audito-maldito is a daemon that monitors OpenSSH server logins and produces structured audit events describing what authenticated users did while logged in.
metal-toolbox/audito-maldito
audito-maldito

audito-maldito is a daemon that monitors OpenSSH server logins and produces structured audit events describing what authenticated users did while logged in (e.g., what programs they executed).

audito-maldito monitors OpenSSH logins and then attempts to correlate authenticated user sessions with Linux kernel audit sessions. Once an audit session has been identified, new audito-maldito events are generated each time the Linux audit session receives a new event. This allows the application to tie an OpenSSH user's identity to their Linux audit session. For example, if a user authenticates using an SSH certificate, certificate details like the fingerprint and key ID will appear in each resulting audito-maldito audit event. These resulting events are written to a customizable file path.

Sysadmins define audit policy using auditd's audit.rules. audito-maldito simply honors whatever Linux audit events appear in the Linux auditd event stream.

For more information about configuring audito-maldito, please refer to the Configuration section.

System requirements

Audit event types

The following subsections detail the different types of audit events generated by audito-maldito. For more information about the structure of these events, please refer to the auditevent library.

UserLogin

Occurs when a user logs in via sshd.

Example:

{
  "component": "sshd",
  "data": {
    "Alg": "ECDSA-CERT SHA256",
    "CA": "CA ED25519 SHA256:JKH45TJj6tNHO/E/VtWZGunEY7C8VLFjVFv6bDq/5VY=",
    "SSHKeySum": "JKH45TJj6tNHO/E/VtWZGunEY7C8VLFjVFv6bDq/5VY",
    "Serial": "350"
  },
  "loggedAt": "2023-03-17T13:37:01.952459Z",
  "metadata": {
    "auditId": "ffffffff-ffff-ffff-ffff-ffffffffffff"
  },
  "outcome": "succeeded",
  "source": {
    "extra": {
      "port": "59145"
    },
    "type": "IP",
    "value": "6.6.6.2"
  },
  "subjects": {
    "loggedAs": "core",
    "pid": "3076344",
    "userID": "user@foo.com"
  },
  "target": {
    "host": "blam",
    "machine-id": "deadbeef"
  },
  "type": "UserLogin"
}

UserAction

Occurs when an authenticated sshd user does something (example: the user executes rizin).

Example:

{
  "component": "auditd",
  "loggedAt": "2023-03-17T13:37:38.126Z",
  "metadata": {
    "auditId": "67",
    "extra": {
      "action": "executed",
      "how": "bash",
      "object": {
        "primary": "/usr/local/bin/rizin",
        "type": "file"
      }
    }
  },
  "outcome": "failed",
  "source": {
    "extra": {
      "port": "56734"
    },
    "type": "IP",
    "value": "6.6.6.2"
  },
  "subjects": {
    "loggedAs": "core",
    "pid": "2868326",
    "userID": "user@foo.com"
  },
  "target": {
    "host": "the-best-computer",
    "machine-id": "deadbeef"
  },
  "type": "UserAction"
}
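A consumer for the two event types above, added here as an example and not part of the audito-maldito project: it assumes the output file holds one JSON event per line, keeps only the fields needed to tie an executed program back to the SSH identity in subjects.userID, and counts malformed lines instead of aborting. The sample events are constructed from the two examples above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the subset of audito-maldito fields needed to tie an executed
// program back to the SSH identity carried in subjects.userID.
type Event struct {
	Type     string `json:"type"`
	Outcome  string `json:"outcome"`
	Subjects struct{ UserID string `json:"userID"` } `json:"subjects"`
	Metadata struct {
		Extra struct {
			Action string `json:"action"`
			Object struct{ Primary string `json:"primary"` } `json:"object"`
		} `json:"extra"`
	} `json:"metadata"`
}

// ExecutedByUser reads one JSON event per line (assumed layout of the output
// file) and returns, per userID, "<path> (<outcome>)" for each UserAction with
// action "executed", plus the count of lines that were not valid events.
// UserLogin events carry no action and are passed over.
func ExecutedByUser(stream string) (map[string][]string, int) {
	executed, malformed := map[string][]string{}, 0
	for _, line := range strings.Split(strings.TrimSpace(stream), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil || ev.Type == "" {
			malformed++ // not JSON, or JSON without an event type
			continue
		}
		if ev.Type != "UserAction" || ev.Metadata.Extra.Action != "executed" {
			continue
		}
		entry := fmt.Sprintf("%s (%s)", ev.Metadata.Extra.Object.Primary, ev.Outcome)
		executed[ev.Subjects.UserID] = append(executed[ev.Subjects.UserID], entry)
	}
	return executed, malformed
}

// sampleStream is constructed input condensed from the two examples above,
// plus one deliberately broken line.
const sampleStream = `{"type":"UserLogin","outcome":"succeeded","subjects":{"userID":"user@foo.com"}}
{"type":"UserAction","outcome":"failed","subjects":{"userID":"user@foo.com"},"metadata":{"extra":{"action":"executed","object":{"primary":"/usr/local/bin/rizin","type":"file"}}}}
{"type":"UserAction","outcome":"succeeded","subjects":{"userID":"user@foo.com"},"metadata":{"extra":{"action":"executed","object":{"primary":"/usr/bin/id","type":"file"}}}}
not json at all`
```

Running `ExecutedByUser(sampleStream)` yields one entry for user@foo.com listing the rizin execution (failed) and the id execution (succeeded), and reports one malformed line.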

Installation and deployment

audito-maldito can be run as a standalone application (such as a systemd unit) or as a Kubernetes DaemonSet. At Equinix Metal, we deploy the application in Kubernetes using a Helm chart. The chart relies on rsyslog, which is responsible for passing OpenSSH daemon logs and Linux audit logs to audito-maldito using named pipes. audito-maldito reads from these named pipes and then writes its audit events to a named pipe or file.

The following subsections discuss several installation and deployment methods.

Standalone (from source or as a container)

If you would like to run audito-maldito as a standalone application (i.e., outside of Kubernetes), you can build it from source or use a pre-built container image.

While not required, we recommend using rsyslog to pass OpenSSH logs and Linux audit logs into audito-maldito. An example rsyslog container image and rsyslog configuration can be found under:

To build audito-maldito from source, execute the following command at the root of the repository:

go build

Pre-built container images for both audito-maldito and rsyslog can be found in GitHub's container registry:

Kubernetes

A Helm chart can be found in the equinixmetal-helm GitHub organization:

Configuration

The following subsections discuss audito-maldito's configuration.

Required data sources

audito-maldito reads input data from named pipes (FIFOs). It expects these data sources to be specified using the following arguments:

  • -auditd-pipe-path - The file path to a named pipe that produces Linux auditd events (i.e., events from "/var/log/audit/audit.log")
  • -sshd-pipe-path - The file path to a named pipe that produces OpenSSH sshd logs

Required files

The following files are required by audito-maldito to run:

  • /etc/os-release - Many Linux distributions provide this file. It specifies details such as the distribution name and version
  • /etc/machine-id - This file is managed by systemd. It contains an identifier for the computer

Output data

Audit events produced by audito-maldito are written to the file path specified by the -app-events-output argument. This file path can be a regular file or a named pipe.

Development

If you are a developer or looking to contribute, the following automation may come in handy.

Building a container image

To build the binary in a container, run:

make image

Note that you'll need to have Docker installed.
