audito-maldito is a daemon that monitors OpenSSH server logins and produces structured audit events describing what authenticated users did while logged in (e.g., what programs they executed).
audito-maldito monitors OpenSSH logins and then attempts to correlate authenticated user sessions with Linux kernel audit sessions. Once an audit session has been identified, new audito-maldito events are generated each time the Linux audit session receives a new event. This allows the application to tie an OpenSSH user's identity to their Linux audit session. For example, if a user authenticates using an SSH certificate, certificate details like the fingerprint and key ID will appear in each resulting audito-maldito audit event. These resulting events are written to a customizable file path.
Sysadmins define audit policy using auditd's audit.rules. audito-maldito simply honors whatever Linux audit events appear in the Linux auditd event stream.
For more information about configuring audito-maldito, please refer to the Configuration section.
- Linux
- auditd
- OpenSSH server (sshd)
The following subsections detail the different types of audit events generated by audito-maldito. For more information about the structure of these events, please refer to the auditevent library.
Occurs when a user logs in via sshd.
Example:
{
"component": "sshd",
"data": {
"Alg": "ECDSA-CERT SHA256",
"CA": "CA ED25519 SHA256:JKH45TJj6tNHO/E/VtWZGunEY7C8VLFjVFv6bDq/5VY=",
"SSHKeySum": "JKH45TJj6tNHO/E/VtWZGunEY7C8VLFjVFv6bDq/5VY",
"Serial": "350"
},
"loggedAt": "2023-03-17T13:37:01.952459Z",
"metadata": {
"auditId": "ffffffff-ffff-ffff-ffff-ffffffffffff"
},
"outcome": "succeeded",
"source": {
"extra": {
"port": "59145"
},
"type": "IP",
"value": "6.6.6.2"
},
"subjects": {
"loggedAs": "core",
"pid": "3076344",
"userID": "user@foo.com"
},
"target": {
"host": "blam",
"machine-id": "deadbeef"
},
"type": "UserLogin"
}
Occurs when an authenticated sshd user does something (example: the user
executes rizin
).
Example:
{
"component": "auditd",
"loggedAt": "2023-03-17T13:37:38.126Z",
"metadata": {
"auditId": "67",
"extra": {
"action": "executed",
"how": "bash",
"object": {
"primary": "/usr/local/bin/rizin",
"type": "file"
}
}
},
"outcome": "failed",
"source": {
"extra": {
"port": "56734"
},
"type": "IP",
"value": "6.6.6.2"
},
"subjects": {
"loggedAs": "core",
"pid": "2868326",
"userID": "user@foo.com"
},
"target": {
"host": "the-best-computer",
"machine-id": "deadbeef"
},
"type": "UserAction"
}
audito-maldito can be run as a standalone application (such as a systemd unit) or as a Kubernetes Daemonset. At Equinix Metal, we deploy the application in Kubernetes using a Helm chart. The chart relies on rsyslog, which is responsible for passing OpenSSH daemon logs and Linux audit logs to audito-maldito using named pipes. audito-maldito reads from these named pipes and then writes its audit events to a named pipe or file.
The following subsections discuss several installation and deployment methods.
If you would like to run audito-maldito as a standalone application (i.e., outside of Kubernetes), you can build it from source or use a pre-built container image.
While not required, we recommend using rsyslog
to pass OpenSSH logs and
Linux audit logs into audito-maldito. An example rsyslog container image
and rsyslog configuration can be found under:
To build audito-maldito from source, execute the following command at the root of the repository:
go build
Pre-built container images for both audito-maldito and rsyslog can be found in GitHub's container registry:
A Helm chart can be found in the equinixmetal-helm GitHub organization:
The following subsections discuss audito-maldito's configuration.
audito-maldito reads input data from named pipes (FIFOs). It expects these data sources to be specified using the following arguments:
-auditd-pipe-path
- The file path to a named pipe that produces Linux auditd events (i.e., events from "/var/log/audit/audit.log")-sshd-pipe-path
- The file path to a named pipe that produces OpenSSH sshd logs
The following files are required by audito-maldito to run:
/etc/os-release
- Many Linux distributions provide this file. It specifies details such as the distribution name and version/etc/machine-id
- This file is managed by systemd. It contains an identifier for the computer
Audit events produced by audito-maldito are written to the file path
specified by the -app-events-output
argument. This file path can be
a regular file or a named pipe.
If you are a developer or looking to contribute, the following automation may come in handy.
To build the binary in a container, run:
make image
Note that you'll need to have Docker installed.