Linux – Undocumented format of Linux Audit log records


I am writing a parser for Linux Audit and I stumbled upon some weird cases which don't seem to comply with the standard.

My reference is Red Hat's documentation.

A proper audit record should look like this:

type=USER_CMD msg=audit(1464013671.517:403): pid=3569 uid=0 auid=1000 ses=7 msg='cwd="/root" cmd=123 terminal=pts/1 res=success'

An invalid name=value field in a record

Let's look at the following record:

type=DAEMON_START msg=audit(1464013652.147:626): auditd start, ver=2.4 format=raw kernel=3.16.0-4-586 auid=4294967295 pid=3557 res=success

The documentation says nothing about auditd start, which doesn't fit the name=value format.

What is this? Where can I read about it?

A comma and a space as a separator

Additionally, the documentation says that

Each record consists of several name=value pairs separated by a white space or a comma.

It is clearly not true since we can see that auditd start, ver=2.4 are separated with a comma and a space.

Why is it so? Where is the standard really described?

Additional whitespaces in a record

Let's look at the following record:

type=CWD msg=audit(1464013682.961:409):  cwd="/root"

It has two spaces between type=CWD msg=audit(1464013682.961:409): and cwd="/root". It doesn't make any sense. In fact, I observed this behaviour only in records with type=CWD and cwd="/root".

Why is it so?


Note: I've generated those logs on a recent Debian.

Best Answer

So I solved a tiny part of the problem - I found out that auditd start, ver=2.2 is valid. I failed to find any documentation though. The only document I have is an example from Red Hat's manual:

Example 7.5. Additional audit.log events

The following Audit event records a successful start of the auditd daemon. The ver field shows the version of the Audit daemon that was started.

type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success

The following Audit event records a failed attempt of user with UID of 500 to log in as the root user.

type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'

The sad thing is that these are only examples. I'd love to read the actual documentation of the standard since I cannot find it anywhere.


Update

I asked those questions on the official mailing list (see the full reply to my question).

Here's what I've learnt:

An invalid name=value field in a record

It isn't clear to me why auditd start exists, but here's Steve Grubb's answer to my question.

Where are all the elements like auditd start, user, etc. listed? I cannot find any document which specifies what can occur between the colon (separating the type and the msg=audit(…) from the fields) and the record's fields.

There really is none, Libauparse takes care of all of this so that you don't have to. If you are wanting to do translation, you can feed the logs into auparse and then just format the event the way you want.

Basically, the answer is hidden somewhere in the auparse library.

A comma and a space as a separator

Why are some records separated by a comma and a whitespace? Example:

type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success

A long time ago the records were meant to be both human readable (don't laugh) and machine consumable. Over time these have been converted to name=value pairs. Even the one you mention above has been fixed.

Additional whitespaces in a record

This one has already been patched by Steve Grubb.

The patch: https://www.redhat.com/archives/linux-audit/2016-July/msg00086.html
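As an added example (not code from the question, the answer, or libauparse), here is a small hand-written Python parser that copes with the three oddities discussed above: the free-text preamble before the first name=value pair ("auditd start," or "user"), the comma-plus-space separator, and the doubled space after the header, while also splitting the nested msg='...' payload of user-space records. The regular expressions and the output dict layout are my own assumptions about the format; the sample records are the ones quoted on this page.

```python
import re

# Records quoted in the question and answer above, embedded as test input.
SAMPLE_RECORDS = [
    "type=USER_CMD msg=audit(1464013671.517:403): pid=3569 uid=0 auid=1000 ses=7 "
    "msg='cwd=\"/root\" cmd=123 terminal=pts/1 res=success'",
    "type=DAEMON_START msg=audit(1464013652.147:626): auditd start, ver=2.4 "
    "format=raw kernel=3.16.0-4-586 auid=4294967295 pid=3557 res=success",
    'type=CWD msg=audit(1464013682.961:409):  cwd="/root"',
]

# The fixed header shared by every record; "\s*" absorbs the extra blank
# seen in the CWD record ("...409):  cwd=").
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# One name=value pair: single-quoted, double-quoted or bare value.
PAIR_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_pairs(text):
    """Return the name=value pairs in text; strips quotes and trailing commas."""
    fields = {}
    for key, raw in PAIR_RE.findall(text):
        value = raw.rstrip(",")  # tolerate "a=1, b=2" style separators
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_record(line):
    """Parse one audit record; free text before the first pair (such as
    "auditd start," or "user") is kept as 'preamble' instead of breaking the parse."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    body = m.group("body")
    first = re.search(r"\b\w+=", body)  # where the name=value list begins
    preamble = body[: first.start()] if first else body
    fields = parse_pairs(body[first.start():]) if first else {}
    # The msg='...' payload of user-space records is itself a pair list.
    if "msg" in fields:
        fields["msg"] = parse_pairs(fields["msg"])
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "preamble": preamble.strip(" ,"),
        "fields": fields,
    }
```

Running parse_record over SAMPLE_RECORDS yields "auditd start" as the preamble of the DAEMON_START record and an empty preamble for the other two, which is the distinction a parser needs to make before handing the rest to a strict name=value splitter.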
