The auditd module | The Orchids IDS

The auditd module is a dissection module: its purpose is to take an Orchids event, parse its last field (which should be a string) and return a refined Orchids events, with additional fields. Typically, the auditd module is meant to dissect text coming from the textfile or bintotext modules, parsing it as an auditd record.

Configuration options

None.

Admissible event sources (on Linux systems) are:

a text file such as /var/log/audit/audit.log, read through the textfile module (offline detection);
a TCP Unix socket such as /var/run/audispd_events, read through the textfile module (detection from an online, local feed); the name of the socket is specified in the audispd configuration file /etc/audisp/plugins.d/af_unix.conf;
a UDP Internet socket, read through the the udp and bintotext modules (for remote feeds, using /sbin/audisp-remote).

Fields

The auditd module only parses some of the fields of an auditd record. This is mostly geared towards reporting system calls only, but it also reports some other kinds of events, see below.

Field	Type	Mono?	Description
`.auditd.node`	`str`		reporting host name; used with audisp-remote
`.auditd.type`	`str`	✓	type of event (`SYSCALL`, `PATH`, or other)
`.auditd.time`	`timeval`	✓	reporting time
`.auditd.serial`	`uint`	✓	event serial number
If `.auditd.type=="SYSCALL"`:
`.auditd.arch`	`uint`		Elf architecture flags
`.auditd.syscall`	`uint`		syscall number
`.auditd.per`	`uint`		personality (optional)
`.auditd.success`	`str`		syscall success
`.auditd.exit`	`uint`		exit value
`.auditd.a0`	`uint`		syscall argument 0
`.auditd.a1`	`uint`		syscall argument 1
…	…		…
`.auditd.a127`	`uint`		syscall argument 127
`.auditd.items`	`uint`		number of path records in the event
`.auditd.ppid`	`uint`		parent pid
`.auditd.pid`	`uint`		process id
`.auditd.auid`	`uint`		process auid
`.auditd.uid`	`uint`		user id
`.auditd.gid`	`uint`		group id
`.auditd.euid`	`uint`		effective user id
`.auditd.suid`	`uint`		set user id
`.auditd.fsuid`	`uint`		file system user id
`.auditd.egid`	`uint`		effective group id
`.auditd.sgid`	`uint`		set group id
`.auditd.fsgid`	`uint`		file system group id
`.auditd.tty`	`str`		tty interface
`.auditd.ses`	`uint`		user’s SE Linux user account
`.auditd.comm`	`str`		command line program name
`.auditd.exe`	`str`		executable name
`.auditd.subj`	`str`		lspp subject’s context string
`.auditd.key`	`str`		tty interface
If `.auditd.type=="PATH"`:
`.auditd.item`	`uint`		item
`.auditd.name`	`uint`		the file name
`.auditd.inode`	`uint`		inode number
`.auditd.mode`	`uint`		mode
`.auditd.dev`	`uint`		device (64*major+minor)
`.auditd.ouid`	`uint`		originator uid (beware, also object uid, see below)
`.auditd.ogid`	`uint`		originator gid
`.auditd.rdev`	`uint`		real device (64*major+minor)
`.auditd.nametype`	`str`		nametype, may be “`PARENT`” or “`NORMAL`“
If `.auditd.type=="CWD"`:
`.auditd.cwd`	`str`		the current working directory
If `.auditd.type=="PROCTITLE"`:
`.auditd.proctitle`	`str`		process title or identifier
If `.auditd.type=="EXECVE"`:
`.auditd.argc`	`uint`		number of arguments to execve, e.g., 3 for “tail” “-f” “audit.log”
`.auditd.s0`	`str`		execve argument 0
`.auditd.s1`	`str`		execve argument 1
…	…		…
`.auditd.s127`	`str`		execve argument 127
If `.auditd.type=="ANOM_ABEND"`:
`.auditd.auid`	`uint`		process auid
`.auditd.uid`	`uint`		user id
`.auditd.gid`	`uint`		group id
`.auditd.ses`	`uint`		user’s SE Linux user account
`.auditd.pid`	`uint`		process id
`.auditd.comm`	`str`		command line program name
`.auditd.exe`	`str`		executable name
`.auditd.sig`	`uint`		signal number
If `.auditd.type=="OBJ_PID"`:
`.auditd.opid`	`uint`		object pid
`.auditd.oauid`	`uint`		object audit user id
`.auditd.ouid`	`uint`		object user id (beware: also originator uid, see above)
`.auditd.oses`	`uint`		object session number
`.auditd.obj`	`str`		object reference
`.auditd.ocomm`	`str`		object command