[BUG] auditd_manager file.mode does not capture the correct file mode #137

Closed
Aegrah opened this issue Aug 10, 2023 · 2 comments · Fixed by #138

Aegrah commented Aug 10, 2023

Issue

I opened this issue earlier at #integrations, so more context on this issue can be found in issue #6525. The issue includes test data and additional research. I was asked to open this issue here.

The issue:

I am working on a detection rule to detect the execution of SUID binaries, for which I wanted to use the auditd_manager file.mode field. I have one document with a SUID bit set, showing the following auditd.paths:

```json
[
  {
    "item": "0",
    "nametype": "NORMAL",
    "ogid": "0",
    "cap_fi": "0",
    "cap_fp": "0",
    "cap_frootid": "0",
    "cap_fver": "0",
    "inode": "135805",
    "mode": "0102770",
    "dev": "08:01",
    "ouid": "0",
    "rdev": "00:00",
    "cap_fe": "0",
    "name": "/usr/bin/nmap"
  }
]
```

The document above, with a mode of 2770, displays a mode of 0770 in the file.mode field, which would indicate a non-SUID binary.

And I have another document that does not have a SUID bit set, showing the following auditd.paths:

```json
[
  {
    "item": "0",
    "nametype": "NORMAL",
    "ogid": "0",
    "cap_fi": "0",
    "cap_fp": "0",
    "cap_frootid": "0",
    "cap_fver": "0",
    "mode": "0100755",
    "inode": "135805",
    "dev": "08:01",
    "ouid": "0",
    "rdev": "00:00",
    "cap_fe": "0",
    "name": "/usr/bin/nmap"
  }
]
```

This document, with a mode of 0755, displays a mode of 0755 in the file.mode field, which would also indicate a non-SUID binary.

The actual auditd.paths flattened object does have the correct value in there, so I think it should be possible to have the file.mode field display the correct file mode.

It does seem to capture it correctly in both the original message and the auditd.paths. It would also be an option to add the suid, fsuid, sgid and fsgid fields.

@Aegrah Aegrah added the bug label Aug 10, 2023
@Aegrah Aegrah self-assigned this Aug 10, 2023

Aegrah commented Aug 10, 2023

Original data, as reference:

I added the preserve_original_event option. So here's me running the command "dash -p" using a non-SUID binary, which is also indicated by the suid=1005 within the original message:

``` { "_index": ".ds-logs-auditd_manager.auditd-default-2023.05.24-000001", "_id": "ZycqtYgB1fhN-eteZO5K", "_version": 1, "_score": 0, "_source": { "agent": { "name": "", "id": "", "ephemeral_id": "", "type": "auditbeat", "version": "8.8.0" }, "process": { "args": [ "dash", "-p" ], "parent": { "pid": 2380071 }, "name": "dash", "pid": 2380458, "title": "dash -p", "executable": "/usr/bin/dash" }, "elastic_agent": { "id": "b3cfb28b-925f-460e-b025-9bee61092a5e", "version": "8.8.0", "snapshot": false }, "auditd": { "result": "success", "summary": { "actor": { "secondary": "1005", "primary": "1005" }, "how": "/usr/bin/dash", "object": { "type": "file", "primary": "/usr/bin/dash" } }, "data": { "argc": 2, "a1": "55d85d70a000", "syscall": "execve", "a2": "55d85d720450", "exit": "0", "a3": "8", "tty": "pts0", "arch": "x86_64", "a0": "55d85d60bc10" }, "session": "1456", "paths": [ { "item": "0", "nametype": "NORMAL", "ogid": "0", "cap_fi": "0", "cap_fp": "0", "cap_frootid": "0", "mode": "0100755", "cap_fver": "0", "inode": "1593", "dev": "08:01", "ouid": "0", "rdev": "00:00", "cap_fe": "0", "name": "/usr/bin/dash" }, { "item": "1", "nametype": "NORMAL", "ogid": "0", "cap_fi": "0", "cap_fp": "0", "cap_frootid": "0", "cap_fver": "0", "inode": "4382", "mode": "0100755", "dev": "08:01", "ouid": "0", "rdev": "00:00", "cap_fe": "0", "name": "/lib64/ld-linux-x86-64.so.2" } ], "messages": [ "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"", "type=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"", "type=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 
cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0", "type=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0", "type=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70" ], "message_type": "syscall", "user": { "saved": { "id": "1005", "group": { "id": "1006" } }, "audit": { "id": "1005" }, "selinux": { "user": "unconfined" }, "filesystem": { "id": "1005", "group": { "id": "1006" } } } }, "tags": [ "susp_shell", "preserve_original_event", "auditd_manager-auditd" ], "cloud": { "availability_zone": "europe-west4-a", "instance": { "name": "", "id": "" }, "provider": "gcp", "machine": { "type": "e2-standard-4" }, "service": { "name": "GCE" }, "project": { "id": "" }, "region": "europe-west4", "account": { "id": "" } }, "@timestamp": "2023-06-13T14:30:33.304Z", "file": { "inode": "1593", "mode": "0755", "uid": "0", "path": "/usr/bin/dash", "gid": "0", "device": "00:00" }, "ecs": { "version": "8.8.0" }, "service": { "type": "auditd" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "auditd_manager.auditd" }, "host": { "hostname": "", "os": { "kernel": "5.15.0-1034-gcp", "codename": "focal", "name": "Ubuntu", "type": "linux", "family": "debian", "version": "20.04.6 LTS (Focal Fossa)", "platform": "ubuntu" }, "containerized": false, "ip": [ ], "name": "", "id": "", "mac": [ ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 28864261, "ingested": "2023-06-13T14:30:34Z", "original": "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE 
msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70", "kind": "event", "module": "auditd", "action": "executed", "type": [ "start" ], "category": [ "process" ], "dataset": "auditd_manager.auditd", "outcome": "success" }, "user": { "id": "1005", "group": { "id": "1006" } } }, "fields": { "file.mode": [ "0755" ], "file.path": [ "/usr/bin/dash" ], "elastic_agent.version": [ "8.8.0" ], "event.category": [ "process" ], "process.name.text": [ "dash" ], "auditd.user.saved.id": [ "1005" ], "process.parent.pid": [ 2380071 ], "host.hostname": [ "" ], "auditd.message_type": [ "syscall" ], "process.pid": [ 2380458 ], "host.mac": [ ], "cloud.availability_zone": [ "europe-west4-a" ], "process.title.text": [ "dash -p" ], "auditd.data.exit": [ "0" ], "service.type": [ "auditd" ], "auditd.user.audit.id": [ "1005" ], "host.os.version": [ "20.04.6 LTS (Focal Fossa)" ], "host.os.name": [ "Ubuntu" ], "agent.name": [ "" ], "host.name": [ "" ], "event.agent_id_status": [ "verified" ], "event.kind": [ "event" ], "event.outcome": [ "success" ], "auditd.data.tty": [ "pts0" ], "file.path.text": [ "/usr/bin/dash" ], "event.original": [ "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined 
key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70" ], "cloud.region": [ "europe-west4" ], "user.id": [ "1005" ], "host.os.type": [ "linux" ], "auditd.user.selinux.user": [ "unconfined" ], "auditd.data.a2": [ "55d85d720450" ], "auditd.data.a3": [ "8" ], "auditd.messages": [ "type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d60bc10 a1=55d85d70a000 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"", "type=EXECVE msg=audit(1686666633.304:28864261): argc=2 a0=\"dash\" a1=\"-p\"", "type=PATH msg=audit(1686666633.304:28864261): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0", "type=PATH msg=audit(1686666633.304:28864261): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0", "type=PROCTITLE msg=audit(1686666633.304:28864261): proctitle=64617368002D70" ], "data_stream.type": [ "logs" ], "auditd.result": [ "success" ], "tags": [ "susp_shell", "preserve_original_event", "auditd_manager-auditd" ], "host.architecture": [ "x86_64" ], "process.name": [ "dash" ], "cloud.machine.type": [ 
"e2-standard-4" ], "cloud.provider": [ "gcp" ], "cloud.service.name": [ "GCE" ], "agent.id": [ "b3cfb28b-925f-460e-b025-9bee61092a5e" ], "auditd.data.a0": [ "55d85d60bc10" ], "file.device": [ "00:00" ], "auditd.summary.object.primary": [ "/usr/bin/dash" ], "auditd.data.a1": [ "55d85d70a000" ], "ecs.version": [ "8.8.0" ], "host.containerized": [ false ], "auditd.summary.actor.primary": [ "1005" ], "agent.version": [ "8.8.0" ], "user.group.id": [ "1006" ], "process.title": [ "dash -p" ], "host.os.family": [ "debian" ], "auditd.data.arch": [ "x86_64" ], "file.gid": [ "0" ], "auditd.user.saved.group.id": [ "1006" ], "file.uid": [ "0" ], "auditd.user.filesystem.id": [ "1005" ], "auditd.paths": [ { "item": "0", "nametype": "NORMAL", "ogid": "0", "cap_fi": "0", "cap_fp": "0", "cap_frootid": "0", "mode": "0100755", "cap_fver": "0", "inode": "1593", "dev": "08:01", "ouid": "0", "rdev": "00:00", "cap_fe": "0", "name": "/usr/bin/dash" }, { "item": "1", "nametype": "NORMAL", "ogid": "0", "cap_fi": "0", "cap_fp": "0", "cap_frootid": "0", "cap_fver": "0", "inode": "4382", "mode": "0100755", "dev": "08:01", "ouid": "0", "rdev": "00:00", "cap_fe": "0", "name": "/lib64/ld-linux-x86-64.so.2" } ], "cloud.instance.id": [ "" ], "event.sequence": [ 28864261 ], "host.ip": [ "10.164.0.7", "fe80::4001:aff:fea4:7", "172.17.0.1", "172.18.0.1" ], "agent.type": [ "auditbeat" ], "process.executable.text": [ "/usr/bin/dash" ], "auditd.summary.how": [ "/usr/bin/dash" ], "event.module": [ "auditd" ], "host.os.kernel": [ "5.15.0-1034-gcp" ], "file.inode": [ "1593" ], "elastic_agent.snapshot": [ false ], "auditd.data.argc": [ 2 ], "host.id": [ "212700a348f6f2c886f0f22bfcd692fa" ], "process.executable": [ "/usr/bin/dash" ], "auditd.summary.object.type": [ "file" ], "elastic_agent.id": [ "b3cfb28b-925f-460e-b025-9bee61092a5e" ], "data_stream.namespace": [ "default" ], "host.os.codename": [ "focal" ], "process.args": [ "dash", "-p" ], "auditd.data.syscall": [ "execve" ], 
"auditd.summary.actor.secondary": [ "1005" ], "event.action": [ "executed" ], "event.ingested": [ "2023-06-13T14:30:34.000Z" ], "@timestamp": [ "2023-06-13T14:30:33.304Z" ], "host.os.platform": [ "ubuntu" ], "cloud.account.id": [ "" ], "event.type": [ "start" ], "auditd.user.filesystem.group.id": [ "1006" ], "data_stream.dataset": [ "auditd_manager.auditd" ], "auditd.session": [ "1456" ], "agent.ephemeral_id": [ "40451141-402f-436a-bb40-fae58389a104" ], "event.dataset": [ "auditd_manager.auditd" ], "cloud.instance.name": [ "" ], "cloud.project.id": [ "" ] } } ```

And here is the document when running dash -p with SUID enabled; you can also see that suid is set to 0, aka root, with a mode of 6755 (in the original message):

``` { "_index": ".ds-logs-auditd_manager.auditd-default-2023.05.24-000001", "_id": "iycptYgB1fhN-eteIsWZ", "_version": 1, "_score": 0, "_source": { "process": { "args": [ "dash", "-p" ], "parent": { "pid": 2380071 }, "name": "dash", "pid": 2380168, "title": "dash -p", "executable": "/usr/bin/dash" }, "agent": { "name": "", "id": "", "ephemeral_id": "", "type": "auditbeat", "version": "8.8.0" }, "elastic_agent": { "id": "b3cfb28b-925f-460e-b025-9bee61092a5e", "version": "8.8.0", "snapshot": false }, "auditd": { "summary": { "actor": { "secondary": "1005", "primary": "1005" }, "how": "/usr/bin/dash", "object": { "type": "file", "primary": "/usr/bin/dash" } }, "result": "success", "data": { "argc": 2, "a1": "55d85d69c970", "a2": "55d85d720450", "syscall": "execve", "exit": "0", "a3": "8", "tty": "pts0", "arch": "x86_64", "a0": "55d85d6719d0" }, "session": "1456", "paths": [ { "item": "0", "nametype": "NORMAL", "ogid": "0", "cap_fi": "0", "cap_fp": "0", "cap_frootid": "0", "inode": "1593", "mode": "0106755", "cap_fver": "0", "dev": "08:01", "ouid": "0", "rdev": "00:00", "cap_fe": "0", "name": "/usr/bin/dash" }, { "item": "1", "nametype": "NORMAL", "ogid": "0", "cap_fi": "0", "cap_fp": "0", "cap_frootid": "0", "cap_fver": "0", "inode": "4382", "mode": "0100755", "dev": "08:01", "ouid": "0", "rdev": "00:00", "cap_fe": "0", "name": "/lib64/ld-linux-x86-64.so.2" } ], "messages": [ "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"", "type=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"", "type=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 
cap_fver=0 cap_frootid=0", "type=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0", "type=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70" ], "message_type": "syscall", "user": { "saved": { "id": "0", "group": { "id": "0" } }, "audit": { "id": "1005" }, "selinux": { "user": "unconfined" }, "filesystem": { "id": "0", "group": { "id": "0" } } } }, "tags": [ "susp_shell", "preserve_original_event", "auditd_manager-auditd" ], "cloud": { "availability_zone": "europe-west4-a", "instance": { "name": "", "id": "" }, "provider": "gcp", "service": { "name": "GCE" }, "machine": { "type": "e2-standard-4" }, "project": { "id": "elastic-security-research" }, "region": "europe-west4", "account": { "id": "" } }, "@timestamp": "2023-06-13T14:29:11.525Z", "file": { "inode": "1593", "mode": "0755", "uid": "0", "path": "/usr/bin/dash", "gid": "0", "device": "00:00" }, "ecs": { "version": "8.8.0" }, "service": { "type": "auditd" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "auditd_manager.auditd" }, "host": { "hostname": "", "os": { "kernel": "5.15.0-1034-gcp", "codename": "focal", "name": "Ubuntu", "type": "linux", "family": "debian", "version": "20.04.6 LTS (Focal Fossa)", "platform": "ubuntu" }, "containerized": false, }, "event": { "agent_id_status": "verified", "sequence": 28860764, "ingested": "2023-06-13T14:29:11Z", "original": "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"\ntype=PATH 
msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70", "kind": "event", "module": "auditd", "action": "executed", "type": [ "start" ], "category": [ "process" ], "dataset": "auditd_manager.auditd", "outcome": "success" }, "user": { "effective": { "id": "0", "group": { "id": "0" } }, "id": "1005", "group": { "id": "1006" } } }, "fields": { "file.mode": [ "0755" ], "file.path": [ "/usr/bin/dash" ], "elastic_agent.version": [ "8.8.0" ], "event.category": [ "process" ], "process.name.text": [ "dash" ], "auditd.user.saved.id": [ "0" ], "process.parent.pid": [ 2380071 ], "auditd.message_type": [ "syscall" ] "process.pid": [ 2380168 ], "host.mac": [ "02-42-19-91-5B-16", "02-42-65-CE-47-9F", "42-01-0A-A4-00-07" ], "cloud.availability_zone": [ "europe-west4-a" ], "process.title.text": [ "dash -p" ], "auditd.data.exit": [ "0" ], "service.type": [ "auditd" ], "auditd.user.audit.id": [ "1005" ], "host.os.version": [ "20.04.6 LTS (Focal Fossa)" ], "host.os.name": [ "Ubuntu" ] "event.agent_id_status": [ "verified" ], "event.kind": [ "event" ], "event.outcome": [ "success" ], "auditd.data.tty": [ "pts0" ], "file.path.text": [ "/usr/bin/dash" ], "event.original": [ "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"\ntype=EXECVE msg=audit(1686666551.525:28860764): argc=2 
a0=\"dash\" a1=\"-p\"\ntype=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\ntype=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70" ], "cloud.region": [ "europe-west4" ], "user.id": [ "1005" ], "host.os.type": [ "linux" ], "auditd.user.selinux.user": [ "unconfined" ], "auditd.data.a2": [ "55d85d720450" ], "auditd.data.a3": [ "8" ], "auditd.messages": [ "type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 a0=55d85d6719d0 a1=55d85d69c970 a2=55d85d720450 a3=8 items=2 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1456 comm=\"dash\" exe=\"/usr/bin/dash\" subj=unconfined key=\"susp_shell\"", "type=EXECVE msg=audit(1686666551.525:28860764): argc=2 a0=\"dash\" a1=\"-p\"", "type=PATH msg=audit(1686666551.525:28860764): item=0 name=\"/usr/bin/dash\" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0", "type=PATH msg=audit(1686666551.525:28860764): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=4382 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0", "type=PROCTITLE msg=audit(1686666551.525:28860764): proctitle=64617368002D70" ], "data_stream.type": [ "logs" ], "auditd.result": [ "success" ], "tags": [ "susp_shell", "preserve_original_event", "auditd_manager-auditd" ], "host.architecture": [ "x86_64" ], "process.name": [ "dash" ], "cloud.machine.type": [ "e2-standard-4" ], "cloud.provider": [ "gcp" ], "cloud.service.name": [ "GCE" ], "agent.id": [ 
"b3cfb28b-925f-460e-b025-9bee61092a5e" ], "auditd.data.a0": [ "55d85d6719d0" ], "file.device": [ "00:00" ], "auditd.summary.object.primary": [ "/usr/bin/dash" ], "auditd.data.a1": [ "55d85d69c970" ], "ecs.version": [ "8.8.0" ], "host.containerized": [ false ], "auditd.summary.actor.primary": [ "1005" ], "agent.version": [ "8.8.0" ], "user.group.id": [ "1006" ], "process.title": [ "dash -p" ], "host.os.family": [ "debian" ], "user.effective.group.id": [ "0" ], "auditd.data.arch": [ "x86_64" ], "file.gid": [ "0" ], "user.effective.id": [ "0" ], "auditd.user.saved.group.id": [ "0" ], "file.uid": [ "0" ], "auditd.user.filesystem.id": [ "0" ], "auditd.paths": [ { "item": "0", "nametype": "NORMAL", "ogid": "0", "cap_fi": "0", "cap_fp": "0", "cap_frootid": "0", "inode": "1593", "mode": "0106755", "cap_fver": "0", "dev": "08:01", "ouid": "0", "rdev": "00:00", "cap_fe": "0", "name": "/usr/bin/dash" }, { "item": "1", "nametype": "NORMAL", "ogid": "0", "cap_fi": "0", "cap_fp": "0", "cap_frootid": "0", "cap_fver": "0", "inode": "4382", "mode": "0100755", "dev": "08:01", "ouid": "0", "rdev": "00:00", "cap_fe": "0", "name": "/lib64/ld-linux-x86-64.so.2" } ], "cloud.instance.id": [ "5819226346140730406" ], "event.sequence": [ 28860764 ], "agent.type": [ "auditbeat" ], "process.executable.text": [ "/usr/bin/dash" ], "auditd.summary.how": [ "/usr/bin/dash" ], "event.module": [ "auditd" ], "host.os.kernel": [ "5.15.0-1034-gcp" ], "file.inode": [ "1593" ], "elastic_agent.snapshot": [ false ], "auditd.data.argc": [ 2 ], "host.id": [ "212700a348f6f2c886f0f22bfcd692fa" ], "process.executable": [ "/usr/bin/dash" ], "auditd.summary.object.type": [ "file" ], "elastic_agent.id": [ "b3cfb28b-925f-460e-b025-9bee61092a5e" ], "data_stream.namespace": [ "default" ], "host.os.codename": [ "focal" ], "process.args": [ "dash", "-p" ], "auditd.data.syscall": [ "execve" ], "auditd.summary.actor.secondary": [ "1005" ], "event.action": [ "executed" ], "event.ingested": [ "2023-06-13T14:29:11.000Z" ], 
"@timestamp": [ "2023-06-13T14:29:11.525Z" ], "host.os.platform": [ "ubuntu" ], "cloud.account.id": [ "elastic-security-research" ], "event.type": [ "start" ], "auditd.user.filesystem.group.id": [ "0" ] } } ```
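
Added example (not code from this issue or from go-libaudit): a small Go program that shows what the auditd PATH `mode` field carries and why masking it with 0777 yields the `file.mode` values seen in the two documents above, while a 07777 mask keeps the SUID, SGID and sticky bits. `parseKV`, `ecsFileMode`, `specialBits` and `analyseExec` are hypothetical helpers written for this example; the four sample records are constructed by trimming the SYSCALL and item=0 PATH lines of the two documents down to the fields the code reads. The first comment's 0102770 mode is also handled: under the wider mask it renders as 2770, which is the setgid bit (02000) rather than setuid (04000).

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// st_mode bit masks as defined in <sys/stat.h>. auditd PATH records print
// the full st_mode in octal, e.g. 0106755 = regular file (0100000) + setuid
// (04000) + rwxr-xr-x (0755).
const (
	permBits = 0o777  // rwxrwxrwx only: the mask file.mode used before the fix
	modeBits = 0o7777 // permissions plus setuid/setgid/sticky: the fixed mask
	setUID   = 0o4000 // S_ISUID
	setGID   = 0o2000 // S_ISGID
	sticky   = 0o1000 // S_ISVTX
)

// Constructed sample records, trimmed from the two documents in this thread
// to the fields this example reads.
const (
	syscallNormal = `type=SYSCALL msg=audit(1686666633.304:28864261): arch=c000003e syscall=59 success=yes exit=0 ppid=2380071 pid=2380458 auid=1005 uid=1005 gid=1006 euid=1005 suid=1005 fsuid=1005 egid=1006 sgid=1006 fsgid=1006 comm="dash" exe="/usr/bin/dash"`
	pathNormal    = `type=PATH msg=audit(1686666633.304:28864261): item=0 name="/usr/bin/dash" inode=1593 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`
	syscallSetuid = `type=SYSCALL msg=audit(1686666551.525:28860764): arch=c000003e syscall=59 success=yes exit=0 ppid=2380071 pid=2380168 auid=1005 uid=1005 gid=1006 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dash" exe="/usr/bin/dash"`
	pathSetuid    = `type=PATH msg=audit(1686666551.525:28860764): item=0 name="/usr/bin/dash" inode=1593 dev=08:01 mode=0106755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`
)

// parseKV splits an audit record body into key/value pairs and strips the
// quotes around values. Enough for the fields used here (no spaces in values).
func parseKV(record string) map[string]string {
	kv := make(map[string]string)
	for _, tok := range strings.Fields(record) {
		parts := strings.SplitN(tok, "=", 2)
		if len(parts) == 2 {
			kv[parts[0]] = strings.Trim(parts[1], `"`)
		}
	}
	return kv
}

// ecsFileMode renders an auditd PATH mode the way file.mode is derived:
// parse the octal st_mode, drop the file-type bits, keep what mask selects.
func ecsFileMode(auditMode string, mask uint32) (string, error) {
	m, err := strconv.ParseUint(auditMode, 8, 32)
	if err != nil {
		return "", fmt.Errorf("bad audit mode %q: %w", auditMode, err)
	}
	return fmt.Sprintf("%04o", uint32(m)&mask), nil
}

// SpecialBits reports the non-permission bits of a PATH mode.
type SpecialBits struct{ SetUID, SetGID, Sticky bool }

func specialBits(auditMode string) (SpecialBits, error) {
	m, err := strconv.ParseUint(auditMode, 8, 32)
	if err != nil {
		return SpecialBits{}, err
	}
	return SpecialBits{m&setUID != 0, m&setGID != 0, m&sticky != 0}, nil
}

// ExecFinding is what a SUID-execution detection needs from one execve event.
type ExecFinding struct {
	Executable   string
	ModeOld      string // file.mode as shipped before the fix (0777 mask)
	ModeFixed    string // file.mode with the fixed mask (07777)
	SetUIDBinary bool   // static signal: setuid bit in the PATH record
	UIDChanged   bool   // runtime signal: euid or suid differ from uid in SYSCALL
}

// analyseExec joins the SYSCALL record with the item=0 PATH record of the same
// event and evaluates both signals a SUID-execution rule can use.
func analyseExec(syscallRec, pathRec string) (ExecFinding, error) {
	sc, p := parseKV(syscallRec), parseKV(pathRec)
	if sc["type"] != "SYSCALL" || p["type"] != "PATH" {
		return ExecFinding{}, errors.New("expected a SYSCALL record followed by a PATH record")
	}
	old, err := ecsFileMode(p["mode"], permBits)
	if err != nil {
		return ExecFinding{}, err
	}
	fixed, _ := ecsFileMode(p["mode"], modeBits) // same input already validated
	bits, _ := specialBits(p["mode"])
	return ExecFinding{
		Executable:   p["name"],
		ModeOld:      old,
		ModeFixed:    fixed,
		SetUIDBinary: bits.SetUID,
		UIDChanged:   sc["uid"] != sc["euid"] || sc["uid"] != sc["suid"],
	}, nil
}

func main() {
	for _, c := range [][2]string{{syscallNormal, pathNormal}, {syscallSetuid, pathSetuid}} {
		f, err := analyseExec(c[0], c[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s old=%s fixed=%s setuid=%t uid_changed=%t\n",
			f.Executable, f.ModeOld, f.ModeFixed, f.SetUIDBinary, f.UIDChanged)
	}
}
```

Run with `go run`; the second line of output is the setuid case, where the old mask reports 0755 and the fixed mask 6755. A rule for SUID execution is more robust when it combines both signals: the 04000 bit in file.mode (static, visible even when the kernel ignores setuid, e.g. on a nosuid mount) and `uid != euid`/`suid` in the SYSCALL record (runtime, which is what the user.saved.id and user.effective.id fields in the second document reflect).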

andrewkroh added a commit to andrewkroh/go-libaudit that referenced this issue Aug 10, 2023
The file.mode field was only including the permission bits. This expands the mask
to include the SUID, SGID, and sticky bits.

Fixes elastic#137
@andrewkroh (Member) commented:

PR: #138

andrewkroh added a commit that referenced this issue Aug 10, 2023
The file.mode field was only including the permission bits. This expands the mask
to include the SUID, SGID, and sticky bits.

Fixes #137