We have the following data from auditd:
type=SYSCALL msg=audit(1607953823.861:1184699): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=17780c0 a2=0 a3=7ffe280a6ae0 items=2 ppid=45207 pid=45248 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8306 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1607953823.861:1184699): cwd="/root"
type=PATH msg=audit(1607953823.861:1184699): item=0 name="/root" inode=469763072 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1607953823.861:1184699): item=1 name="my_secret_file" inode=469763075 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1607953823.861:1184699): proctitle=726D002D69002E626173685F686973746F7279
So the idea is to detect when my_secret_file is deleted or amended. In the above message, we can see it is deleted in the PATH message, but who did it is available from the previous message in SYSCALL with the auid. So essentially in the above example, a user (auid=1002) has sudo'ed to root (uid=0) and then deleted my_secret_file.

What is the best way to do this? I've extracted the AUDID_ID field (1184699 in the above example), but how to stitch together all these 5 events into a single event? (i.e. for alerting and investigation)
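One way to stitch the records together, as an added example in Python that is not part of the original question: group every record by the value inside msg=audit(timestamp:serial), which auditd uses as the event id, then fold each group into one flat event carrying who (auid and uid from SYSCALL), what (PATH items with nametype=DELETE, resolved against the CWD record) and the decoded command line from PROCTITLE. The sample input is a constructed copy of the five records above, re-joined onto one line each.

```python
import os
import re
from collections import defaultdict

SAMPLE = """\
type=SYSCALL msg=audit(1607953823.861:1184699): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=17780c0 a2=0 a3=7ffe280a6ae0 items=2 ppid=45207 pid=45248 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8306 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1607953823.861:1184699): cwd="/root"
type=PATH msg=audit(1607953823.861:1184699): item=0 name="/root" inode=469763072 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1607953823.861:1184699): item=1 name="my_secret_file" inode=469763075 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1607953823.861:1184699): proctitle=726D002D69002E626173685F686973746F7279
"""  # constructed sample: the five records from the question, re-joined one per line

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SYSCALL_KEYS = ("auid", "uid", "euid", "ses", "tty", "pid", "comm", "exe", "key", "syscall", "success")
def decode_proctitle(hexval):
    # auditd hex-encodes proctitle when argv holds NUL/non-printable bytes; args are NUL-separated
    return " ".join(a.decode("utf-8", "replace") for a in bytes.fromhex(hexval).split(b"\0") if a)
def parse_record(line):
    # one record -> (type, "timestamp:serial", {field: value}); "timestamp:serial" is the event id
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v[1:-1] if v.startswith('"') else (decode_proctitle(v) if k == "proctitle" else v)
              for k, v in KV_RE.findall(body)}  # quoted = printable; unquoted proctitle = hex
    return rtype, f"{ts}:{serial}", fields

def stitch(lines):
    # group records by event id and fold each group into one flat, alert-ready dict
    groups = defaultdict(list)
    for line in lines:
        if rec := parse_record(line):
            groups[rec[1]].append((rec[0], rec[2]))
    events = {}
    for event_id, records in groups.items():
        ev = {"event_id": event_id, "paths": []}
        for rtype, f in records:
            if rtype == "SYSCALL":  # who: auid = original login user, uid/euid = user it ran as
                ev.update({k: f[k] for k in SYSCALL_KEYS if k in f})
            elif rtype == "PATH":   # what: one record per path the syscall touched
                ev["paths"].append({k: f.get(k) for k in ("name", "inode", "nametype")})
            else:                   # CWD and PROCTITLE each carry a single field (cwd, proctitle)
                ev.update(f)
        events[event_id] = ev
    return events

def deleted_files(ev):
    # absolute paths of PATH items with nametype=DELETE; relative names resolve against cwd
    return [os.path.normpath(os.path.join(ev.get("cwd", "/"), p["name"])) for p in ev["paths"] if p["nametype"] == "DELETE"]
```

Note that in this sample the decoded proctitle names a different file than the PATH record, so base the alert on the PATH and CWD records (what the kernel actually resolved) and keep proctitle as supporting context.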