I need help! Auditbeat `file.path` field does not contain the absolute path

Hi, I am having problems with how auditbeat pushes documents to elasticsearch. I want auditbeat to monitor openat system calls on a directory (or, alternatively on the files within that directory). To that end I have the following auditctl rules set up in the file /etc/auditbeat/audit.rules.d/blueprint-buckeye.conf:

-a exit,always -F arch=b64 -S openat -F dir=/root -F euid=root -k binary-exploitation -k 2362e5 -k flag-captured

The problem I am facing is that auditbeat pushes a huge number of documents with very weird file.path fields every time someone uses the Linux find command. E.g. if I run find / -name flag{* 2>&1 | grep flag on the machine that is running auditbeat, I see a lot of documents that contain one-character file.path values:

"file" : {
            "owner" : "root",
            "group" : "root",
            "path" : "d",
            "device" : "00:00",
            "inode" : "526947",
            "mode" : "0700",
            "uid" : "0",
            "gid" : "0"
          },

According to the Elasticsearch exported-fields documentation, this field should be an absolute path to a filename. However, there is no file on the filesystem with the one-character filename 'd', and it certainly is not a full path name. Furthermore, this command is issued outside of the /root directory and should not be caught by the above rule unless 'd' is a file within the /root directory, which again, it is not.

Another issue that is unrelated to the find command is if I issue the command ls -al while in some directory, e.g. /home/kate_libby/ and in that directory there is a file named neuromancer. The file.path field in elasticsearch will then contain neuromancer, which again is not an absolute path. In this case I would have the auditctl rules as: -a exit,always -F arch=b64 -S stat,lstat,fstat -F path=/home/kate_libby/neuromancer -F euid=kate_libby -k binary_exploitation_flag -k discovery.

I have auditbeat set up according to the configuration file below:

---
auditbeat:
  modules:
  - audit_rule_files:
    - /etc/auditbeat/audit.rules.d/*.conf
    module: auditd
    include_warnings: true
    resolve_ids: true
    include_raw_message: true
http:
  enabled: true
  host: x.x.x.x
  port: '5067'
logging:
  level: debug
  metrics:
    enabled: false
  to_eventlog: false
  to_files: false
  to_stderr: true
  to_syslog: false
monitoring:
  cluster_uuid: ZK15biAITP-jB5O8Y5XuQQ
  enabled: false
name: blueprint-buckeye-auditbeat
output:
  elasticsearch:
    enabled: true
    hosts:
    - https://x.x.x.x:9200
    - https://x.x.x.x:9200
    - https://x.x.x.x:9200
    password: ${OUTPUT_PASS}
    ssl:
      certificate: /etc/auditbeat/certs//beats.crt
      certificate_authorities: /etc/auditbeat/certs//ca.crt
      enabled: true
      key: /etc/auditbeat/certs//beats.p1
      key_passphrase: ${OUTPUT_CERT_KEY_PASSPHRASE}
      verification_mode: none
    username: ${OUTPUT_USER}
path:
  config: /etc/auditbeat
  data: /var/lib/auditbeat
  home: /usr/share/auditbeat
  logs: /var/log/auditbeat
processors:
- add_id: null
- add_locale: null
- community_id: null
- add_process_metadata:
    match_pids:
    - system.process.ppid
    restricted_fields: true
- add_fields:
    fields:
      world: blueprint
    target: ''
- add_observer_metadata:
    geo:
      name: blueprint
setup:
  ilm:
    check_exists: false
    enabled: true
    overwrite: false
    pattern: '{now/d}-000001'
    rollover_alias: auditbeat-%{[agent.version]}
  template:
    settings:
      index:
        number_of_shards: 1

I also list the important part of the index template below:

"path": {
              "type": "keyword",
              "fields": {
                "text": {
                  "type": "text",
                  "norms": false
                }
              },
              "ignore_above": 1024
            },

Which operating system are you using?

Did you try to enable debug logging and find references to the "d" file?

This is the output of uname -a:
Linux blueprint-buckeye 5.0.0-1029-gcp #30~18.04.1-Ubuntu SMP Mon Jan 13 05:40:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux. The only extra logs that are returned from auditbeat with debug logging are extra publishing events such as:

Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]: 2020-07-29T14:20:17.804Z        DEBUG        [processors]        processing/processors.go:187        Publish event: {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   "@timestamp": "2020-07-29T14:20:17.766Z",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   "@metadata": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "beat": "auditbeat",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "type": "_doc",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "version": "7.8.0"
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   "file": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "gid": "0",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "owner": "root",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "group": "root",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "path": ".local",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "device": "00:00",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "inode": "516099",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "mode": "0755",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "uid": "0"
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   "auditd": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "sequence": 20168,
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "result": "success",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "data": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "a3": "0",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "a1": "55555579e2c8",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "exit": "6",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "arch": "x86_64",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "tty": "pts0",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "a0": "7",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "a2": "30900",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "syscall": "openat"
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "session": "118",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "summary": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "actor": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "secondary": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "primary": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "object": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "primary": ".local",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "type": "file"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "how": "/usr/bin/find"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "paths": [
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "cap_fp": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "inode": "516099",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "item": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "name": ".local",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "ouid": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "cap_fe": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "cap_fi": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "cap_fver": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "dev": "08:01",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "mode": "040755",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "nametype": "NORMAL",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "ogid": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "rdev": "00:00"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       }
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     ],
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "message_type": "syscall"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "service": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "type": "auditd"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "agent": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "name": "blueprint-buckeye-auditbeat",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "type": "auditbeat",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "version": "7.8.0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "hostname": "blueprint-buckeye",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "ephemeral_id": "d9e3f1eb-59c2-4c58-8ba5-31b24d9b9878",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "id": "3162464c-e272-42ff-b5d5-546a6efef0e6"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "event": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "action": "opened-file",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "outcome": "success",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "original": [
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "type=SYSCALL msg=audit(1596032417.766:20168): arch=c000003e syscall=257 success=yes exit=6 a0=7 a1=55555579e2c8 a2=30900 a3=0 items=1 ppid=22048 pid=26224 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=118 comm=\"find\" exe=\"/usr/bin/find\" key=62696E6172792D6578706C6F69746174696F6E0132333632653501666C61672D6361707475726564",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "type=CWD msg=audit(1596032417.766:20168): cwd=\"/home\"",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "type=PATH msg=audit(1596032417.766:20168): item=0 name=\".local\" inode=516099 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "type=PROCTITLE msg=audit(1596032417.766:20168): proctitle=66696E64002F002D6E616D6500666C6167322A"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     ],
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "module": "auditd",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "category": "audit-rule"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "process": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "title": "find / -name flag2*",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "name": "find",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "executable": "/usr/bin/find",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "working_directory": "/home",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "pid": 26224,
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "ppid": 22048
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "tags": [
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "binary-exploitation",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "2362e5",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "flag-captured"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   ],
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "host": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "name": "blueprint-buckeye-auditbeat"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "ecs": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "version": "1.5.0"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "user": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "saved": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "group": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "name": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "id": "0"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       }
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "audit": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "group": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "name": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "filesystem": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "group": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "effective": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "group": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     }
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   }
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]: }

I'm afraid this is a bug; you should see an absolute path. Could you please verify with older versions of auditbeat? 7.6? 7.7? I wonder if it's a regression.

You can also open an issue for beats and link this thread.

Since you have include_raw_message enabled we can see event.original which is what the kernel sent to Auditbeat. The kernel sent a relative path .local and it also sent a CWD message with /home. One solution would be to look for this combination of relative paths and CWD messages and join them when constructing the file.path field.

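The join described in the last reply, worked through as an added example (this is not Auditbeat's code, only a stand-alone reconstruction of the CWD-plus-relative-name logic). It parses the raw SYSCALL, CWD, PATH and PROCTITLE records that appear in event.original, decodes the hex-encoded key= and proctitle= fields (which is where the published event's tags and process.title come from), and resolves each PATH name to an absolute path. One caveat a detection engineer would want, and that this example enforces: in the find event above the SYSCALL record has a0=7, so openat resolved ".local" relative to the directory open on file descriptor 7, not relative to the CWD; joining it onto cwd="/home" would produce a path that may not exist. The example therefore only joins onto the CWD when the syscall has no dirfd argument or a0 is AT_FDCWD, and otherwise reports the name as unresolved. The x86_64 syscall-number table, the AT_FDCWD constant, and both sample events are assumptions of the example; the find event is the thread's own record with the JSON escaping removed, and the ls event is constructed to mirror the neuromancer case from the first post.

```python
"""Reconstruct an absolute file.path from raw auditd records.

Added example, not Auditbeat code: it mirrors the CWD + relative-name join
suggested in the reply above and adds the dirfd check that makes it safe.
"""
import os
import re

AT_FDCWD = 0xFFFFFF9C  # -100 as the unsigned 32-bit value auditd prints in a0

# x86_64 syscall numbers whose first argument (a0) is a directory fd (assumed table).
# For these, a relative PATH name is relative to that fd, not to the CWD.
DIRFD_SYSCALLS_X86_64 = {257: "openat", 258: "mkdirat", 259: "mknodat",
                         260: "fchownat", 261: "futimesat", 262: "newfstatat",
                         263: "unlinkat", 264: "renameat", 265: "linkat",
                         266: "symlinkat", 267: "readlinkat", 268: "fchmodat",
                         269: "faccessat"}

# Fields auditd hex-encodes (unquoted) when the value holds unprintable bytes.
HEX_ENCODED_FIELDS = {"name", "cwd", "key", "proctitle", "comm", "exe"}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Turn one 'type=X msg=audit(ts:seq): k=v k="v"' line into a dict.

    Quoted values lose their quotes; hex-encoded string fields are decoded,
    so key= and proctitle= come back readable.
    """
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif key in HEX_ENCODED_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", val):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        fields[key] = val
    return fields


def rule_keys(syscall_record):
    """Multiple -k keys are joined with \\x01 inside key=; split them into tags."""
    return [k for k in syscall_record.get("key", "").split("\x01") if k]


def proctitle_argv(proctitle_record):
    """argv is NUL-separated inside proctitle=."""
    return [a for a in proctitle_record.get("proctitle", "").split("\x00") if a]


def resolve_file_paths(records):
    """Return (name, absolute_path_or_None, reason) for each PATH record.

    Absolute names pass through normalised. For a dirfd syscall whose a0 is
    not AT_FDCWD the name is relative to that fd, so the CWD is the wrong
    base and the path stays unresolved. Otherwise the name is joined onto
    the CWD record.
    """
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), {})
    cwd = next((r.get("cwd") for r in records if r.get("type") == "CWD"), None)
    nr = int(syscall.get("syscall", "-1"))
    dirfd_relative = False
    if syscall.get("arch") == "c000003e" and nr in DIRFD_SYSCALLS_X86_64 and "a0" in syscall:
        dirfd_relative = int(syscall["a0"], 16) != AT_FDCWD
    out = []
    for p in (r for r in records if r.get("type") == "PATH"):
        name = p.get("name")
        if not name or name == "(null)":
            out.append((name, None, "no name in PATH record"))
        elif name.startswith("/"):
            out.append((name, os.path.normpath(name), "absolute"))
        elif dirfd_relative:
            out.append((name, None, "relative to dirfd a0=%s, not to cwd" % syscall["a0"]))
        elif cwd:
            out.append((name, os.path.normpath(os.path.join(cwd, name)), "joined with cwd"))
        else:
            out.append((name, None, "no CWD record"))
    return out


def summarize(lines):
    """Parse the raw lines of one audit event into tags, argv and resolved paths."""
    records = [parse_record(line) for line in lines]
    syscall = next((r for r in records if r["type"] == "SYSCALL"), {})
    proctitle = next((r for r in records if r["type"] == "PROCTITLE"), {})
    return {"tags": rule_keys(syscall), "argv": proctitle_argv(proctitle),
            "paths": resolve_file_paths(records)}


# Sample input: the thread's find event (event.original above, JSON escaping removed).
FIND_EVENT = [
    'type=SYSCALL msg=audit(1596032417.766:20168): arch=c000003e syscall=257 success=yes exit=6 a0=7 a1=55555579e2c8 a2=30900 a3=0 items=1 ppid=22048 pid=26224 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=118 comm="find" exe="/usr/bin/find" key=62696E6172792D6578706C6F69746174696F6E0132333632653501666C61672D6361707475726564',
    'type=CWD msg=audit(1596032417.766:20168): cwd="/home"',
    'type=PATH msg=audit(1596032417.766:20168): item=0 name=".local" inode=516099 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0',
    'type=PROCTITLE msg=audit(1596032417.766:20168): proctitle=66696E64002F002D6E616D6500666C6167322A',
]

# Constructed sample (not from the thread): ls stat-ing neuromancer with a0 = AT_FDCWD.
LS_EVENT = [
    'type=SYSCALL msg=audit(1596032500.000:20300): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=55d0c0a0 a2=7ffd0 a3=100 items=1 ppid=1 pid=2 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="ls" exe="/bin/ls" key="discovery"',
    'type=CWD msg=audit(1596032500.000:20300): cwd="/home/kate_libby"',
    'type=PATH msg=audit(1596032500.000:20300): item=0 name="neuromancer" inode=1 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0',
]

if __name__ == "__main__":
    for label, event in (("find", FIND_EVENT), ("ls", LS_EVENT)):
        s = summarize(event)
        print(label, s["tags"], s["argv"])
        for name, path, why in s["paths"]:
            print("  %-12s -> %s (%s)" % (name, path, why))
```

Run stand-alone, the find event yields the three tags and the argv from the published event but leaves ".local" unresolved because of a0=7, while the constructed ls event resolves to /home/kate_libby/neuromancer. A beat implementing the join would need the same dirfd check (or a PARENT path item from the kernel) to avoid emitting a plausible-looking but wrong absolute path.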