Preserve auditd.log.record_type (elastic#10829)

nicholasberlin · web-flow · commit 47736eb01318 · 2024-08-22T14:14:06.000-04:00
* Preserve auditd.log.record_type

Rather than renaming `auditd.log.record_type` to `event.action`
and silently failing if `event.action` was pre-existing, set
`event.action` with a copy of `auditd.log.record_type` if `event.type`
is emtpy. This will preserve `auditd.log.record_type` if `event.type`
is empty.
diff --git a/packages/auditd/changelog.yml b/packages/auditd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.20.1"
+  changes:
+    - description: "Preserve auditd.log.record_type and fallback to auditd.log.SYSCALL"
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10829
 - version: "3.20.0"
   changes:
     - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log
@@ -1,3 +1,4 @@
 type=SOCKADDR msg=audit(1666825569.818:23260118): saddr=02000000000000000000000000000000SADDR={ saddr_fam=inet laddr=0.0.0.0 lport=0 }
 type=SOCKADDR msg=audit(1666825569.435:23260106): saddr=0A00DE9900000000000000000000000000002a02cf40000000000000SADDR={ saddr_fam=inet6 laddr=2a02:cf40:: lport=56985 }
 type=SOCKADDR msg=audit(1666825568.865:23260105): saddr=0100SADDR={ saddr_fam=local sockaddr len too short }
+node=praorem001 type=SYSCALL msg=audit(1723109482.048:4981103): arch=c000003e syscall=87 success=yes exit=0 a0=7f1118081d10 a1=7f1118081d10 a2=242 a3=180 items=2 ppid=560201 pid=560348 auid=1561577791 uid=2012 gid=2007 euid=2012 suid=2012 fsuid=2012 egid=2007 sgid=2007 fsgid=2007 tty=(none) ses=126 comm="httpd" exe="/app/ogc101/app/dllogc/product/13.5.0/mw_100/ohs/bin/httpd" key="delete"ARCH=x86_64 SYSCALL=unlink AUID="na-uoradbdba03" UID="dllogc" GID="oinstall" EUID="dllogc" SUID="dllogc" FSUID="dllogc" EGID="oinstall" SGID="oinstall" FSGID="oinstall"
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-enriched.log-expected.json
@@ -7,6 +7,7 @@
                     "laddr": "0.0.0.0",
                     "lport": 0,
                     "original_field": "saddr",
+                    "record_type": "SOCKADDR",
                     "saddr": "02000000000000000000000000000000",
                     "saddr_fam": "inet",
                     "sequence": 23260118
@@ -31,6 +32,7 @@
                     "laddr": "2a02:cf40::",
                     "lport": 56985,
                     "original_field": "saddr",
+                    "record_type": "SOCKADDR",
                     "saddr": "0A00DE9900000000000000000000000000002a02cf40000000000000",
                     "saddr_fam": "inet6",
                     "sequence": 23260106
@@ -53,6 +55,7 @@
             "auditd": {
                 "log": {
                     "original_field": "saddr",
+                    "record_type": "SOCKADDR",
                     "saddr": "0100",
                     "saddr_fam": "local sockaddr len too short",
                     "sequence": 23260105
@@ -69,6 +72,92 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2024-08-08T09:31:22.048Z",
+            "auditd": {
+                "log": {
+                    "AUID": "na-uoradbdba03",
+                    "EGID": "oinstall",
+                    "EUID": "dllogc",
+                    "FSGID": "oinstall",
+                    "FSUID": "dllogc",
+                    "GID": "oinstall",
+                    "SGID": "oinstall",
+                    "SUID": "dllogc",
+                    "SYSCALL": "unlink",
+                    "UID": "dllogc",
+                    "a0": "7f1118081d10",
+                    "a1": "7f1118081d10",
+                    "a2": "242",
+                    "a3": "180",
+                    "items": "2",
+                    "key": "delete\"\u001dARCH=x86_64",
+                    "node": "praorem001",
+                    "record_type": "SYSCALL",
+                    "sequence": 4981103,
+                    "ses": "126",
+                    "success": true,
+                    "syscall": "87",
+                    "tty": "(none)"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "syscall",
+                "category": [
+                    "process"
+                ],
+                "kind": "event",
+                "original": "node=praorem001 type=SYSCALL msg=audit(1723109482.048:4981103): arch=c000003e syscall=87 success=yes exit=0 a0=7f1118081d10 a1=7f1118081d10 a2=242 a3=180 items=2 ppid=560201 pid=560348 auid=1561577791 uid=2012 gid=2007 euid=2012 suid=2012 fsuid=2012 egid=2007 sgid=2007 fsgid=2007 tty=(none) ses=126 comm=\"httpd\" exe=\"/app/ogc101/app/dllogc/product/13.5.0/mw_100/ohs/bin/httpd\" key=\"delete\"\u001dARCH=x86_64 SYSCALL=unlink AUID=\"na-uoradbdba03\" UID=\"dllogc\" GID=\"oinstall\" EUID=\"dllogc\" SUID=\"dllogc\" FSUID=\"dllogc\" EGID=\"oinstall\" SGID=\"oinstall\" FSGID=\"oinstall\"",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "architecture": "x86_64"
+            },
+            "process": {
+                "executable": "/app/ogc101/app/dllogc/product/13.5.0/mw_100/ohs/bin/httpd",
+                "exit_code": 0,
+                "name": "httpd",
+                "parent": {
+                    "pid": 560201
+                },
+                "pid": 560348
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "audit": {
+                    "id": "1561577791"
+                },
+                "effective": {
+                    "group": {
+                        "id": "2007"
+                    },
+                    "id": "2012"
+                },
+                "filesystem": {
+                    "group": {
+                        "id": "2007"
+                    },
+                    "id": "2012"
+                },
+                "group": {
+                    "id": "2007"
+                },
+                "id": "2012",
+                "saved": {
+                    "group": {
+                        "id": "2007"
+                    },
+                    "id": "2012"
+                }
+            }
         }
     ]
 }
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json
@@ -6,6 +6,7 @@
                 "log": {
                     "dst_prefixlen": 16,
                     "op": "SPD-delete",
+                    "record_type": "MAC_IPSEC_EVENT",
                     "sequence": 18877201,
                     "ses": "4294967295",
                     "src_prefixlen": 24
@@ -42,6 +43,7 @@
                 "log": {
                     "a0": "9",
                     "items": "0",
+                    "record_type": "SYSCALL",
                     "sequence": 18877199,
                     "ses": "4294967295",
                     "success": true,
@@ -271,6 +273,7 @@
             "auditd": {
                 "log": {
                     "proctitle": "bash",
+                    "record_type": "PROCTITLE",
                     "sequence": 194438
                 }
             },
@@ -291,6 +294,7 @@
             "auditd": {
                 "log": {
                     "proctitle": "sshd: burn [priv]",
+                    "record_type": "PROCTITLE",
                     "sequence": 194440
                 }
             },
@@ -433,6 +437,7 @@
             "@timestamp": "2020-02-10T21:59:44.206Z",
             "auditd": {
                 "log": {
+                    "record_type": "EXECVE",
                     "sequence": 579393
                 }
             },
@@ -1782,6 +1787,7 @@
             "@timestamp": "2016-12-07T02:20:31.371Z",
             "auditd": {
                 "log": {
+                    "record_type": "CWD",
                     "sequence": 479
                 }
             },
@@ -1812,6 +1818,7 @@
                     "obj": "system_u:object_r:auditctl_exec_t:s0",
                     "objtype": "NORMAL",
                     "rdev": "00:00",
+                    "record_type": "PATH",
                     "sequence": 479
                 }
             },
@@ -1837,7 +1844,9 @@
         },
         {
             "auditd": {
-                "log": {}
+                "log": {
+                    "record_type": "UNKNOWN[1329]"
+                }
             },
             "ecs": {
                 "version": "8.11.0"
@@ -1866,6 +1875,7 @@
                     "old_pe": "0000000000000000",
                     "old_pi": "0000000000000000",
                     "old_pp": "0000000000000000",
+                    "record_type": "BPRM_FCAPS",
                     "sequence": 529
                 }
             },
@@ -1885,6 +1895,7 @@
             "@timestamp": "2016-12-07T02:40:24.953Z",
             "auditd": {
                 "log": {
+                    "record_type": "SOCKADDR",
                     "saddr": "02000050A9FEA9FE0000000000000000",
                     "sequence": 688
                 }
@@ -1905,6 +1916,7 @@
             "@timestamp": "2016-12-07T02:42:33.346Z",
             "auditd": {
                 "log": {
+                    "record_type": "CKADDR",
                     "saddr": "02000050A9FEA9FE0000000000000000",
                     "sequence": 737
                 }
@@ -2054,6 +2066,7 @@
                     },
                     "capability": "3",
                     "permissive": "1",
+                    "record_type": "AVC",
                     "scontext": "system_u:system_r:syslogd_t:s0",
                     "sequence": 105992,
                     "tclass": "capability",
@@ -2088,6 +2101,7 @@
                     "dev": "dm-0",
                     "ino": "188999",
                     "name": "c73a516004b572d8c845c74c49b2511d:runtime.tmp",
+                    "record_type": "AVC",
                     "scontext": "test_u:staff_r:oddjob_mkhomedir_t:s0",
                     "sequence": 101,
                     "tclass": "lnk_file",
@@ -2168,6 +2182,7 @@
                     "dev": "dm-0",
                     "ino": "402139",
                     "path": "/usr/move_file/move_file_c",
+                    "record_type": "AVC",
                     "scontext": "unconfined_u:unconfined_r:unconfined_t",
                     "sequence": 311,
                     "tclass": "process",
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-truncated-execve.log-expected.json
@@ -4,6 +4,7 @@
             "@timestamp": "2022-01-24T12:01:08.518Z",
             "auditd": {
                 "log": {
+                    "record_type": "EXECVE",
                     "sequence": 5009988
                 }
             },
@@ -32,6 +33,7 @@
             "@timestamp": "2022-01-24T12:01:08.518Z",
             "auditd": {
                 "log": {
+                    "record_type": "EXECVE",
                     "sequence": 5009988
                 }
             },
@@ -127,6 +129,7 @@
             "@timestamp": "2022-01-24T12:01:08.518Z",
             "auditd": {
                 "log": {
+                    "record_type": "EXECVE",
                     "sequence": 5009988
                 }
             },
@@ -222,6 +225,7 @@
             "@timestamp": "2022-02-08T12:31:02.830Z",
             "auditd": {
                 "log": {
+                    "record_type": "EXECVE",
                     "sequence": 9381969
                 }
             },
diff --git a/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/auditd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -2265,10 +2265,10 @@ processors:
         - append:
             field: error.message
             value: "failed extracting process arguments: {{{ _ingest.on_failure_message }}}"
-  - rename:
-      ignore_failure: true
-      field: auditd.log.record_type
-      target_field: event.action
+  - set:
+      field: event.action
+      copy_from: auditd.log.record_type
+      override: false
   - lowercase:
       ignore_failure: true
       field: event.action
diff --git a/packages/auditd/data_stream/log/fields/fields.yml b/packages/auditd/data_stream/log/fields/fields.yml
@@ -36,6 +36,18 @@
       type: keyword
       description: |
         The first argument to the system call.
+    - name: a1
+      type: keyword
+      description: |
+        The second argument to the system call.
+    - name: a2
+      type: keyword
+      description: |
+        The third argument to the system call.
+    - name: a3
+      type: keyword
+      description: |
+        The fourth argument to the system call.
     - name: addr
       type: ip
     - name: avc.action
@@ -90,6 +102,9 @@
       type: keyword
     - name: kernel
       type: keyword
+    - name: key
+      type: keyword
+      description: Records the user defined string associated with a rule that generated a particular event in the Audit log.
     - name: key_enforce
       type: boolean
     - name: img-ctx
@@ -213,3 +228,28 @@
       type: keyword
     - name: xdevice
       type: keyword
+
+# log_format = ENRICHED fields
+    - name: ARCH
+      type: keyword
+    - name: AUID
+      type: keyword
+    - name: EGID
+      type: keyword
+    - name: EUID
+      type: keyword
+    - name: FSGID
+      type: keyword
+    - name: FSUID
+      type: keyword
+    - name: GID
+      type: keyword
+    - name: SGID
+      type: keyword
+    - name: SUID
+      type: keyword
+    - name: SYSCALL
+      type: keyword
+    - name: UID
+      type: keyword
+    
diff --git a/packages/auditd/docs/README.md b/packages/auditd/docs/README.md
@@ -91,7 +91,21 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
+| auditd.log.ARCH |  | keyword |
+| auditd.log.AUID |  | keyword |
+| auditd.log.EGID |  | keyword |
+| auditd.log.EUID |  | keyword |
+| auditd.log.FSGID |  | keyword |
+| auditd.log.FSUID |  | keyword |
+| auditd.log.GID |  | keyword |
+| auditd.log.SGID |  | keyword |
+| auditd.log.SUID |  | keyword |
+| auditd.log.SYSCALL |  | keyword |
+| auditd.log.UID |  | keyword |
 | auditd.log.a0 | The first argument to the system call. | keyword |
+| auditd.log.a1 | The second argument to the system call. | keyword |
+| auditd.log.a2 | The third argument to the system call. | keyword |
+| auditd.log.a3 | The fourth argument to the system call. | keyword |
 | auditd.log.addr |  | ip |
 | auditd.log.audit_failure |  | keyword |
 | auditd.log.avc.action |  | keyword |
@@ -120,6 +134,7 @@ An example event for `log` looks as following:
 | auditd.log.item | The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. | keyword |
 | auditd.log.items | The number of items in an event. | keyword |
 | auditd.log.kernel |  | keyword |
+| auditd.log.key | Records the user defined string associated with a rule that generated a particular event in the Audit log. | keyword |
 | auditd.log.key_enforce |  | boolean |
 | auditd.log.kind |  | keyword |
 | auditd.log.ksize |  | long |
diff --git a/packages/auditd/manifest.yml b/packages/auditd/manifest.yml
@@ -1,6 +1,6 @@
 name: auditd
 title: Auditd Logs
-version: "3.20.0"
+version: "3.20.1"
 description: Collect logs from Linux audit daemon with Elastic Agent.
 type: integration
 icons:

-Original file line number
+Diff line change
@@ @@ -1,3 +1,4 @@ @@
 type=SOCKADDR msg=audit(1666825569.818:23260118): saddr=02000000000000000000000000000000SADDR={ saddr_fam=inet laddr=0.0.0.0 lport=0 }
 type=SOCKADDR msg=audit(1666825569.435:23260106): saddr=0A00DE9900000000000000000000000000002a02cf40000000000000SADDR={ saddr_fam=inet6 laddr=2a02:cf40:: lport=56985 }
 type=SOCKADDR msg=audit(1666825568.865:23260105): saddr=0100SADDR={ saddr_fam=local sockaddr len too short }
 +node=praorem001 type=SYSCALL msg=audit(1723109482.048:4981103): arch=c000003e syscall=87 success=yes exit=0 a0=7f1118081d10 a1=7f1118081d10 a2=242 a3=180 items=2 ppid=560201 pid=560348 auid=1561577791 uid=2012 gid=2007 euid=2012 suid=2012 fsuid=2012 egid=2007 sgid=2007 fsgid=2007 tty=(none) ses=126 comm="httpd" exe="/app/ogc101/app/dllogc/product/13.5.0/mw_100/ohs/bin/httpd" key="delete"ARCH=x86_64 SYSCALL=unlink AUID="na-uoradbdba03" UID="dllogc" GID="oinstall" EUID="dllogc" SUID="dllogc" FSUID="dllogc" EGID="oinstall" SGID="oinstall" FSGID="oinstall"