Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix auditd decoders #246

Merged
merged 1 commit into from
Jun 14, 2019
Merged

Fix auditd decoders #246

merged 1 commit into from
Jun 14, 2019

Conversation

tokibi
Copy link
Contributor

@tokibi tokibi commented Dec 18, 2018

Hi team,

This PR fixed an issue where auditd-generic decoders makes auditd.uid the same value as auid.

**Phase 1: Completed pre-decoding.
       full event: 'type=ANOM_ABEND msg=audit(1545007249.541:227013641): auid=4294967295 uid=1000 gid=33 ses=4294967295 pid=95382 comm="apache2" exe="/usr/sbin/apache2" sig=11'
       timestamp: '(null)'
       hostname: '31f8f1e5e096'
       program_name: '(null)'
       log: 'type=ANOM_ABEND msg=audit(1545007249.541:227013641): auid=4294967295 uid=1000 gid=33 ses=4294967295 pid=95382 comm="apache2" exe="/usr/sbin/apache2" sig=11'

**Phase 2: Completed decoding.
       decoder: 'auditd'
       audit.type: 'ANOM_ABEND'
       audit.id: '227013641'
       audit.pid: '95382'
       audit.auid: '4294967295'
       audit.uid: '4294967295'  <- same as auid
       audit.gid: '33'
       audit.session: '4294967295'
       audit.command: 'apache2'
       audit.exe: '/usr/sbin/apache2'

After this fix, auditd.uid will be the correct value.

**Phase 1: Completed pre-decoding.
       full event: 'type=ANOM_ABEND msg=audit(1545007249.541:227013641): auid=4294967295 uid=1000 gid=33 ses=4294967295 pid=95382 comm="apache2" exe="/usr/sbin/apache2" sig=11'
       timestamp: '(null)'
       hostname: '31f8f1e5e096'
       program_name: '(null)'
       log: 'type=ANOM_ABEND msg=audit(1545007249.541:227013641): auid=4294967295 uid=1000 gid=33 ses=4294967295 pid=95382 comm="apache2" exe="/usr/sbin/apache2" sig=11'

**Phase 2: Completed decoding.
       decoder: 'auditd'
       audit.type: 'ANOM_ABEND'
       audit.id: '227013641'
       audit.pid: '95382'
       audit.auid: '4294967295'
       audit.uid: '1000'  <- fixed
       audit.gid: '33'
       audit.session: '4294967295'
       audit.command: 'apache2'
       audit.exe: '/usr/sbin/apache2'

@iasdeoupxe iasdeoupxe mentioned this pull request Feb 27, 2019
Closed
@Zenidd
Copy link
Contributor

Zenidd commented Jun 5, 2019

Hello @tokibi,

Sorry for our late reply.

We are going to review your PR and if possible, we will add it to Wazuh-ruleset. Thanks for your contribution!

Best regards,

Juan Pablo Sáez

@Zenidd Zenidd added the decoders Decoders related issues label Jun 5, 2019
@Lopuiz Lopuiz changed the base branch from master to 3.10 June 5, 2019 11:23
@Lopuiz Lopuiz self-requested a review June 5, 2019 11:35
Lopuiz
Lopuiz approved these changes Jun 5, 2019
View reviewed changes
Copy link
Contributor

@Lopuiz Lopuiz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @tokibi,

First of all, sorry for the late review. We appreciate your collaborations to the Ruleset project.

Thank you very much.

Regards, Eva

@bah07 bah07 changed the base branch from 3.10 to 3.9 June 14, 2019 11:30
@bah07 bah07 merged commit 278025a into wazuh:3.9 Jun 14, 2019
@tokibi tokibi deleted the fix_auditd_decoders branch June 21, 2019 03:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Lopuiz Lopuiz Lopuiz approved these changes

Assignees

@Lopuiz Lopuiz

Labels
community decoders Decoders related issues
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tokibi @Zenidd @Lopuiz @bah07