I want to track whether a normal user attempted to run a service. The command for starting/stopping the service is given below:
service filebeat start
I wrote an auditd rule like the one below in Auditbeat's auditd rules section:
-w /usr/sbin/service -p warx -k service_attempt
Each time I start/stop the service, an event carrying the tag (service_attempt) is logged, but the audited syscall is never reported as failed — the event's result is still "success". Because of this I am not able to differentiate between a successful attempt and an unsuccessful attempt to start/stop a service.
A sample document for the start operation is given below:
The document below was generated when a normal user without sudo permissions attempted the above command to start a service:
{
"_index": "auditbeat-6.5.4-2019.03.01",
"_type": "doc",
"_id": "AWk5O1GeBD5hM625ACu_",
"_score": null,
"_source": {
"process": {
"cwd": "/home/jenkins",
"exe": "/bin/dash",
"name": "service",
"pid": "97353",
"title": "/bin/sh /usr/sbin/service filebeat start",
"ppid": "97121"
},
"auditd": {
"summary": {
"actor": {
"secondary": "test-user-arun-03",
"primary": "jenkins"
},
"how": "/bin/dash",
"object": {
"type": "file",
"primary": "/usr/sbin/service"
}
},
"result": "success",
"sequence": 17078666,
"data": {
"a1": "0",
"exit": "3",
"syscall": "open",
"a2": "7fff2afd77c0",
"a3": "1f8",
"tty": "pts1",
"arch": "x86_64",
"a0": "7fff2afd77c0"
},
"session": "146204",
"paths": [
{
"item": "0",
"nametype": "NORMAL",
"ogid": "0",
"cap_fi": "0000000000000000",
"cap_fp": "0000000000000000",
"cap_fver": "0",
"mode": "0100755",
"inode": "23890",
"dev": "08:01",
"ouid": "0",
"rdev": "00:00",
"cap_fe": "0",
"name": "/usr/sbin/service"
}
],
"messages": [
"""type=SYSCALL msg=audit(1551443326.760:17078666): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2afd77c0 a1=0 a2=7fff2afd77c0 a3=1f8 items=1 ppid=97121 pid=97353 auid=1000 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=146204 comm="service" exe="/bin/dash" key="service_attempt"""",
"""type=CWD msg=audit(1551443326.760:17078666): cwd="/home/jenkins"""",
"""type=PATH msg=audit(1551443326.760:17078666): item=0 name="/usr/sbin/service" inode=23890 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0""",
"type=PROCTITLE msg=audit(1551443326.760:17078666): proctitle=2F62696E2F7368002F7573722F7362696E2F736572766963650066696C6562656174007374617274"
]
},
"osName": "ubuntu",
"tags": [
"service_attempt"
],
"osCategory": "linux",
"@timestamp": "2019-03-01T12:28:46.760Z",
"file": {
"owner": "root",
"inode": "23890",
"mode": "0755",
"path": "/usr/sbin/service",
"uid": "0",
"gid": "0",
"device": "00:00",
"group": "root"
},
"osVersion": 16,
"beatName": "auditbeat",
"@version": "1",
"host": {
"name": "k8s-master-14290583-0"
},
"beat": {
"name": "k8s-master-14290583-0",
"hostname": "k8s-master-14290583-0",
"version": "6.5.4"
},
"event": {
"action": "opened-file",
"category": "audit-rule",
"type": "syscall",
"module": "auditd"
},
"user": {
"fsuid": "1002",
"uid": "1002",
"name_map": {
"fsuid": "test-user-arun-03",
"uid": "test-user-arun-03",
"auid": "jenkins",
"egid": "test-user-arun-03",
"gid": "test-user-arun-03",
"euid": "test-user-arun-03",
"fsgid": "test-user-arun-03",
"sgid": "test-user-arun-03",
"suid": "test-user-arun-03"
},
"egid": "1002",
"auid": "1000",
"gid": "1002",
"euid": "1002",
"fsgid": "1002",
"sgid": "1002",
"suid": "1002"
},
"device": [
"k8-master"
]
},
"sort": [
1551443326760
]
}