The openbsm module

The openbsm module is a dissection module: its purpose is to take an Orchids event, parse its last field (which should be a binary string, of type bstr) and return a refined Orchids event with additional fields. Typically, the openbsm module is meant to dissect raw data coming from the udp module, parsing it as an OpenBSM record.

Configuration options

None.

Fields

OpenBSM records consist of a header, a list of tokens, and a trailer. Each contains one or several fields. The Orchids events returned by the openbsm module carry the complete list of fields appearing in the OpenBSM record.

OPENBSM_OTHER_FILE32 header

Although OpenBSM defines 5 kinds of headers, the first four really are variants of each other. We start with OpenBSM records that have an OPENBSM_OTHER_FILE32 header (all constants are defined in $OCONF/rules/openbsm.h; the constant OPENBSM_OTHER_FILE32 is called AUT_OTHER_FILE32 in the OpenBSM specification). These merely specify a file name:

Field Type Mono? Description
.openbsm.kind uint header kind (=OPENBSM_OTHER_FILE32 here)
.openbsm.time timeval time
.openbsm.file str file name

OPENBSM_HEADER{32,64}(_EX)? headers

The usual OpenBSM records have a .openbsm.kind field taken among OPENBSM_HEADER32, OPENBSM_HEADER32_EX, OPENBSM_HEADER64, or OPENBSM_HEADER64_EX. (Those correspond to AUT_HEADER32, AUT_HEADER32_EX, AUT_HEADER64, and AUT_HEADER64_EX respectively in the OpenBSM specification.)

The OPENBSM_HEADER{32,64}_EX headers have an extra IP address field .openbsm.ip. This is always returned as an ipv6 value, even when the IP address is an IPv4 address. (Every IPv4 address embeds as an IPv6 address.)

The contents of the header will then be found under the following Orchids fields:

Field Type Mono? Description
.openbsm.kind uint header kind (anything but OPENBSM_OTHER_FILE32 here)
.openbsm.version uint version
.openbsm.type uint type
.openbsm.modifier uint modifier
.openbsm.time timeval time
.openbsm.ip ipv6 IP address (only if .openbsm.kind is of the form OPENBSM_HEADER{32,64}_EX)

Additional fields are provided, depending on the tokens present in the OpenBSM record. They are listed by token sort now.

  • AUT_ARG32, AUT_ARG64 tokens:
    There are at most 128 of these. Each one has a name and a value. There is no field stating how many arguments are present.

    Field Type Mono? Description
    .openbsm.argname1 str argument name 1
    .openbsm.arg1 uint argument value 1
    .openbsm.argname2 str argument name 2
    .openbsm.arg2 uint argument value 2
    ...
    .openbsm.argname128 str argument name 128
    .openbsm.arg128 uint argument value 128
  • AUT_DATA tokens:
    Arrays of 1, 2, 4 or 8-byte numbers, with formatting instructions. Since Orchids does not have arrays, and AUT_DATA tokens are meant to be printed anyway, such tokens are rendered as strings. E.g., an AUT_DATA token with two 1-byte entries (say, 7 and 11), specified to be printed in hex, would yield the Orchids string "0x7 0xb".

    Field Type Mono? Description
    .openbsm.data str raw data, printed as a string
  • AUT_ATTR32, AUT_ATTR64 tokens:
    Specifies file attributes.

    Field Type Mono? Description
    .openbsm.file_access_mode uint file access mode
    .openbsm.owner_uid uint owner user id
    .openbsm.owner_gid uint owner group id
    .openbsm.fsid uint file system id
    .openbsm.nid uint node id
    .openbsm.dev uint device id
  • AUT_EXIT token:
    Field Type Mono? Description
    .openbsm.exit_status uint exit status
    .openbsm.exit_value uint exit return value
  • AUT_EXEC_ARGS token:
    Arguments passed to execve() and related syscalls.
    There are at most 128 of these. The .openbsm.execarg_num field states how many there are.

    Field Type Mono? Description
    .openbsm.execarg_num uint number of arguments to execve()
    .openbsm.execarg1 uint exec argument value 1
    .openbsm.execarg2 uint exec argument value 2
    ...
    .openbsm.execarg128 uint exec argument value 128
  • AUT_EXEC_ENV token:
    Environment variables passed to execve() and related syscalls.
    There are at most 128 of these. The .openbsm.execarg_num field states how many there are.

    Field Type Mono? Description
    .openbsm.execarg_num uint number of arguments to execve()
    .openbsm.arg1 str exec environment variable 1
    .openbsm.arg2 str exec environment variable 2
    ...
    .openbsm.arg128 str exec environment variable 128
  • AUT_NEWGROUPS token:
    New groups created. There are at most 16 of these. The .openbsm.newgroups_num field states how many there are.

    Field Type Mono? Description
    .openbsm.newgroups_num uint number of new groups
    .openbsm.newgroup1 uint new group number 1
    .openbsm.newgroup2 uint new group number 2
    ...
    .openbsm.newgroup16 uint new group number 16
  • AUT_IN_ADDR token:
    IPv4 address.

    Field Type Mono? Description
    .openbsm.inaddr ipv4 IPv4 address
  • AUT_IN_ADDR_EX token:
    IPv4 or IPv6 address.

    Field Type Mono? Description
    .openbsm.inaddr6 ipv6 IPv6 address, or IPv4 address encoded as IPv6
  • AUT_IP token:
    Internet Protocol (IP) header contents.

    Field Type Mono? Description
    .openbsm.ip_version uint version
    .openbsm.ip_tos uint type of service
    .openbsm.ip_len uint length
    .openbsm.ip_id uint identifier
    .openbsm.ip_offset uint offset
    .openbsm.ip_ttl uint time to live
    .openbsm.ip_protocol uint protocol
    .openbsm.ip_checksum uint checksum
    .openbsm.ip_source ipv4 source address
    .openbsm.ip_dest ipv4 destination address
  • AUT_IPC token:
    Inter-process communication info.

    Field Type Mono? Description
    .openbsm.ipc_type uint object type
    .openbsm.ipc_id uint object identifier
  • AUT_IPC_PERM token:
    Inter-process communication permission info.

    Field Type Mono? Description
    .openbsm.ipcperm_uid uint owner user id
    .openbsm.ipcperm_gid uint owner group id
    .openbsm.ipcperm_puid uint creator user id
    .openbsm.ipcperm_pgid uint creator group id
    .openbsm.ipcperm_mode uint access mode
    .openbsm.ipcperm_seq uint slot sequence number
    .openbsm.ipcperm_key uint key
  • AUT_IPORT token:
    IP port.

    Field Type Mono? Description
    .openbsm.iport uint IP port
  • AUT_OPAQUE token:
    Opaque data. There is no way to do anything sensible with such data, I’m afraid, except pass it on.

    Field Type Mono? Description
    .openbsm.opaque bstr opaque data
  • AUT_PATH token:
    Specifies a file or directory name passed as an argument to a command or system call.

    Field Type Mono? Description
    .openbsm.path str file or directory name
  • AUT_PROCESS{32,64}(_EX)? tokens:
    A process and its various user and group ids.

    Field Type Mono? Description
    .openbsm.proc_auid uint audit id
    .openbsm.proc_euid uint effective user id
    .openbsm.proc_egid uint effective group id
    .openbsm.proc_ruid uint real user id
    .openbsm.proc_rgid uint real group id
    .openbsm.proc_pid uint process id
    .openbsm.proc_sid uint session id
    .openbsm.proc_port uint port id
    .openbsm.proc_addr ipv6 machine id, as an IPv6 (or IPv4, encoded as IPv6) address
  • AUT_SUBJECT{32,64}(_EX)? tokens:
    A subject, with all its various user and group ids.

    Field Type Mono? Description
    .openbsm.subj_auid uint audit id
    .openbsm.subj_euid uint effective user id
    .openbsm.subj_egid uint effective group id
    .openbsm.subj_ruid uint real user id
    .openbsm.subj_rgid uint real group id
    .openbsm.subj_pid uint process id
    .openbsm.subj_sid uint session id
    .openbsm.subj_port uint port id
    .openbsm.subj_addr ipv6 machine id, as an IPv6 (or IPv4, encoded as IPv6) address
  • AUT_RETURN{32,64} tokens:
    Return codes.

    Field Type Mono? Description
    .openbsm.return_status uint return status
    .openbsm.return_value uint return value
  • AUT_SEQ token:
    Sequence number.

    Field Type Mono? Description
    .openbsm.seqno uint sequence number
  • AUT_SOCKINET{32,128} tokens:
    Internet socket (IPv4, resp. IPv6). The .openbsm.sock_family field is shared with the AUT_SOCKUNIX token.

    Field Type Mono? Description
    .openbsm.sock_family uint socket family
    .openbsm.sock_port uint socket local port
    .openbsm.sock_addr ipv6 socket address
  • AUT_SOCKUNIX token:
    Unix (local) socket. The .openbsm.sock_family field is shared with the AUT_SOCKINET{32,128} tokens.

    Field Type Mono? Description
    .openbsm.sock_family uint socket family
    .openbsm.sock_path str name of the socket, as a local file
  • AUT_SOCKET, AUT_SOCKET_EX tokens:
    Socket. The .openbsm.socket_domain field is only present for AUT_SOCKET_EX tokens.

    Field Type Mono? Description
    .openbsm.socket_domain uint domain (optional)
    .openbsm.socket_type uint type
    .openbsm.socket_lport uint local port
    .openbsm.socket_laddr ipv6 IPv6 (or IPv4 encoded as IPv6) local address
    .openbsm.socket_rport uint remote port
    .openbsm.socket_raddr ipv6 IPv6 (or IPv4 encoded as IPv6) remote address
  • AUT_TEXT token:
    Text message.

    Field Type Mono? Description
    .openbsm.text str text string
  • AUT_ZONENAME token:
    Zone name.

    Field Type Mono? Description
    .openbsm.zonename str zone name
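As an added example (not Orchids code), the following Python dissector parses a constructed AUT_HEADER32 record into the .openbsm.* field names used on this page, including the header fields and the AUT_DATA-to-string rendering ("0x7 0xb") described above. Token ids, byte layouts, AUP_HEX and the AUR_* unit sizes are taken from the OpenBSM token specification as I recall it, not from this page; .openbsm.kind holds the raw header token id rather than the numeric OPENBSM_HEADER32 constant from $OCONF/rules/openbsm.h.

```python
import struct
# Token ids, AUP_HEX and AUR_* unit sizes as in OpenBSM's audit_record.h (assumed from
# the OpenBSM spec, not from this page, which only names the OPENBSM_* aliases).
AUT_TRAILER, AUT_HEADER32, AUT_DATA, AUT_RETURN32, AUT_TEXT = 0x13, 0x14, 0x21, 0x27, 0x28
AUP_HEX, TRAILER_MAGIC = 3, 0xB105
UNIT_SIZE = {0: 1, 1: 2, 2: 4, 3: 8}   # AUR_BYTE, AUR_SHORT, AUR_INT32, AUR_INT64
HEADER32 = ">BIBHHII"                  # id, byte count, version, type, modifier, sec, msec

def dissect_openbsm(rec: bytes) -> dict:
    """Parse one AUT_HEADER32 record into a dict keyed by this page's .openbsm.* names."""
    tok, blen, ver, etype, emod, sec, msec = struct.unpack_from(HEADER32, rec, 0)
    if tok != AUT_HEADER32 or blen != len(rec):
        raise ValueError("not a complete AUT_HEADER32 record")
    ev = {".openbsm.kind": tok, ".openbsm.version": ver, ".openbsm.type": etype,
          ".openbsm.modifier": emod, ".openbsm.time": (sec, msec * 1000)}  # timeval (sec, usec)
    pos = struct.calcsize(HEADER32)
    while pos < len(rec):
        tok, pos = rec[pos], pos + 1
        if tok == AUT_DATA:                  # how-to-print, unit size, unit count, items
            how, unit, count = struct.unpack_from(">BBB", rec, pos)
            size, pos = UNIT_SIZE[unit], pos + 3
            items = [int.from_bytes(rec[pos + i * size:pos + (i + 1) * size], "big")
                     for i in range(count)]
            pos += count * size
            ev[".openbsm.data"] = " ".join((hex if how == AUP_HEX else str)(v) for v in items)
        elif tok == AUT_TEXT:                # 2-byte length (incl. NUL), then the text
            n = struct.unpack_from(">H", rec, pos)[0]
            ev[".openbsm.text"] = rec[pos + 2:pos + 2 + n].rstrip(b"\0").decode()
            pos += 2 + n
        elif tok == AUT_RETURN32:            # 1-byte error status, 4-byte return value
            ev[".openbsm.return_status"], ev[".openbsm.return_value"] = struct.unpack_from(">BI", rec, pos)
            pos += 5
        elif tok == AUT_TRAILER:             # magic and a byte count that must match the header
            magic, blen2 = struct.unpack_from(">HI", rec, pos)
            if magic != TRAILER_MAGIC or blen2 != blen:
                raise ValueError("bad trailer")
            pos += 6
        else:
            raise ValueError(f"unsupported token 0x{tok:02x} at offset {pos - 1}")
    return ev

def sample_record() -> bytes:
    """Constructed record: header, AUT_DATA (bytes 7 and 11 in hex), AUT_TEXT, AUT_RETURN32, trailer."""
    body = (struct.pack(">BBBB", AUT_DATA, AUP_HEX, 0, 2) + bytes([7, 11])
            + struct.pack(">BH", AUT_TEXT, 6) + b"hello\0"
            + struct.pack(">BBI", AUT_RETURN32, 0, 0))
    total = struct.calcsize(HEADER32) + len(body) + 7    # 7 = trailer size
    head = struct.pack(HEADER32, AUT_HEADER32, total, 11, 43000, 0, 1700000000, 250)
    return head + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, total)
```

A record whose header byte count disagrees with its trailer, or that carries a token the dissector does not know, is rejected rather than partially reported.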