.user.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.actor.user.uid attribute + enabled: true + template: "%{auid}" + target: ocsf.actor.user.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.group.uid attribute + enabled: true + template: "%{msg.id}" + target: ocsf.group.uid + replaceMissing: false + - type: schema-processor + name: Apply OCSF schema for 3006 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: Group Management + classUid: 3006 + extensions: [] + profiles: [] + mappers: + - name: ocsf.activity_id + categories: + - filter: + query: type:ADD_GROUP + name: Create + id: 6 + - filter: + query: "@type:ADD_GROUP" + name: Create + id: 6 + - filter: + query: "@type:DEL_GROUP" + name: Delete + id: 5 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.metadata + sources: + - ocsf.metadata + sourceType: attribute + target: ocsf.metadata + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product + sources: + - ocsf.metadata.product + sourceType: attribute + target: ocsf.metadata.product + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.group + sources: + - ocsf.group + sourceType: attribute + target: ocsf.group + preserveSource: 
false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.time + sources: + - timestamp + sourceType: attribute + target: ocsf.time + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.name + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.event_code + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.group.name + sources: + - msg.acct + sourceType: attribute + target: ocsf.group.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.vendor_name + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.pid + sources: + - pid + sourceType: attribute + target: ocsf.actor.process.pid + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.user.uid + sources: + - ocsf.actor.process.user.uid + sourceType: attribute + target: ocsf.actor.process.user.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user.uid + sources: + - ocsf.actor.user.uid + sourceType: attribute + target: ocsf.actor.user.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.session.uid + sources: + - ocsf.actor.session.uid + sourceType: attribute + target: ocsf.actor.session.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.status_id + categories: + - filter: + query: "@msg.res:success" + name: Success + id: 1 + - filter: + 
query: "@msg.res:failed" + name: Failure + id: 2 + targets: + name: ocsf.status + id: ocsf.status_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.actor.user.name + sources: + - AUID + sourceType: attribute + target: ocsf.actor.user.name + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.user.name + sources: + - usr.name + sourceType: attribute + target: ocsf.actor.process.user.name + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.group.uid + sources: + - ocsf.group.uid + sourceType: attribute + target: ocsf.group.uid + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.src_endpoint.hostname + sources: + - msg.hostname + sourceType: attribute + target: ocsf.src_endpoint.hostname + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.src_endpoint.ip + sources: + - network.client.ip + sourceType: attribute + target: ocsf.src_endpoint.ip + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.session.terminal + sources: + - msg.terminal + sourceType: attribute + target: ocsf.actor.session.terminal + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.path + sources: + - msg.exe + sourceType: attribute + target: ocsf.actor.process.path + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - type: pipeline + name: OCSF sub pipeline for class User Access Management [3005] + enabled: true + filter: + query: "@type:(ROLE_ASSIGN OR ROLE_REMOVE)" + processors: + - type: string-builder-processor + name: Set ocsf.actor.session.uid attribute + enabled: true + template: "%{ses}" + target: ocsf.actor.session.uid + replaceMissing: false + - type: string-builder-processor + name: Set 
ocsf.actor.process.user.uid attribute + enabled: true + template: "%{usr.id}" + target: ocsf.actor.process.user.uid + replaceMissing: false + - type: string-builder-processor + name: Set ocsf.actor.user.uid attribute + enabled: true + template: "%{auid}" + target: ocsf.actor.user.uid + replaceMissing: false + - type: schema-processor + name: Apply OCSF schema for 3005 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: User Access Management + classUid: 3005 + extensions: [] + profiles: [] + mappers: + - name: ocsf.activity_id + categories: + - filter: + query: "@type:ROLE_REMOVE" + name: Revoke Privileges + id: 2 + - filter: + query: "@type:ROLE_ASSIGN" + name: Assign Privileges + id: 1 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.status_id + categories: + - filter: + query: "@msg.res:success" + name: Success + id: 1 + - filter: + query: "@msg.res:failed" + name: Failure + id: 2 + targets: + name: ocsf.status + id: ocsf.status_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.metadata + sources: + - ocsf.metadata + sourceType: attribute + target: ocsf.metadata + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product + sources: + - ocsf.metadata.product + sourceType: attribute + target: ocsf.metadata.product + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.time + sources: + - timestamp + sourceType: attribute + target: ocsf.time + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.privileges + sources: + - privileges + sourceType: attribute 
+ target: ocsf.privileges + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.user + sources: + - ocsf.user + sourceType: attribute + target: ocsf.user + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.name + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.vendor_name + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.user.name + sources: + - target_user_name + sourceType: attribute + target: ocsf.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.pid + sources: + - pid + sourceType: attribute + target: ocsf.actor.process.pid + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.user.uid + sources: + - uid + sourceType: attribute + target: ocsf.actor.process.user.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.user.name + sources: + - usr.name + sourceType: attribute + target: ocsf.actor.process.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user.uid + sources: + - ocsf.actor.user.uid + sourceType: attribute + target: ocsf.actor.user.uid + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user.name + sources: + - AUID + sourceType: attribute + target: ocsf.actor.user.name + targetFormat: string + preserveSource: 
true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user + sources: + - ocsf.actor.user + sourceType: attribute + target: ocsf.actor.user + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor + sources: + - ocsf.actor + sourceType: attribute + target: ocsf.actor + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.event_code + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.src_endpoint + sources: + - ocsf.src_endpoint + sourceType: attribute + target: ocsf.src_endpoint + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.src_endpoint.hostname + sources: + - msg.hostname + sourceType: attribute + target: ocsf.src_endpoint.hostname + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.src_endpoint.ip + sources: + - network.client.ip + sourceType: attribute + target: ocsf.src_endpoint.ip + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.process.path + sources: + - msg.exe + sourceType: attribute + target: ocsf.actor.process.path + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.session.terminal + sources: + - msg.terminal + sourceType: attribute + target: ocsf.actor.session.terminal + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - type: pipeline + name: OCSF sub pipeline for class File System Activity [1001] + enabled: true + filter: + query: "@type:PATH" + processors: + - type: grok-parser + name: Extracting file or folder name + enabled: true + source: name + samples: + - /etc/shadow + - /run/ 
+ - /run/nginx.pid + grok: + supportRules: file_or_folder_path (/%{regex("[^/]*")})* + matchRules: >- + rule_extract_folder_name + %{file_or_folder_path}/%{regex("[^/]*"):folder_name}/ + + rule_extract_file_name %{file_or_folder_path}/%{data:file_name} + - type: grok-parser + name: Extracting file extention + enabled: true + source: file_name + samples: + - nginx.pid + - libcrypt.so.1 + - ld.so.cache + grok: + supportRules: "" + matchRules: >- + rule_extract_file_extention_1 + (%{regex("[^.]*")}.)+%{word:ocsf.file.ext}.%{number} + + rule_extract_file_extention_2 (%{regex("[^.]*")}.)+%{word:ocsf.file.ext} + - type: string-builder-processor + name: Set ocsf.file.name attribute + enabled: true + template: "%{folder_name}%{file_name}" + target: ocsf.file.name + replaceMissing: true + - type: string-builder-processor + name: Set ocsf.actor.user.uid attribute + enabled: true + template: "%{ouid}%{usr.id}" + target: ocsf.actor.user.uid + replaceMissing: true + - type: schema-processor + name: Apply OCSF schema for 1001 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: File System Activity + classUid: 1001 + extensions: [] + profiles: [] + mappers: + - name: ocsf.activity_id + categories: + - filter: + query: "@nametype:UNKNOWN" + name: Unknown + id: 0 + - filter: + query: "@nametype:CREATE" + name: Create + id: 1 + - filter: + query: "@nametype:(PARENT OR NORMAL)" + name: Read + id: 2 + - filter: + query: "@nametype:DELETE" + name: Delete + id: 4 + - filter: + query: "-@nametype:(CREATE OR DELETE PARENT OR NORMAL OR UNKNOWN)" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.file.type_id + categories: + - filter: + query: "@file_name:*" + name: Regular File + id: 1 + - filter: + query: "@folder_name:*" + name: Folder + id: 2 + targets: + name: ocsf.file.type + id: ocsf.file.type_id + fallback: + values: {} + sources: {} + type: 
schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.status_id + categories: + - filter: + query: "@msg.res:success" + name: Success + id: 1 + - filter: + query: "@msg.res:failed" + name: Failure + id: 2 + targets: + name: ocsf.status + id: ocsf.status_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.device.type_id + categories: + - filter: + query: "*" + name: Unknown + id: 0 + targets: + name: ocsf.device.type + id: ocsf.device.type_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: ocsf.metadata + sources: + - ocsf.metadata + sourceType: attribute + target: ocsf.metadata + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product + sources: + - ocsf.metadata.product + sourceType: attribute + target: ocsf.metadata.product + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.time + sources: + - timestamp + sourceType: attribute + target: ocsf.time + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.name + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.product.vendor_name + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.metadata.event_code + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: 
true + type: schema-remapper + - name: ocsf.actor.user.uid + sources: + - ocsf.actor.user.uid + sourceType: attribute + target: ocsf.actor.user.uid + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user.name + sources: + - usr.name + sourceType: attribute + target: ocsf.actor.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor.user + sources: + - ocsf.actor.user + sourceType: attribute + target: ocsf.actor.user + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.actor + sources: + - ocsf.actor + sourceType: attribute + target: ocsf.actor + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.file + sources: + - ocsf.file + sourceType: attribute + target: ocsf.file + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.file.name + sources: + - ocsf.file.name + sourceType: attribute + target: ocsf.file.name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.file.path + sources: + - name + sourceType: attribute + target: ocsf.file.path + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.file.ext + sources: + - ocsf.file.ext + sourceType: attribute + target: ocsf.file.ext + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.device + sources: + - ocsf.device + sourceType: attribute + target: ocsf.device + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.device.uid + sources: + - dev + sourceType: attribute + target: ocsf.device.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper 
diff --git a/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml b/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml index 9a26ac78c437c..e67b2c8180899 100644 --- a/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml +++ b/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml @@ -25,6 +25,23 @@ tests: geoip: invalidAddress: "?" ip: "?" + ocsf: + activity_id: 99 + activity_name: "Other" + category_uid: 0 + class_name: "Base Event" + class_uid: 0 + metadata: + event_code: "USER_MAC_CONFIG_CHANGE" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + status: "Success" + status_id: 1 + time: 1736329118112 pid: 381980 post_msg_kv: "" pre_msg_kv: "" @@ -65,6 +82,42 @@ tests: client: geoip: {} ip: "10.10.10.10" + ocsf: + activity_id: 1 + activity_name: "Logon" + actor: + process: + path: "/usr/sbin/sshd" + pid: 155615 + user: + name: "root" + uid: "0" + session: + terminal: "ssh" + uid: "4294967295" + user: + name: "unset" + uid: "4294967295" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Authentication" + class_uid: 3002 + dst_endpoint: + hostname: "10.10.10.10" + ip: "10.10.10.10" + metadata: + event_code: "USER_AUTH" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + status: "Success" + status_id: 1 + time: 1740139921923 + user: + name: "devuser" pid: 155615 post_msg_kv: "" pre_msg_kv: "" @@ -92,6 +145,23 @@ tests: msg: res: "success" msg_raw: "" + ocsf: + activity_id: 99 + activity_name: "Other" + category_uid: 0 + class_name: "Base Event" + class_uid: 0 + metadata: + event_code: "MAC_STATUS" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + status: "Success" + status_id: 1 + time: 1740386730535 old-enabled: 1 old_enforcing: 1 post_msg_kv: "" 
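Review bot: The USER_AUTH fixture expects the PAM `hostname`/`addr` pair to land in `dst_endpoint` (`dst_endpoint.hostname: "10.10.10.10"`, `dst_endpoint.ip: "10.10.10.10"`), while the ADD_GROUP fixture in a later hunk puts the same audit fields into `src_endpoint`; for an sshd logon the audit `hostname`/`addr` is the remote peer that initiated the authentication, so `src_endpoint` is the field an analyst will pivot on and the two expectations should agree. The same result also pins `actor.session.uid: "4294967295"` and `actor.session.user.uid: "4294967295"`, which is the kernel's unset sentinel (-1 as u32) for `ses`/`auid` rather than a real session or login uid; carried through as a string it creates a bogus "user 4294967295" facet, so consider dropping those fields when the raw value is 4294967295 (the interpreted `name: "unset"` already signals it). The sample line for this fixture is outside the hunk, so the exact source keys are inferred from the result.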
@@ -119,6 +189,21 @@ tests: ino: 1 msg_raw: "" name: "/" + ocsf: + activity_id: 99 + activity_name: "Other" + category_uid: 0 + class_name: "Base Event" + class_uid: 0 + metadata: + event_code: "AVC" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1669185724533 operation: "getattr" outcome: "DENIED" permissive: 0 @@ -154,6 +239,21 @@ tests: geoip: invalidAddress: "?" ip: "?" + ocsf: + activity_id: 99 + activity_name: "Other" + category_uid: 0 + class_name: "Base Event" + class_uid: 0 + metadata: + event_code: "USER_SELINUX_ERR" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1669714331555 pid: 1 post_msg_kv: "" pre_msg_kv: "" @@ -187,6 +287,23 @@ tests: client: geoip: {} ip: "10.10.10.10" + ocsf: + activity_id: 99 + activity_name: "Other" + category_uid: 0 + class_name: "Base Event" + class_uid: 0 + metadata: + event_code: "USER_ROLE_CHANGE" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + status: "Success" + status_id: 1 + time: 1741000050325 pid: 60958 post_msg_kv: "" pre_msg_kv: "" @@ -211,6 +328,21 @@ tests: linux_audit_logs: bool: "virt_use_nfs" msg_raw: "" + ocsf: + activity_id: 99 + activity_name: "Other" + category_uid: 0 + class_name: "Base Event" + class_uid: 0 + metadata: + event_code: "MAC_CONFIG_CHANGE" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1678360880644 old_val: 0 post_msg_kv: "" pre_msg_kv: "" 
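Review bot: The AVC fixture pins `severity: "Informational"` with no `status`/`status_id` for a record whose parsed fields say `outcome: "DENIED"` and `permissive: 0`, i.e. an enforced SELinux denial, which is exactly the event type in this file where a blanket Informational mapping hides the signal. At minimum the expected result should carry `status: "Failure"` / `status_id: 2` when `outcome` is `DENIED` (the status mapper keys only on `msg.res`, which AVC records do not have), and an enforced denial arguably deserves a severity above that of a successful group add. If keeping AVC as `class_name: "Base Event"` with `activity_id: 99` is intentional pending a proper class mapping, a one-line comment on the fixture saying so would stop the next reader from treating it as validated behaviour.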
@@ -247,6 +379,42 @@ tests: geoip: invalidAddress: "?" ip: "?" + ocsf: + activity_id: 6 + activity_name: "Create" + actor: + process: + path: "/usr/sbin/groupadd" + pid: 12258 + user: + name: "root" + uid: "0" + session: + terminal: "pts/3" + uid: "535" + user: + name: "serviceuser" + uid: "1001" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Group Management" + class_uid: 3006 + group: + uid: "1004" + metadata: + event_code: "ADD_GROUP" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + hostname: "ub10-10-10-10" + ip: "?" + status: "Success" + status_id: 1 + time: 1.740980591704E12 pid: 12258 post_msg_kv: "" pre_msg_kv: "" 
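Review bot: The expected result stores the literal `?` that auditd emits for an unknown address into `ocsf.src_endpoint.ip: "?"`, even though the same value is already recognised as `geoip.invalidAddress: "?"` on the network.client side; an OCSF IP field holding `?` will fail downstream type validation and pollute IP facets with a junk value. The remapper feeding `src_endpoint.ip` should skip the value when `addr` is `?` (guard it with a filter that excludes the placeholder), and the fixture should then expect `src_endpoint` with only `hostname: "ub10-10-10-10"`. Separately, `time: 1.740980591704E12` is rendered as a float while the same record's `timestamp: 1740980591704` is an integer; the `ocsf.time` remapper declares `targetFormat: integer`, so if the float form is what the pipeline really produces it is worth checking, since OCSF `time` is an integer epoch-millis field.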
@@ -262,4 +430,722 @@ tests: status: "ok" tags: - "source:LOGS_SOURCE" - timestamp: 1740980591704 \ No newline at end of file + timestamp: 1740980591704 + - + sample: "type=DEL_GROUP msg=audit(1765794074.279:2333): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-group grp=\"testuser\" acct=\"testuser\" exe=\"/usr/sbin/userdel\" hostname=localhost addr=? terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"serviceuser\"" + result: + custom: + AUID: "serviceuser" + auid: 1001 + event_id: 2333 + msg: + acct: "testuser" + exe: "/usr/sbin/userdel" + grp: "testuser" + hostname: "localhost" + op: + - "delete-group" + res: "success" + terminal: "pts/1" + msg_raw: "" + network: + client: + geoip: + invalidAddress: "?" + ip: "?" + ocsf: + activity_id: 5 + activity_name: "Delete" + actor: + process: + path: "/usr/sbin/userdel" + pid: 161731 + user: + name: "root" + uid: "0" + session: + terminal: "pts/1" + uid: "27" + user: + name: "serviceuser" + uid: "1001" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Group Management" + class_uid: 3006 + group: + name: "testuser" + metadata: + event_code: "DEL_GROUP" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + hostname: "localhost" + ip: "?" + status: "Success" + status_id: 1 + time: 1.765794074279E12 + pid: 161731 + post_msg_kv: "" + pre_msg_kv: "" + ses: 27 + status: "ok" + subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" + timestamp: 1.765794074279E12 + type: "DEL_GROUP" + usr: + id: 0 + name: "root" + message: "type=DEL_GROUP msg=audit(1765794074.279:2333): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-group grp=\"testuser\" acct=\"testuser\" exe=\"/usr/sbin/userdel\" hostname=localhost addr=? 
terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"serviceuser\"" + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1765794074279 + - + sample: "type=ADD_USER msg=audit(1635509157.089:345): pid=73290 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct=\"serviceuser\" exe=\"/usr/sbin/useradd\" hostname=localhost addr=? terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"root\"" + result: + custom: + AUID: "root" + auid: 0 + event_id: 345 + msg: + acct: "serviceuser" + exe: "/usr/sbin/useradd" + hostname: "localhost" + op: + - "add-user" + res: "success" + terminal: "pts/1" + msg_raw: "" + network: + client: + geoip: + invalidAddress: "?" + ip: "?" + ocsf: + activity_id: 1 + activity_name: "Create" + actor: + process: + path: "/usr/sbin/useradd" + pid: 73290 + user: + name: "root" + uid: "0" + session: + terminal: "pts/1" + uid: "3" + user: + name: "root" + uid: "0" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + metadata: + event_code: "ADD_USER" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + hostname: "localhost" + ip: "?" + status: "Success" + status_id: 1 + time: 1.635509157089E12 + user: + name: "serviceuser" + pid: 73290 + post_msg_kv: "" + pre_msg_kv: "" + ses: 3 + status: "ok" + subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" + timestamp: 1.635509157089E12 + type: "ADD_USER" + usr: + id: 0 + name: "root" + message: "type=ADD_USER msg=audit(1635509157.089:345): pid=73290 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct=\"serviceuser\" exe=\"/usr/sbin/useradd\" hostname=localhost addr=? 
terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"root\"" + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1635509157089 + - + sample: "type=DEL_USER msg=audit(1740379094.277:2332): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-user id=1003 exe=\"/usr/sbin/userdel\" hostname=localhost addr=? terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"serviceuser\" ID=\"testuser\"" + result: + custom: + AUID: "serviceuser" + ID: "testuser" + auid: 1001 + event_id: 2332 + msg: + exe: "/usr/sbin/userdel" + hostname: "localhost" + id: 1003 + op: + - "delete-user" + res: "success" + terminal: "pts/1" + msg_raw: "" + network: + client: + geoip: + invalidAddress: "?" + ip: "?" + ocsf: + activity_id: 6 + activity_name: "Delete" + actor: + process: + path: "/usr/sbin/userdel" + pid: 161731 + user: + name: "root" + uid: "0" + session: + terminal: "pts/1" + uid: "27" + user: + name: "serviceuser" + uid: "1001" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + metadata: + event_code: "DEL_USER" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + hostname: "localhost" + ip: "?" + status: "Success" + status_id: 1 + time: 1.740379094277E12 + user: + uid: "1003" + pid: 161731 + post_msg_kv: "" + pre_msg_kv: "" + ses: 27 + status: "ok" + subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" + timestamp: 1.740379094277E12 + type: "DEL_USER" + usr: + id: 0 + name: "root" + message: "type=DEL_USER msg=audit(1740379094.277:2332): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-user id=1003 exe=\"/usr/sbin/userdel\" hostname=localhost addr=? 
terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"serviceuser\" ID=\"testuser\"" + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740379094277 + - + sample: "type=USER_CHAUTHTOK msg=audit(1635509189.860:347): pid=73297 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_pwquality,pam_unix acct=\"serviceuser\" exe=\"/usr/bin/passwd\" hostname=localhost addr=? terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"root\"" + result: + custom: + AUID: "root" + auid: 0 + event_id: 347 + msg: + acct: "serviceuser" + exe: "/usr/bin/passwd" + grantors: + - "pam_pwquality" + - "pam_unix" + hostname: "localhost" + op: + - "PAM:chauthtok" + res: "success" + terminal: "pts/1" + msg_raw: "" + network: + client: + geoip: + invalidAddress: "?" + ip: "?" + ocsf: + activity_id: 3 + activity_name: "Password Change" + actor: + process: + path: "/usr/bin/passwd" + pid: 73297 + user: + name: "root" + uid: "0" + session: + terminal: "pts/1" + uid: "3" + user: + name: "root" + uid: "0" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + metadata: + event_code: "USER_CHAUTHTOK" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + hostname: "localhost" + ip: "?" + status: "Success" + status_id: 1 + time: 1.63550918986E12 + user: + name: "serviceuser" + pid: 73297 + post_msg_kv: "" + pre_msg_kv: "" + ses: 3 + status: "ok" + subj: "unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023" + timestamp: 1.63550918986E12 + type: "USER_CHAUTHTOK" + usr: + id: 0 + name: "root" + message: "type=USER_CHAUTHTOK msg=audit(1635509189.860:347): pid=73297 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_pwquality,pam_unix acct=\"serviceuser\" exe=\"/usr/bin/passwd\" hostname=localhost addr=? 
terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"root\"" + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1635509189860 + - + sample: "type=ROLE_ASSIGN msg=audit(1740720945.670:879): pid=11107 uid=0 auid=1001 ses=21 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser-role,range id=0 old-seuser=user_u old-role=user_r old-range=s0 new-seuser=user_u new-role=staff_r new-range=? exe=/sbin/semanage hostname=localhost addr=? terminal=pts/0 res=success'\x1dUID=\"root\" AUID=\"serviceuser\" ID=\"root\"" + result: + custom: + AUID: "serviceuser" + ID: "root" + auid: 1001 + event_id: 879 + msg: + exe: "/sbin/semanage" + hostname: "localhost" + id: 0 + new-range: "?" + new-role: "staff_r" + new-seuser: "user_u" + old-range: "s0" + old-role: "user_r" + old-seuser: "user_u" + op: + - "seuser-role" + - "range" + res: "success" + terminal: "pts/0" + msg_raw: "" + network: + client: + geoip: + invalidAddress: "?" + ip: "?" + ocsf: + activity_id: 1 + activity_name: "Assign Privileges" + actor: + process: + path: "/sbin/semanage" + pid: 11107 + user: + name: "root" + uid: "0" + session: + terminal: "pts/0" + uid: "21" + user: + name: "serviceuser" + uid: "1001" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "User Access Management" + class_uid: 3005 + metadata: + event_code: "ROLE_ASSIGN" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + privileges: + - "staff_r" + severity: "Informational" + severity_id: 1 + src_endpoint: + hostname: "localhost" + ip: "?" 
+ status: "Success" + status_id: 1 + time: 1740720945670 + user: + name: "user_u" + pid: 11107 + post_msg_kv: "" + pre_msg_kv: "" + privileges: + - "staff_r" + ses: 21 + status: "ok" + subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" + target_user_name: "user_u" + timestamp: 1.74072094567E12 + type: "ROLE_ASSIGN" + usr: + id: 0 + name: "root" + message: "type=ROLE_ASSIGN msg=audit(1740720945.670:879): pid=11107 uid=0 auid=1001 ses=21 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser-role,range id=0 old-seuser=user_u old-role=user_r old-range=s0 new-seuser=user_u new-role=staff_r new-range=? exe=/sbin/semanage hostname=localhost addr=? terminal=pts/0 res=success'\x1dUID=\"root\" AUID=\"serviceuser\" ID=\"root\"" + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740720945670 + - + sample: "type=ROLE_REMOVE msg=audit(1740130059.788:1002): pid=49119 uid=0 auid=1001 ses=17 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser id=0 old-seuser=test1 old-role=user_r old-range=s0 new-seuser=? new-role=? new-range=? exe=/sbin/semanage hostname=localhost addr=? terminal=pts/0 res=success'\x1dUID=\"root\" AUID=\"devuser\" ID=\"root\"" + result: + custom: + AUID: "devuser" + ID: "root" + auid: 1001 + event_id: 1002 + msg: + exe: "/sbin/semanage" + hostname: "localhost" + id: 0 + new-range: "?" + new-role: "?" + new-seuser: "?" + old-range: "s0" + old-role: "user_r" + old-seuser: "test1" + op: + - "seuser" + res: "success" + terminal: "pts/0" + msg_raw: "" + network: + client: + geoip: + invalidAddress: "?" + ip: "?" 
+ ocsf: + activity_id: 2 + activity_name: "Revoke Privileges" + actor: + process: + path: "/sbin/semanage" + pid: 49119 + user: + name: "root" + uid: "0" + session: + terminal: "pts/0" + uid: "17" + user: + name: "devuser" + uid: "1001" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "User Access Management" + class_uid: 3005 + metadata: + event_code: "ROLE_REMOVE" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + privileges: + - "user_r" + severity: "Informational" + severity_id: 1 + src_endpoint: + hostname: "localhost" + ip: "?" + status: "Success" + status_id: 1 + time: 1740130059788 + user: + name: "test1" + pid: 49119 + post_msg_kv: "" + pre_msg_kv: "" + privileges: + - "user_r" + ses: 17 + status: "ok" + subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" + target_user_name: "test1" + timestamp: 1.740130059788E12 + type: "ROLE_REMOVE" + usr: + id: 0 + name: "root" + message: "type=ROLE_REMOVE msg=audit(1740130059.788:1002): pid=49119 uid=0 auid=1001 ses=17 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser id=0 old-seuser=test1 old-role=user_r old-range=s0 new-seuser=? new-role=? new-range=? exe=/sbin/semanage hostname=localhost addr=? 
terminal=pts/0 res=success'\x1dUID=\"root\" AUID=\"devuser\" ID=\"root\"" + status: "ok" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740130059788 + - + sample: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/etc/shadow\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + result: + custom: + OGID: "root" + cap_fe: 0 + cap_fi: 0 + cap_fp: 0 + cap_frootid: 0 + cap_fver: 0 + dev: "fd:03" + event_id: 2247 + file_name: "shadow" + inode: 50314523 + item: 0 + mode: 100000 + msg_raw: "" + name: "/etc/shadow" + nametype: "NORMAL" + obj: "system_u:object_r:shadow_t:s0" + ocsf: + activity_id: 2 + activity_name: "Read" + actor: + user: + name: "root" + uid: "0" + category_name: "System Activity" + category_uid: 1 + class_name: "File System Activity" + class_uid: 1001 + device: + type: "Unknown" + type_id: 0 + uid: "fd:03" + file: + name: "shadow" + path: "/etc/shadow" + type: "Regular File" + type_id: 1 + metadata: + event_code: "PATH" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1740378301873 + ogid: 0 + post_msg_kv: "" + pre_msg_kv: "" + rdev: "00:00" + timestamp: 1.740378301873E12 + type: "PATH" + usr: + id: 0 + name: "root" + message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/etc/shadow\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740378301873 + - + sample: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/x86_64-linux-gnu/libcrypt.so.1\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + result: + custom: + OGID: "root" + cap_fe: 0 + cap_fi: 0 + cap_fp: 0 + cap_frootid: 0 + cap_fver: 0 + dev: "fd:03" + event_id: 2247 + file_name: "libcrypt.so.1" + inode: 50314523 + item: 0 + mode: 100000 + msg_raw: "" + name: "/lib/x86_64-linux-gnu/libcrypt.so.1" + nametype: "DELETE" + obj: "system_u:object_r:shadow_t:s0" + ocsf: + activity_id: 4 + activity_name: "Delete" + actor: + user: + name: "root" + uid: "0" + category_name: "System Activity" + category_uid: 1 + class_name: "File System Activity" + class_uid: 1001 + device: + type: "Unknown" + type_id: 0 + uid: "fd:03" + file: + ext: "so" + name: "libcrypt.so.1" + path: "/lib/x86_64-linux-gnu/libcrypt.so.1" + type: "Regular File" + type_id: 1 + metadata: + event_code: "PATH" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1740378301873 + ogid: 0 + post_msg_kv: "" + pre_msg_kv: "" + rdev: "00:00" + timestamp: 1.740378301873E12 + type: "PATH" + usr: + id: 0 + name: "root" + message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/x86_64-linux-gnu/libcrypt.so.1\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740378301873 + - + sample: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + result: + custom: + OGID: "root" + cap_fe: 0 + cap_fi: 0 + cap_fp: 0 + cap_frootid: 0 + cap_fver: 0 + dev: "fd:03" + event_id: 2247 + folder_name: "lib" + inode: 50314523 + item: 0 + mode: 100000 + msg_raw: "" + name: "/lib/" + nametype: "PARENT" + obj: "system_u:object_r:shadow_t:s0" + 
ocsf: + activity_id: 2 + activity_name: "Read" + actor: + user: + name: "root" + uid: "0" + category_name: "System Activity" + category_uid: 1 + class_name: "File System Activity" + class_uid: 1001 + device: + type: "Unknown" + type_id: 0 + uid: "fd:03" + file: + name: "lib" + path: "/lib/" + type: "Folder" + type_id: 2 + metadata: + event_code: "PATH" + product: + name: "Linux Audit" + vendor_name: "Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1740378301873 + ogid: 0 + post_msg_kv: "" + pre_msg_kv: "" + rdev: "00:00" + timestamp: 1.740378301873E12 + type: "PATH" + usr: + id: 0 + name: "root" + message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740378301873 + - + sample: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/run/nginx.pid\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + result: + custom: + OGID: "root" + cap_fe: 0 + cap_fi: 0 + cap_fp: 0 + cap_frootid: 0 + cap_fver: 0 + dev: "fd:03" + event_id: 2247 + file_name: "nginx.pid" + inode: 50314523 + item: 0 + mode: 100000 + msg_raw: "" + name: "/run/nginx.pid" + nametype: "CREATE" + obj: "system_u:object_r:shadow_t:s0" + ocsf: + activity_id: 1 + activity_name: "Create" + actor: + user: + name: "root" + uid: "0" + category_name: "System Activity" + category_uid: 1 + class_name: "File System Activity" + class_uid: 1001 + device: + type: "Unknown" + type_id: 0 + uid: "fd:03" + file: + ext: "pid" + name: "nginx.pid" + path: "/run/nginx.pid" + type: "Regular File" + type_id: 1 + metadata: + event_code: "PATH" + product: + name: "Linux Audit" + vendor_name: 
"Linux" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1740378301873 + ogid: 0 + post_msg_kv: "" + pre_msg_kv: "" + rdev: "00:00" + timestamp: 1.740378301873E12 + type: "PATH" + usr: + id: 0 + name: "root" + message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/run/nginx.pid\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + tags: + - "source:LOGS_SOURCE" + timestamp: 1740378301873 \ No newline at end of file