[BUG] auditd_manager file.mode does not capture the correct file mode #137
Original data, for reference: I added the preserve_original_event option. So here's me running the command "dash -p" using a non-SUID binary, which is also indicated by the suid=1005 within the original message:
```
{
"_index": ".ds-logs-auditd_manager.auditd-default-2023.05.24-000001",
"_id": "ZycqtYgB1fhN-eteZO5K",
"_version": 1,
"_score": 0,
"_source": {
"agent": {
"name": "",
"id": "",
"ephemeral_id": "",
"type": "auditbeat",
"version": "8.8.0"
},
"process": {
"args": [
"dash",
"-p"
],
"parent": {
"pid": 2380071
},
"name": "dash",
"pid": 2380458,
"title": "dash -p",
"executable": "/usr/bin/dash"
},
"elastic_agent": {
"id": "b3cfb28b-925f-460e-b025-9bee61092a5e",
"version": "8.8.0",
"snapshot": false
},
"auditd": {
"result": "success",
"summary": {
"actor": {
"secondary": "1005",
"primary": "1005"
},
"how": "/usr/bin/dash",
"object": {
"type": "file",
"primary": "/usr/bin/dash"
}
},
"data": {
"argc": 2,
"a1": "55d85d70a000",
"syscall": "execve",
"a2": "55d85d720450",
"exit": "0",
"a3": "8",
"tty": "pts0",
"arch": "x86_64",
"a0": "55d85d60bc10"
},
"session": "1456",
"paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"mode": "0100755",
"cap_fver": "0",
"inode": "1593",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/bin/dash"
},
{
"item": "1",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"cap_fver": "0",
"inode": "4382",
"mode": "0100755",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/lib64/ld-linux-x86-64.so.2"
}
],
"messages": [
"type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
"type=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"",
"type=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
],
"message_type": "syscall",
"user": {
"saved": {
"id": "1005",
"group": {
"id": "1006"
}
},
"audit": {
"id": "1005"
},
"selinux": {
"user": "unconfined"
},
"filesystem": {
"id": "1005",
"group": {
"id": "1006"
}
}
}
},
"tags": [
"susp_shell",
"preserve_original_event",
"auditd_manager-auditd"
],
"cloud": {
"availability_zone": "europe-west4-a",
"instance": {
"name": "",
"id": ""
},
"provider": "gcp",
"machine": {
"type": "e2-standard-4"
},
"service": {
"name": "GCE"
},
"project": {
"id": ""
},
"region": "europe-west4",
"account": {
"id": ""
}
},
"@timestamp": "2023-06-13T14:30:33.304Z",
"file": {
"inode": "1593",
"mode": "0755",
"uid": "0",
"path": "/usr/bin/dash",
"gid": "0",
"device": "00:00"
},
"ecs": {
"version": "8.8.0"
},
"service": {
"type": "auditd"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "auditd_manager.auditd"
},
"host": {
"hostname": "",
"os": {
"kernel": "5.15.0-1034-gcp",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.6 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
],
"name": "",
"id": "",
"mac": [
],
"architecture": "x86_64"
},
"event": {
"agent_id_status": "verified",
"sequence": 28864261,
"ingested": "2023-06-13T14:30:34Z",
"original": "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70",
"kind": "event",
"module": "auditd",
"action": "executed",
"type": [
"start"
],
"category": [
"process"
],
"dataset": "auditd_manager.auditd",
"outcome": "success"
},
"user": {
"id": "1005",
"group": {
"id": "1006"
}
}
},
"fields": {
"file.mode": [
"0755"
],
"file.path": [
"/usr/bin/dash"
],
"elastic_agent.version": [
"8.8.0"
],
"event.category": [
"process"
],
"process.name.text": [
"dash"
],
"auditd.user.saved.id": [
"1005"
],
"process.parent.pid": [
2380071
],
"host.hostname": [
""
],
"auditd.message_type": [
"syscall"
],
"process.pid": [
2380458
],
"host.mac": [
],
"cloud.availability_zone": [
"europe-west4-a"
],
"process.title.text": [
"dash -p"
],
"auditd.data.exit": [
"0"
],
"service.type": [
"auditd"
],
"auditd.user.audit.id": [
"1005"
],
"host.os.version": [
"20.04.6 LTS (Focal Fossa)"
],
"host.os.name": [
"Ubuntu"
],
"agent.name": [
""
],
"host.name": [
""
],
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"event.outcome": [
"success"
],
"auditd.data.tty": [
"pts0"
],
"file.path.text": [
"/usr/bin/dash"
],
"event.original": [
"type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
],
"cloud.region": [
"europe-west4"
],
"user.id": [
"1005"
],
"host.os.type": [
"linux"
],
"auditd.user.selinux.user": [
"unconfined"
],
"auditd.data.a2": [
"55d85d720450"
],
"auditd.data.a3": [
"8"
],
"auditd.messages": [
"type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
"type=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"",
"type=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70"
],
"data_stream.type": [
"logs"
],
"auditd.result": [
"success"
],
"tags": [
"susp_shell",
"preserve_original_event",
"auditd_manager-auditd"
],
"host.architecture": [
"x86_64"
],
"process.name": [
"dash"
],
"cloud.machine.type": [
"e2-standard-4"
],
"cloud.provider": [
"gcp"
],
"cloud.service.name": [
"GCE"
],
"agent.id": [
"b3cfb28b-925f-460e-b025-9bee61092a5e"
],
"auditd.data.a0": [
"55d85d60bc10"
],
"file.device": [
"00:00"
],
"auditd.summary.object.primary": [
"/usr/bin/dash"
],
"auditd.data.a1": [
"55d85d70a000"
],
"ecs.version": [
"8.8.0"
],
"host.containerized": [
false
],
"auditd.summary.actor.primary": [
"1005"
],
"agent.version": [
"8.8.0"
],
"user.group.id": [
"1006"
],
"process.title": [
"dash -p"
],
"host.os.family": [
"debian"
],
"auditd.data.arch": [
"x86_64"
],
"file.gid": [
"0"
],
"auditd.user.saved.group.id": [
"1006"
],
"file.uid": [
"0"
],
"auditd.user.filesystem.id": [
"1005"
],
"auditd.paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"mode": "0100755",
"cap_fver": "0",
"inode": "1593",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/bin/dash"
},
{
"item": "1",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"cap_fver": "0",
"inode": "4382",
"mode": "0100755",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/lib64/ld-linux-x86-64.so.2"
}
],
"cloud.instance.id": [
""
],
"event.sequence": [
28864261
],
"host.ip": [
"10.164.0.7",
"fe80::4001:aff:fea4:7",
"172.17.0.1",
"172.18.0.1"
],
"agent.type": [
"auditbeat"
],
"process.executable.text": [
"/usr/bin/dash"
],
"auditd.summary.how": [
"/usr/bin/dash"
],
"event.module": [
"auditd"
],
"host.os.kernel": [
"5.15.0-1034-gcp"
],
"file.inode": [
"1593"
],
"elastic_agent.snapshot": [
false
],
"auditd.data.argc": [
2
],
"host.id": [
"212700a348f6f2c886f0f22bfcd692fa"
],
"process.executable": [
"/usr/bin/dash"
],
"auditd.summary.object.type": [
"file"
],
"elastic_agent.id": [
"b3cfb28b-925f-460e-b025-9bee61092a5e"
],
"data_stream.namespace": [
"default"
],
"host.os.codename": [
"focal"
],
"process.args": [
"dash",
"-p"
],
"auditd.data.syscall": [
"execve"
],
"auditd.summary.actor.secondary": [
"1005"
],
"event.action": [
"executed"
],
"event.ingested": [
"2023-06-13T14:30:34.000Z"
],
"@timestamp": [
"2023-06-13T14:30:33.304Z"
],
"host.os.platform": [
"ubuntu"
],
"cloud.account.id": [
""
],
"event.type": [
"start"
],
"auditd.user.filesystem.group.id": [
"1006"
],
"data_stream.dataset": [
"auditd_manager.auditd"
],
"auditd.session": [
"1456"
],
"agent.ephemeral_id": [
"40451141-402f-436a-bb40-fae58389a104"
],
"event.dataset": [
"auditd_manager.auditd"
],
"cloud.instance.name": [
""
],
"cloud.project.id": [
""
]
}
}
```
And here is the document when running dash -p with SUID enabled; you can also see that suid is set to 0 (root), with a mode of 6755 in the original message:
```
{
"_index": ".ds-logs-auditd_manager.auditd-default-2023.05.24-000001",
"_id": "iycptYgB1fhN-eteIsWZ",
"_version": 1,
"_score": 0,
"_source": {
"process": {
"args": [
"dash",
"-p"
],
"parent": {
"pid": 2380071
},
"name": "dash",
"pid": 2380168,
"title": "dash -p",
"executable": "/usr/bin/dash"
},
"agent": {
"name": "",
"id": "",
"ephemeral_id": "",
"type": "auditbeat",
"version": "8.8.0"
},
"elastic_agent": {
"id": "b3cfb28b-925f-460e-b025-9bee61092a5e",
"version": "8.8.0",
"snapshot": false
},
"auditd": {
"summary": {
"actor": {
"secondary": "1005",
"primary": "1005"
},
"how": "/usr/bin/dash",
"object": {
"type": "file",
"primary": "/usr/bin/dash"
}
},
"result": "success",
"data": {
"argc": 2,
"a1": "55d85d69c970",
"a2": "55d85d720450",
"syscall": "execve",
"exit": "0",
"a3": "8",
"tty": "pts0",
"arch": "x86_64",
"a0": "55d85d6719d0"
},
"session": "1456",
"paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"inode": "1593",
"mode": "0106755",
"cap_fver": "0",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/bin/dash"
},
{
"item": "1",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"cap_fver": "0",
"inode": "4382",
"mode": "0100755",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/lib64/ld-linux-x86-64.so.2"
}
],
"messages": [
"type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
"type=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"",
"type=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
],
"message_type": "syscall",
"user": {
"saved": {
"id": "0",
"group": {
"id": "0"
}
},
"audit": {
"id": "1005"
},
"selinux": {
"user": "unconfined"
},
"filesystem": {
"id": "0",
"group": {
"id": "0"
}
}
}
},
"tags": [
"susp_shell",
"preserve_original_event",
"auditd_manager-auditd"
],
"cloud": {
"availability_zone": "europe-west4-a",
"instance": {
"name": "",
"id": ""
},
"provider": "gcp",
"service": {
"name": "GCE"
},
"machine": {
"type": "e2-standard-4"
},
"project": {
"id": "elastic-security-research"
},
"region": "europe-west4",
"account": {
"id": ""
}
},
"@timestamp": "2023-06-13T14:29:11.525Z",
"file": {
"inode": "1593",
"mode": "0755",
"uid": "0",
"path": "/usr/bin/dash",
"gid": "0",
"device": "00:00"
},
"ecs": {
"version": "8.8.0"
},
"service": {
"type": "auditd"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "auditd_manager.auditd"
},
"host": {
"hostname": "",
"os": {
"kernel": "5.15.0-1034-gcp",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.6 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false
},
"event": {
"agent_id_status": "verified",
"sequence": 28860764,
"ingested": "2023-06-13T14:29:11Z",
"original": "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70",
"kind": "event",
"module": "auditd",
"action": "executed",
"type": [
"start"
],
"category": [
"process"
],
"dataset": "auditd_manager.auditd",
"outcome": "success"
},
"user": {
"effective": {
"id": "0",
"group": {
"id": "0"
}
},
"id": "1005",
"group": {
"id": "1006"
}
}
},
"fields": {
"file.mode": [
"0755"
],
"file.path": [
"/usr/bin/dash"
],
"elastic_agent.version": [
"8.8.0"
],
"event.category": [
"process"
],
"process.name.text": [
"dash"
],
"auditd.user.saved.id": [
"0"
],
"process.parent.pid": [
2380071
],
"auditd.message_type": [
"syscall"
],
"process.pid": [
2380168
],
"host.mac": [
"02-42-19-91-5B-16",
"02-42-65-CE-47-9F",
"42-01-0A-A4-00-07"
],
"cloud.availability_zone": [
"europe-west4-a"
],
"process.title.text": [
"dash -p"
],
"auditd.data.exit": [
"0"
],
"service.type": [
"auditd"
],
"auditd.user.audit.id": [
"1005"
],
"host.os.version": [
"20.04.6 LTS (Focal Fossa)"
],
"host.os.name": [
"Ubuntu"
],
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"event.outcome": [
"success"
],
"auditd.data.tty": [
"pts0"
],
"file.path.text": [
"/usr/bin/dash"
],
"event.original": [
"type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
],
"cloud.region": [
"europe-west4"
],
"user.id": [
"1005"
],
"host.os.type": [
"linux"
],
"auditd.user.selinux.user": [
"unconfined"
],
"auditd.data.a2": [
"55d85d720450"
],
"auditd.data.a3": [
"8"
],
"auditd.messages": [
"type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"",
"type=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"",
"type=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
"type=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70"
],
"data_stream.type": [
"logs"
],
"auditd.result": [
"success"
],
"tags": [
"susp_shell",
"preserve_original_event",
"auditd_manager-auditd"
],
"host.architecture": [
"x86_64"
],
"process.name": [
"dash"
],
"cloud.machine.type": [
"e2-standard-4"
],
"cloud.provider": [
"gcp"
],
"cloud.service.name": [
"GCE"
],
"agent.id": [
"b3cfb28b-925f-460e-b025-9bee61092a5e"
],
"auditd.data.a0": [
"55d85d6719d0"
],
"file.device": [
"00:00"
],
"auditd.summary.object.primary": [
"/usr/bin/dash"
],
"auditd.data.a1": [
"55d85d69c970"
],
"ecs.version": [
"8.8.0"
],
"host.containerized": [
false
],
"auditd.summary.actor.primary": [
"1005"
],
"agent.version": [
"8.8.0"
],
"user.group.id": [
"1006"
],
"process.title": [
"dash -p"
],
"host.os.family": [
"debian"
],
"user.effective.group.id": [
"0"
],
"auditd.data.arch": [
"x86_64"
],
"file.gid": [
"0"
],
"user.effective.id": [
"0"
],
"auditd.user.saved.group.id": [
"0"
],
"file.uid": [
"0"
],
"auditd.user.filesystem.id": [
"0"
],
"auditd.paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"inode": "1593",
"mode": "0106755",
"cap_fver": "0",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/bin/dash"
},
{
"item": "1",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0",
"cap_fp": "0",
"cap_frootid": "0",
"cap_fver": "0",
"inode": "4382",
"mode": "0100755",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/lib64/ld-linux-x86-64.so.2"
}
],
"cloud.instance.id": [
"5819226346140730406"
],
"event.sequence": [
28860764
],
"agent.type": [
"auditbeat"
],
"process.executable.text": [
"/usr/bin/dash"
],
"auditd.summary.how": [
"/usr/bin/dash"
],
"event.module": [
"auditd"
],
"host.os.kernel": [
"5.15.0-1034-gcp"
],
"file.inode": [
"1593"
],
"elastic_agent.snapshot": [
false
],
"auditd.data.argc": [
2
],
"host.id": [
"212700a348f6f2c886f0f22bfcd692fa"
],
"process.executable": [
"/usr/bin/dash"
],
"auditd.summary.object.type": [
"file"
],
"elastic_agent.id": [
"b3cfb28b-925f-460e-b025-9bee61092a5e"
],
"data_stream.namespace": [
"default"
],
"host.os.codename": [
"focal"
],
"process.args": [
"dash",
"-p"
],
"auditd.data.syscall": [
"execve"
],
"auditd.summary.actor.secondary": [
"1005"
],
"event.action": [
"executed"
],
"event.ingested": [
"2023-06-13T14:29:11.000Z"
],
"@timestamp": [
"2023-06-13T14:29:11.525Z"
],
"host.os.platform": [
"ubuntu"
],
"cloud.account.id": [
"elastic-security-research"
],
"event.type": [
"start"
],
"auditd.user.filesystem.group.id": [
"0"
]
}
}
```
andrewkroh added a commit to andrewkroh/go-libaudit that referenced this issue on Aug 10, 2023:

The file.mode field was only including the permission bits. This expands the mask to include the SUID, SGID, and sticky bits. Fixes elastic#137

PR: #138

andrewkroh added a commit that referenced this issue on Aug 10, 2023:

The file.mode field was only including the permission bits. This expands the mask to include the SUID, SGID, and sticky bits. Fixes #137
Issue

I opened this issue earlier at #integrations, so more context on this issue can be found in issue #6525. The issue includes test data and additional research. I got asked to open this issue here.

The issue:

I am working on a detection rule to detect the execution of SUID binaries, for which I wanted to use the auditd_manager file.mode field. I have one document with a SUID bit set, showing the following auditd.paths:

The document above with a mode of 2770 displays a mode of 0770 in the file.mode field, which would indicate a non-SUID binary. And I have another document that does not have a SUID bit set, showing the following auditd.paths:

This document with a mode of 0755 displays a mode of 0755 in the file.mode field, which would also indicate a non-SUID binary. The actual auditd.paths flattened object does have the correct value in there, so I think it should be possible to have the file.mode field display the correct file mode. It does seem to capture it correctly in both the original message and the auditd.paths. It would also be an option to add the suid, fsuid, sgid and fsgid fields.
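To make the masking problem described in this issue and in the documents above concrete, here is an added Go example. It is not go-libaudit's code and was written for this page, not taken from the project: it parses an auditd PATH record, renders file.mode once with a permission-only mask (0777) and once with a mask that also keeps the setuid, setgid and sticky bits (07777), and reports whether the binary is setuid or setgid. The first two sample records are the item=0 PATH lines from the two documents above; the third record, its path, the function and type names, and the exact mask values are assumptions made for illustration (the commit message only says the mask was widened to include SUID, SGID and sticky bits).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Bits of a Linux st_mode value (see inode(7)). An auditd PATH record prints
// the complete st_mode in octal, e.g. mode=0106755 for a setuid regular file.
// The masks below are assumed for this example, not copied from the fix.
const (
	modePermMask = 0777  // rwx bits only: what the pre-fix file.mode kept
	modeFullMask = 07777 // rwx plus setuid, setgid and sticky bits
	modeSetuid   = 04000
	modeSetgid   = 02000
)

// Verdict is what a "SUID binary executed" rule would see for one PATH record.
type Verdict struct {
	Name       string
	OldMode    string // file.mode rendered with the 0777 mask (bug reproduced)
	NewMode    string // file.mode rendered with the 07777 mask (bug fixed)
	Privileged bool   // setuid or setgid present in the full st_mode
}

// parsePathRecord splits one auditd PATH record into its key=value fields.
// Quoted values such as name="/usr/bin/dash" are returned without the quotes.
func parsePathRecord(record string) map[string]string {
	fields := make(map[string]string)
	for _, tok := range strings.Fields(record) {
		kv := strings.SplitN(tok, "=", 2)
		if len(kv) != 2 {
			continue
		}
		fields[kv[0]] = strings.Trim(kv[1], `"`)
	}
	return fields
}

// fileMode renders st_mode the way the ECS file.mode field does, as a
// four-digit octal string, keeping only the bits selected by mask.
func fileMode(stMode uint32, mask uint32) string {
	return fmt.Sprintf("%04o", stMode&mask)
}

// analyze parses the record and renders file.mode both ways so the dropped
// bits are visible side by side; it fails on a missing or non-octal mode.
func analyze(record string) (Verdict, error) {
	f := parsePathRecord(record)
	m, err := strconv.ParseUint(f["mode"], 8, 32)
	if err != nil {
		return Verdict{}, fmt.Errorf("PATH record has no usable mode (%q): %w", f["mode"], err)
	}
	st := uint32(m)
	return Verdict{
		Name:       f["name"],
		OldMode:    fileMode(st, modePermMask),
		NewMode:    fileMode(st, modeFullMask),
		Privileged: st&(modeSetuid|modeSetgid) != 0,
	}, nil
}

// sampleRecords: the first two are the item=0 PATH lines from the issue's own
// documents; the third is constructed here to match the 2770 case the reporter
// describes, on a hypothetical path.
var sampleRecords = []string{
	`type=PATH msg=audit(1686666633.304:28864261): item=0 name="/usr/bin/dash" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0`,
	`type=PATH msg=audit(1686666551.525:28860764): item=0 name="/usr/bin/dash" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0`,
	`type=PATH msg=audit(1686666000.000:1): item=0 name="/opt/example/sgid-tool" inode=42 dev=08:01 mode=0102770 ouid=0 ogid=1006 rdev=00:00 nametype=NORMAL`,
}

func main() {
	for _, r := range sampleRecords {
		v, err := analyze(r)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		fmt.Printf("%-24s old file.mode=%s  fixed file.mode=%s  setuid/setgid=%t\n",
			v.Name, v.OldMode, v.NewMode, v.Privileged)
	}
}
```

Run it and the SUID document renders as 0755 under the permission-only mask but 6755 under the widened one, which is why a rule keyed on file.mode alone could not tell the two dash executions apart. Until the fix is deployed, a rule can read the untouched auditd.paths.mode value instead, or key on user.effective.id and auditd.user.saved.id differing from user.id, which the SUID document above already exposes.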