Auditd module + file access = some paths are hex-encoded

Elastic Stack Beats
1

We're looking to track all file access on a shared volume, and are running the following config:

  • module: auditd
    audit_rules: |
    -w /share/path_a -p rwa
    -w /share/path_b -p rwa
    -w /share/path_c -p rwa

This seems to work fine, except that some events have hex-encoded values for auditd.summary.object.primary and file.path instead of plain text. I can't understand where this hex-encoded value is coming from, but it's making the results quite unusable. These are unique events, and if I filter these out in Kibana with NOT file.path:\[0-9A-F]*\ then I miss file system events that have occurred.

Example doc: https://gist.github.com/ceeeekay/19365fa135be6bf039ebb589c242a68a

Any help please?

2

That looks like something we can fix. Can you add include_raw_message: true to your auditd module configuration temporarily (docs) and share the event again just like you did.

Then we'll add the messages to the testdata to create a test case for this. Then in the code make sure that we have hex decoding applied to the right fields.

3

@andrewkroh here's the gist of one document with the paths redacted and re-encoded:

There are other documents with different event.action values. Do you need those as well?

4

Thanks for the event data.

I think by fixing decoding in all type=PATH messages this should be covered so I don't think we need the other events with different event.action values.

I opened https://github.com/elastic/go-libaudit/issues/20 for this. You can subscribe to the issue in Github for updates.

5

One more question: What OS (usually cat /etc/*release) and kernel version (uname -a) is this event from?

6

@andrewkroh This one is Ubuntu 14.04.5 LTS / 3.13.0-143-generic