How to link/stitch-together events in an efficient way?

We have following data from auditD

type=SYSCALL msg=audit(1607953823.861:1184699): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=17780c0 a2=0 a3=7ffe280a6ae0 items=2 ppid=45207 pid=45248 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8306 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1607953823.861:1184699):  cwd="/root"
type=PATH msg=audit(1607953823.861:1184699): item=0 name="/root" inode=469763072 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1607953823.861:1184699): item=1 name="my_secret_file" inode=469763075 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1607953823.861:1184699): proctitle=726D002D69002E626173685F686973746F7279

So the idea is to detect when my_secret_file is deleted or amended. In the above message, we can see it is deleted in the PATH message, but who did it is available from the previous message, SYSCALL, with the auid. So essentially in the above example, a user (auid=1002) has sudo'ed to root (uid=0) and then deleted my_secret_file.

What is the best way to do this? I've extracted the AUDID_ID field (1184699 in above example), but how to stitch together all these 5 events into a single event? (i.e. for alerting and investigation)
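One way to do the stitching in Python, as an added example (not code from this thread or from any Elastic tool): group records by the audit id, take the actor fields from SYSCALL, the object from each PATH item, and decode the hex proctitle. SAMPLE is the question's own five lines re-joined; the function names (`parse_line`, `stitch`, `touched`) are my own.

```python
import re
# Constructed sample: the five records from the question, one per line as they land in the syslog-fed file.
SAMPLE = """\
type=SYSCALL msg=audit(1607953823.861:1184699): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=17780c0 a2=0 a3=7ffe280a6ae0 items=2 ppid=45207 pid=45248 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8306 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1607953823.861:1184699):  cwd="/root"
type=PATH msg=audit(1607953823.861:1184699): item=0 name="/root" inode=469763072 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1607953823.861:1184699): item=1 name="my_secret_file" inode=469763075 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1607953823.861:1184699): proctitle=726D002D69002E626173685F686973746F7279
"""
# search(), not match(): tolerates a syslog prefix ("... audispd: node=x ") before type=
HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_KEYS = {"proctitle", "name", "comm", "exe", "cwd"}  # auditd hex-encodes these when unquoted

def parse_line(line):
    """Split one record into (type, audit_id, fields); None if the line is not an audit record."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for k, v in KV.findall(rest):
        if v.startswith('"'):
            v = v[1:-1]
        elif k in HEX_KEYS:  # unquoted string field is hex; NUL separates argv entries in proctitle
            v = bytes.fromhex(v).decode("utf-8", "replace").replace("\x00", " ")
        fields[k] = v
    return rtype, f"{ts}:{serial}", fields  # the serial restarts at boot, so key on both

def stitch(lines):
    """Merge every record sharing one timestamp:serial into a single flat event."""
    events = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        rtype, key, f = parsed
        ev = events.setdefault(key, {"audit_id": key, "paths": []})
        if rtype == "SYSCALL":  # the actor: auid survives sudo, uid/euid show the switch to root
            ev.update({k: f.get(k) for k in ("syscall", "success", "auid", "uid", "ses", "comm", "exe", "key")})
        elif rtype == "PATH":   # the object: one entry per item, nametype says what happened to it
            ev["paths"].append({"name": f.get("name"), "nametype": f.get("nametype")})
        elif rtype in ("CWD", "PROCTITLE"):
            ev.update(f)        # cwd=... / decoded proctitle=...
    return events

def touched(events, filename, nametypes=("DELETE",)):
    """Stitched events whose PATH items name `filename` with one of the given nametypes
    (DELETE for unlink; add NORMAL or CREATE to also catch writes to an existing or new file)."""
    return [ev for ev in events.values()
            if any(p["name"] == filename and p["nametype"] in nametypes for p in ev["paths"])]
```

Feeding the file line by line through `stitch` yields one dict per audit id that carries auid, uid, exe, cwd, the decoded command line and every path item, which is the single record you want to alert on and pivot from.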

Are you using Auditbeat or your own process to get this data?

Sorry, nope. We are getting the auditd data as a file (via syslog). We don't have the option to install Auditbeat, unfortunately.
