This program is a plugin for Linux Audit user space programs available at http://people.redhat.com/sgrubb/audit/. It uses the audisp multiplexer.
Audisp-json correlates messages coming from the kernel's audit (and through audisp) into a single JSON message that is sent directly to a log server (it doesn't use syslog). The JSON format used is MozDef message format.
Regular audit log messages and audisp-json error, info messages still use syslog.
Due to the ring buffer filling up when the front-end HTTP server does not process fast enough, the program may slowly grow in memory for a while on busy systems. It'll stop at 512 messages (hard-coded) buffered.
+-----------+ +------------+
| | Netlink | |
| kernel +------------> auditd |
| | | |
+-----------+ +------+-----+
| +------------+ +--------------+
pipe | | | HTTP(S) | |
| +------> audisp-json+------------>+ MozDef JSON |
+------v-----+ | | | | |
| | | +------------+ +--------------+
| audispd +---+
| | pipe
+---------+--+ +------------+
| | |
+-------------> Other |
pipe | plugins |
+------------+
Required dependencies:
- Audit (2.0+)
- libtool
- libcurl
For package building:
- FPM
- rpmbuild (rpm)
They're self explanatory.
- make
- make rpm
- make deb
- make install
- make uninstall
- make clean
- make rpm-deps # builds deps for amazonlinux, centos, etc.
Note that packaging targets (like make rpm) will package an example rule file, but not use it by default. You can move
it where needed manually.
Example to build for CentOS:
docker run --rm -ti -v $(pwd):/build centos:7 /bin/bash -c "yum install -y make && cd /build && make rpm-deps && make
rpm"
Or for AmazonLinux:
docker run --rm -ti -v $(pwd):/build amazonlinux /bin/bash -c "yum install -y make && cd /build && make rpm-deps && make
rpm"
Or for Ubuntu:
docker run --rm -ti -v $(pwd):/build ubuntu:14.04 /bin/bash -c "apt-get update && apt-get -y install build-essential && cd /build && make deb-deps && make deb"
We previously used audisp-cef, so we would want to mark that package as obsolete.
- make rpm FPMOPTS="--replaces audisp-cef"
- make deb FPMOPTS="--replaces audisp-cef"
These examples filter out messages that may clutter your log or/and DOS yourself (high I/O) if auditd goes down for any reason.
#Drop native audit messages from the kernel (may happen is auditd dies, and may kill the system otherwise)
:msg, regex, "type=[0-9]* audit" ~
#Drop audit sid msg (work-around until RH fixes the kernel - should be fixed in RHEL7 and recent RHEL6)
:msg, contains, "error converting sid to string" ~
source s_syslog { unix-dgram("/dev/log"); };
filter f_not_auditd { not message("type=[0-9]* audit") or not message("error converting sid to string"); };
log{ source(s_syslog);f ilter(f_not_auditd); destination(d_logserver); };
- It is suggested to bump the audispd queue to adjust for extremely busy systems, for ex.
q_depth=512. - You will also probably need to bump the kernel-side buffer and change the rate limit in audit.rules, for ex.
-b 16384 -r 500.
Syscalls are interpreted by audisp-json and transformed into a MozDef JSON message. This means, for example, all execve() and related calls will be aggregated into a message of type EXECVE.
NOTE: MozDef messages are not sent to syslog. They're sent to MozDef directly.
Supported messages are listed in the document messages_format.md
The audisp-json.conf file has a few options:
mozdef_urlAny server supporting JSON MozDef messagesssl_verifyYes or no. Only use no for testing purposes.curl_verboseEnables curl verbose mode for debugging. start audisp-json in the foreground to see messages.curl_logfilePath to a file to log curl debug messages to. Most useful with curl_verbose also set. Otherwise, message go to stderr.curl_cainfoSpecify the path to a single CA certificate, if needed. When not specified, system's CA bundle is used.file_logSpecify a file path to log the json data to. This disables mozdef logging.prepend_msgSpecific a string to prepend all messages with. For example, for Fluentd you might wantprepend_msg={"message":.postpend_msgSimilar toprepend_msgbut for postpending the messages. To complement the previous example you would usepostpend_msg=}.
If you need to compile in statically compiled libraries, here are the variables to change from the makefile, using libcurl and openssl statically compiled as an example.
@@ -48,9 +48,11 @@ else ifeq ($(DEBUG),1)
else
CFLAGS := -fPIE -DPIE -g -O2 -D_REENTRANT -D_GNU_SOURCE -fstack-protector-all -D_FORTIFY_SOURCE=2
endif
+CFLAGS := -g -O2 -D_REENTRANT -D_GNU_SOURCE -fstack-protector-all -D_FORTIFY_SOURCE=2
-LDFLAGS := -pie -Wl,-z,relro
-LIBS := -lauparse -laudit `curl-config --libs`
+#LDFLAGS := -pie -Wl,-z,relro -static
+LDFLAGS := -static -ldl -lz -lrt
+LIBS := -lauparse -laudit $(pkg-config --static --libs libssl libcurl)
./path-to-libcurl/lib/.libs/libcurl.a ./path-to-openssl/libssl.a
./path-to-openssl/libcrypto.a -lpthread
DEFINES := -DPROGRAM_VERSION\=${VERSION} ${REORDER_HACKF} ${IGNORE_EMPTY_EXECVE_COMMANDF}
GCC := gcc
To compile libcurl in this example:
./configure --disable-shared --enable-static --prefix=/tmp/curl --disable-ldap --disable-sspi --without-librtmp --disable-ftp --disable-file --disable-dict --disable-telnet --disable-tftp --disable-
tsp --disable-pop3 --disable-imap --disable-smtp --disable-gopher --disable-smb --without-libidn --with-ssl --without-libssh2 --without-nghttp2 --without-libpsl
NOTE: Any library you enable will need to be available as a static library as well.
NOTE2: New libraries may be needed when using newer versions of libcurl and openssl so your mileage may vary.