The auditd module

The auditd module is a dissection module: it takes an Orchids event, parses its last field (which should be a string) as a Linux audit record, and returns a refined Orchids event with additional fields. Typically, the auditd module is meant to dissect text coming from the textfile or bintotext modules, one audit record per line.

Configuration options

None.

Admissible event sources (on Linux systems) are:

  • a text file such as /var/log/audit/audit.log, read through the textfile module (offline detection);
  • a Unix domain (stream) socket such as /var/run/audispd_events, read through the textfile module (detection from an online, local feed); the name of the socket is set in the audispd af_unix plugin configuration file, /etc/audisp/plugins.d/af_unix.conf;
  • a UDP Internet socket, read through the udp and bintotext modules (remote feeds, forwarded by /sbin/audisp-remote).

Fields

The auditd module parses only some of the fields of an audit record. It is mostly geared towards system call (SYSCALL) records and the records that accompany them (PATH, CWD, EXECVE, PROCTITLE), but it also parses a few other record types, listed below. Note that one audit event, i.e. one system call, is reported as several records sharing the same serial number; the module dissects each record separately, so correlating them is left to the rules.

Field                Type     Mono?  Description
.auditd.node         str             reporting host name; present when records arrive through audisp-remote
.auditd.type         str             type of record (SYSCALL, PATH, or other)
.auditd.time         timeval         reporting time, taken from the msg=audit(seconds.millis:serial) header
.auditd.serial       uint            event serial number; all records of one event share it

If .auditd.type=="SYSCALL":
.auditd.arch         uint            ELF architecture flags (the kernel's AUDIT_ARCH_* value)
.auditd.syscall      uint            syscall number (architecture dependent)
.auditd.per          uint            personality (optional)
.auditd.success      str             syscall success ("yes" or "no")
.auditd.exit         uint            exit value; on failure the raw record carries a negative errno (e.g. -13 for EACCES)
.auditd.a0           uint            syscall argument 0 (hexadecimal in the raw record)
.auditd.a1           uint            syscall argument 1
 …                    …
.auditd.a127         uint            syscall argument 127 (the kernel itself only reports a0 to a3)
.auditd.items        uint            number of PATH records in the event
.auditd.ppid         uint            parent pid
.auditd.pid          uint            process id
.auditd.auid         uint            audit (login) uid of the process; survives su and sudo, 4294967295 when unset
.auditd.uid          uint            user id
.auditd.gid          uint            group id
.auditd.euid         uint            effective user id
.auditd.suid         uint            saved set-user id
.auditd.fsuid        uint            file system user id
.auditd.egid         uint            effective group id
.auditd.sgid         uint            saved set-group id
.auditd.fsgid        uint            file system group id
.auditd.tty          str             controlling tty
.auditd.ses          uint            login session id (not a SELinux user); 4294967295 when unset
.auditd.comm         str             command name (the kernel's comm field, not the full command line)
.auditd.exe          str             path of the executable
.auditd.subj         str             LSPP subject security context (e.g. the SELinux context)
.auditd.key          str             key of the audit rule that matched (auditctl -k); "(null)" if none

If .auditd.type=="PATH":
.auditd.item         uint            item index within the event
.auditd.name         str             the file name (hex-encoded in the raw record when it contains spaces or control characters)
.auditd.inode        uint            inode number
.auditd.mode         uint            mode (octal in the raw record)
.auditd.dev          uint            device holding the file (64*major+minor)
.auditd.ouid         uint            owner uid of the file (the object uid; the same field name appears in OBJ_PID records, see below)
.auditd.ogid         uint            owner gid of the file
.auditd.rdev         uint            device number of a block or character special file (64*major+minor)
.auditd.nametype     str             nametype, e.g. "PARENT" or "NORMAL"

If .auditd.type=="CWD":
.auditd.cwd          str             the current working directory of the process

If .auditd.type=="PROCTITLE":
.auditd.proctitle    str             process title (its argv as in /proc/PID/cmdline); hex-encoded in the raw record, with NUL between arguments

If .auditd.type=="EXECVE":
.auditd.argc         uint            number of arguments to execve, e.g., 3 for "tail" "-f" "audit.log"
.auditd.s0           str             execve argument 0 (a0= in the raw record)
.auditd.s1           str             execve argument 1
 …                    …
.auditd.s127         str             execve argument 127

If .auditd.type=="ANOM_ABEND":
.auditd.auid         uint            audit (login) uid of the process
.auditd.uid          uint            user id
.auditd.gid          uint            group id
.auditd.ses          uint            login session id
.auditd.pid          uint            process id
.auditd.comm         str             command name
.auditd.exe          str             path of the executable
.auditd.sig          uint            number of the signal that terminated the process

If .auditd.type=="OBJ_PID":
.auditd.opid         uint            object pid
.auditd.oauid        uint            object audit (login) uid
.auditd.ouid         uint            object user id (beware: the same field name is the owner uid in PATH records, see above)
.auditd.oses         uint            object session number
.auditd.obj          str             object security context
.auditd.ocomm        str             object command name
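The following is an added example, not Orchids code, showing how the raw audit.log lines that the sources above feed into the module map onto the fields in this table: it parses each record, applies the conversions the table implies (hex syscall arguments, octal mode, 64*major+minor devices, hex-encoded PROCTITLE and EXECVE strings, the EXECVE a0=/a1= arguments renamed to s0/s1), groups the records of one event by serial number, and runs two illustrative checks of the kind an Orchids rule would express (auid versus euid, and a denied access). Everything in it is an assumption of the example: the function names, the check logic, and the sample records, which are constructed rather than captured from a real host.

```python
"""Stand-alone parser for Linux audit records, keyed like the Orchids auditd fields.
Added example, not Orchids code. parse_record() turns one audit.log line into a dict,
group_events() collects the records sharing a serial into one event, summarize()
flattens an event and flags() runs two illustrative checks. Sample data is constructed.
"""
import re
from collections import defaultdict

# node=... only appears on records relayed by audisp-remote.
_HEADER = re.compile(r"^(?:node=(\S+)\s+)?type=(\w+)\s+msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# key=value tokens: the value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_HEXSTR = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
_HEX = {"arch", "a0", "a1", "a2", "a3"}   # SYSCALL prints these in hex
_OCT = {"mode"}                           # PATH prints mode in octal
_DEV = {"dev", "rdev"}                    # "fd:01" -> 64*major+minor, as the module encodes it
_INT = {"syscall", "per", "exit", "items", "ppid", "pid", "auid", "uid", "gid", "euid",
        "suid", "fsuid", "egid", "sgid", "fsgid", "ses", "item", "inode", "ouid", "ogid",
        "argc", "sig", "opid", "oauid", "oses"}

def _unhex(raw):
    """Audit hex-encodes strings holding spaces or control chars; NUL separates argv words."""
    return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")

def parse_record(line):
    """One raw audit record -> flat dict (type, time, serial, node, plus its own fields)."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    node, rtype, secs, millis, serial, body = m.groups()
    rec = {"type": rtype, "time": (int(secs), int(millis) * 1000), "serial": int(serial)}
    if node: rec["node"] = node
    for key, raw in _KV.findall(body):
        if rtype == "EXECVE" and re.fullmatch(r"a\d+", key):
            key = "s" + key[1:]            # EXECVE argv a0=, a1=, ... -> s0, s1, ... (strings)
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key in _HEX:
            rec[key] = int(raw, 16)
        elif key in _OCT:
            rec[key] = int(raw, 8)
        elif key in _DEV:
            major, minor = raw.split(":")
            rec[key] = 64 * int(major, 16) + int(minor, 16)
        elif key in _INT:
            rec[key] = int(raw)
        elif key in ("proctitle", "name", "cwd") or re.fullmatch(r"s\d+", key):
            rec[key] = _unhex(raw) if _HEXSTR.match(raw) else raw   # unquoted string: hex or (null)
        else:
            rec[key] = raw
    return rec

def group_events(lines):
    """Group records by serial number: one audit event (one syscall) spans several records."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)

def summarize(records):
    """Flatten the records of one event into the view a detection rule wants."""
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    if sc is None:
        return None
    out = {k: sc.get(k) for k in ("node", "serial", "syscall", "success", "exit",
                                   "auid", "uid", "euid", "comm", "exe", "key")}
    out["cwd"] = next((r["cwd"] for r in records if r["type"] == "CWD"), None)
    paths = sorted((r for r in records if r["type"] == "PATH"), key=lambda r: r["item"])
    out["paths"] = [r.get("name") for r in paths]
    ex = next((r for r in records if r["type"] == "EXECVE"), None)
    out["argv"] = [ex["s%d" % i] for i in range(ex["argc"])] if ex else None
    out["proctitle"] = next((r["proctitle"] for r in records if r["type"] == "PROCTITLE"), None)
    return out

def flags(s):
    """Two illustrative checks (not Orchids rules) over a summarized event."""
    found = []
    # auid is the uid of the login session and survives su/sudo; euid 0 under a
    # non-root auid means a logged-in user is now executing as root.
    if s["auid"] not in (None, 0, 4294967295) and s["euid"] == 0:
        found.append("root_exec_by_login_user_%d" % s["auid"])
    if s["success"] == "no" and s["exit"] == -13:                  # -EACCES
        found.append("denied_access:%s" % (s["paths"][0] if s["paths"] else "?"))
    return found

# Constructed sample: execve of "tail -f audit.log" as root by login user 1000, then a denied open of /etc/shadow.
SAMPLE = """\
node=host1 type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c3f0a2b0 a1=55d2c3f0a340 a2=55d2c3f0c6f0 a3=8 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tail" exe="/usr/bin/tail" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="exec_as_root"
node=host1 type=EXECVE msg=audit(1700000000.123:42): argc=3 a0="tail" a1="-f" a2="audit.log"
node=host1 type=CWD msg=audit(1700000000.123:42):  cwd="/var/log/audit"
node=host1 type=PATH msg=audit(1700000000.123:42): item=0 name="/usr/bin/tail" inode=1311 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
node=host1 type=PATH msg=audit(1700000000.123:42): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2101 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
node=host1 type=PROCTITLE msg=audit(1700000000.123:42): proctitle=7461696C002D660061756469742E6C6F67
node=host1 type=SYSCALL msg=audit(1700000000.500:43): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1a2b3c40 a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="shadow_read"
node=host1 type=PATH msg=audit(1700000000.500:43): item=0 name="/etc/shadow" inode=131 dev=fd:01 mode=0100000 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
"""
SAMPLE_LINES = SAMPLE.strip().splitlines()

if __name__ == "__main__":
    for serial, recs in sorted(group_events(SAMPLE_LINES).items()):
        s = summarize(recs)
        print(serial, s["comm"], s["argv"], s["paths"], flags(s))
```

Run as a script it prints one line per event with the reconstructed argv, the PATH names and the checks that fired. The two points worth carrying over to real rules are the grouping by serial, since the SYSCALL record alone does not tell you which file or argv was involved, and the use of auid rather than uid to attribute an action to the person who logged in.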