Log Types: LinuxKAudit
Overview
Prior to the integration of an in-kernel audit subsystem into the GNU/Linux operating system, the Snare for Linux agent included a Linux loadable kernel module, which monitored key system calls and pushed the resulting event data to userspace.
More modern versions of the Snare for Linux agents now integrate into the updated audit logging capability, and the older snare kernel module has been deprecated. Logs from the updated audit subsystem have been allocated the LinuxKAudit log type, to differentiate them from the original LinuxAudit category.
The Linux audit subsystem generates token-based events, with tabs separating content associated with each token.
Collection
Snare for Linux will generate LinuxKAudit log data by integrating into the audit subsystem available within the Linux kernel.
Sample Events
Snare for Linux will prefix every event with a hostname, a log type and a criticality. An example event log, after being processed by the Snare Server collection filters, follows (note that this processed example carries the older LinuxAudit log type):
2015-09-13 20:30:01 VMSLED10SP2X32 LinuxAudit 872072 execve unknown root root root /usr/bin/find 0 1 null exe,/usr/bin/find success,yes return,0 syscall,11,execve uid,unknown euid,root gid,root egid,root arch, name,null a0,80cdef8 a1,80cf498 a2,80cc640 a3,0 items,2 ppid,5640 pid,5660 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none comm,find key,obj-1-0 a0,find a1,/var/spool/cron/lastrun a2,-type a3,f cwd,/root item,0 inode,21131 dev,08:02 mode,0100755 ouid,0 ogid,0 rdev,00:00 item,1 inode,13606 dev,08:02 mode,0100755 ouid,0 ogid,0 rdev,00:00 snareseq,457765 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/usr/bin/find
A raw log prior to processing looks like this:
VMubuntu1404x64 LinuxKAudit 0 event,execve,2015-09-14 01:25:01 sequence,1261327 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/bin/dash return,0,yes name,/lib64/ld-linux-x86-64.so.2. exe,/bin/dash success,yes return,0 syscall,59,execve uid,unknown euid,root gid,root egid,root arch, name,/lib64/ld-linux-x86-64.so.2 a0,7f5738bd62a0 a1,7f5738bd6240 a2,7f5738bd6260 a3,7f57387e4a10 items,3 ppid,13839 pid,13840 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none ses,4294967295 comm,debian-sa1 key,obj-1-0 argc,4 a0,/bin/sh a1,/usr/lib/sysstat/debian-sa1 a2,1 a3,1 cwd,/root item,0 inode,823041 dev,fc:00 mode,0100755 ouid,0 ogid,0 rdev,00:00 nametype,NORMAL item,1 inode,393236 dev,fc:00 mode,0100755 ouid,0 ogid,0 rdev,00:00 nametype,NORMAL item,2 inode,1048930 dev,fc:00 mode,0100755 ouid,0 ogid,0 rdev,00:00 nametype,NORMAL snareseq,304838
Two further examples:
VMubuntu1404x64 LinuxKAudit 0 event,logout,2015-09-14 01:25:01 sequence,1261329 uid,-1,root euid,, gid,, egid,, process,,/usr/sbin/cron return,0,yes name, exe,/usr/sbin/cron success,yes return,0 syscall,,logout uid,root euid , gid, egid, arch, name, pid,13838 uid,0 ses,4294967295 msg,PAM:session_close hostname,? addr,? comm,cron snareseq,304840
VMubuntu1404x64 LinuxKAudit 0 event,setuid,2015-09-14 01:25:01 sequence,1261325 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/usr/sbin/cron return,0,yes. name, exe,/usr/sbin/cron success,yes return,0 syscall,105,setuid uid,unknown euid,root gid,root egid,root arch, name, a0,0 a1,0 a2,7f392f55f330 a3,7f392f55f330 items,0 ppid,13838 pid,13839 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none ses,4294967295 comm,cron key,obj-3-4 snareseq,304836
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | LinuxKAudit |
EVENTCOUNT | Internal event sequence number |
EVENTID | A description of the event, e.g. open(O_RDONLY) |
RUID | Real User ID assigned at login |
RGID | Real Group ID assigned at login |
EUID | Effective User ID |
EGID | Effective Group ID |
PROCESS | Process name |
RETURNCODE | Return Code |
SUCCESS | An indication of whether the event succeeded or failed |
TARGET | For some events, file or application targets will be placed into this field |
STRINGS | Other event content that has not been integrated into other fields |
Notes
As highlighted in the sample logs above, field order and field count are not guaranteed across events, so a parser must locate tokens by key rather than by position.
For example, the parent process ID (ppid) can be found in the execve event but not in the logout event. The session token 'ses' appears after 'tty' and before 'comm' in the execve and setuid events, but sits between 'uid' and 'msg' in the logout event.
Key tokens that are generally found in a significant quantity of LinuxKAudit event logs include:
event (eventid, date/time)
uid (ruid, real user name)
auid (auid, audit username)
euid (euid, effective username)
gid (gid, group name)
egid (egid, effective group name)
process (pid, process name)
success (return code, success/failure)
return (return code, success/failure)
exe (process)
NOTE that the Linux audit subsystem will sometimes emit " exe" (with a space before the token), so token keys should be trimmed before matching.
name (target)
sequence (sequence number)
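The following parser is an added example (not Snare's own code) that applies the Notes above: it tokenizes a raw LinuxKAudit line by key rather than by position, keeps repeated keys such as uid as an ordered list, tolerates the " exe" leading space, and maps the key tokens listed above onto the Fields table. The sample lines are constructed by adapting the page's setuid and logout events with the tabs restored between tokens; the function names, the UNSET_ID constant and the choice to render 4294967295 (the kernel's unsigned representation of an unset uid, auid or session id, i.e. (unsigned)-1) as "-1" are this example's own assumptions.

```python
"""Parse Snare for Linux LinuxKAudit event lines into the documented fields.

Each line is: hostname, logtype, criticality, then "key,value[,value...]"
tokens, all tab-separated. Field order and count vary per event, keys repeat
(uid appears several times), and the kernel sometimes emits " exe" with a
leading space, so nothing here relies on token position.
"""

# Constructed sample lines, adapted from the page's setuid and logout
# examples, with tabs restored between tokens.
SAMPLES = [
    "VMubuntu1404x64\tLinuxKAudit\t0\tevent,setuid,2015-09-14 01:25:01\tsequence,1261325\t"
    "uid,4294967295,unknown\teuid,0,root\tgid,0,root\tegid,0,root\tprocess,,/usr/sbin/cron\t"
    "return,0,yes\tname,\t exe,/usr/sbin/cron\tsuccess,yes\treturn,0\tsyscall,105,setuid\t"
    "uid,unknown\teuid,root\tgid,root\tegid,root\tarch,\tname,\ta0,0\ta1,0\t"
    "a2,7f392f55f330\ta3,7f392f55f330\titems,0\tppid,13838\tpid,13839\tuid,0\tsuid,0\t"
    "fsuid,0\tsgid,0\tfsgid,0\ttty,none\tses,4294967295\tcomm,cron\tkey,obj-3-4\tsnareseq,304836",
    "VMubuntu1404x64\tLinuxKAudit\t0\tevent,logout,2015-09-14 01:25:01\tsequence,1261329\t"
    "uid,-1,root\teuid,,\tgid,,\tegid,,\tprocess,,/usr/sbin/cron\treturn,0,yes\tname,\t"
    "exe,/usr/sbin/cron\tsuccess,yes\treturn,0\tsyscall,,logout\tuid,root\teuid ,\tgid,\tegid,\t"
    "arch,\tname,\tpid,13838\tuid,0\tses,4294967295\tmsg,PAM:session_close\thostname,?\t"
    "addr,?\tcomm,cron\tsnareseq,304840",
]

# Assumption: the kernel reports an unset uid/auid/ses as (unsigned)-1.
UNSET_ID = "4294967295"

# Keys consumed by normalize(); everything else is re-joined into STRINGS.
MAPPED_KEYS = {"event", "sequence", "uid", "gid", "euid", "egid", "process",
               "return", "success", "exe", "name", "snareseq"}


def tokenize(line):
    """Split a line into (system, table, criticality, tokens).

    tokens maps each trimmed key to the list of value-lists seen for it, in
    order of appearance, so repeated keys are preserved rather than clobbered.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3:
        raise ValueError("not a Snare event line: %r" % line)
    system, table, criticality = parts[0], parts[1], parts[2]
    tokens = {}                    # dicts keep insertion order (Python 3.7+)
    for raw in parts[3:]:
        if not raw.strip():
            continue
        key, _, rest = raw.partition(",")
        key = key.strip()          # handles " exe" and the stray "euid ," form
        values = rest.split(",")   # "uid,4294967295,unknown" -> ["4294967295", "unknown"]
        tokens.setdefault(key, []).append(values)
    return system, table, criticality, tokens


def first(tokens, key, index=0):
    """Return element `index` of the first occurrence of `key`, or '' if absent."""
    occurrences = tokens.get(key)
    if not occurrences or index >= len(occurrences[0]):
        return ""
    return occurrences[0][index]


def normalize_id(value):
    """Render the unset marker consistently; Snare itself shows it as -1 in some events."""
    return "-1" if value == UNSET_ID else value


def normalize(line):
    """Map one raw line onto the page's Fields table (DATE ... STRINGS).

    Per the Notes: event carries EVENTID and the date/time; uid/gid/euid/egid
    carry the numeric id then the name; process carries pid then process name
    (exe is the fallback); return/success carry the return code and outcome;
    name is the TARGET. The prefix criticality is not part of the table and is
    dropped here.
    """
    system, table, _criticality, tokens = tokenize(line)
    date, _, time = first(tokens, "event", 1).partition(" ")
    process = first(tokens, "process", 1) or first(tokens, "exe")
    leftovers = ["%s,%s" % (key, ",".join(values))
                 for key, occurrences in tokens.items() if key not in MAPPED_KEYS
                 for values in occurrences]
    return {
        "DATE": date,
        "TIME": time,
        "SYSTEM": system,
        "TABLE": table,
        "EVENTCOUNT": first(tokens, "sequence"),
        "EVENTID": first(tokens, "event"),
        "RUID": normalize_id(first(tokens, "uid")),
        "RGID": normalize_id(first(tokens, "gid")),
        "EUID": normalize_id(first(tokens, "euid")),
        "EGID": normalize_id(first(tokens, "egid")),
        "PROCESS": process,
        "RETURNCODE": first(tokens, "return"),
        "SUCCESS": first(tokens, "return", 1) or first(tokens, "success"),
        "TARGET": first(tokens, "name"),
        "STRINGS": "\t".join(leftovers),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        record = normalize(sample)
        print(record["EVENTID"], record["RUID"], record["PROCESS"], record["SUCCESS"])
```

Because lookups go through `first(tokens, key)`, the ppid that exists only in the setuid event simply comes back empty for the logout event, and `ses` is found in both despite sitting at a different position in each; the three uid occurrences in a single event remain available as `tokens["uid"]` for anyone who needs the kernel's raw numeric uid as well as Snare's resolved pair.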