I need help! Auditbeat `file.path` field does not contain the absolute path

Hi, I am having problems with how auditbeat pushes documents to elasticsearch. I want auditbeat to monitor openat system calls on a directory (or, alternatively on the files within that directory). To that end I have the following auditctl rules set up in the file /etc/auditbeat/audit.rules.d/blueprint-buckeye.conf:

-a exit,always -F arch=b64 -S openat -F dir=/root -F euid=root -k binary-exploitation -k 2362e5 -k flag-captured

The problem I am facing is that auditbeat pushes a huge number of documents with very weird file.path fields every time someone uses the linux find command. E.g. if I run find / -name flag{* 2>&1 | grep flag on the machine that is running auditbeat, I see a lot of documents that contain one-character file.path values:

"file" : {
            "owner" : "root",
            "group" : "root",
            "path" : "d",
            "device" : "00:00",
            "inode" : "526947",
            "mode" : "0700",
            "uid" : "0",
            "gid" : "0"
          },

According to the Elasticsearch exported fields documentation, this field should be an absolute path to a filename. However, there is no file on the filesystem with the one-character filename 'd' and it certainly is not a full path name. Furthermore, this command is issued outside of the /root directory and should not be caught by the above rule unless 'd' is a file within the /root directory, which again, it is not.

Another issue, unrelated to the find command, is that if I issue the command ls -al while in some directory, e.g. /home/kate_libby/, and in that directory there is a file named neuromancer, the file.path field in elasticsearch will then contain neuromancer, which again is not an absolute path. In this case I would have the auditctl rules as: -a exit,always -F arch=b64 -S stat,lstat,fstat -F path=/home/kate_libby/neuromancer -F euid=kate_libby -k binary_exploitation_flag -k discovery.

I have auditbeat set up according to the configuration file below:

---
auditbeat:
  modules:
  - audit_rule_files:
    - /etc/auditbeat/audit.rules.d/*.conf
    module: auditd
    include_warnings: true
    resolve_ids: true
    include_raw_message: true
http:
  enabled: true
  host: x.x.x.x
  port: '5067'
logging:
  level: debug
  metrics:
    enabled: false
  to_eventlog: false
  to_files: false
  to_stderr: true
  to_syslog: false
monitoring:
  cluster_uuid: ZK15biAITP-jB5O8Y5XuQQ
  enabled: false
name: blueprint-buckeye-auditbeat
output:
  elasticsearch:
    enabled: true
    hosts:
    - https://x.x.x.x:9200
    - https://x.x.x.x:9200
    - https://x.x.x.x:9200
    password: ${OUTPUT_PASS}
    ssl:
      certificate: /etc/auditbeat/certs//beats.crt
      certificate_authorities: /etc/auditbeat/certs//ca.crt
      enabled: true
      key: /etc/auditbeat/certs//beats.p1
      key_passphrase: ${OUTPUT_CERT_KEY_PASSPHRASE}
      verification_mode: none
    username: ${OUTPUT_USER}
path:
  config: /etc/auditbeat
  data: /var/lib/auditbeat
  home: /usr/share/auditbeat
  logs: /var/log/auditbeat
processors:
        - add_id: null
        - add_locale: null
        - community_id: null
        - add_process_metadata:
            match_pids:
            - system.process.ppid
            restricted_fields: true
        - add_fields:
            fields:
              world: blueprint
            target: ''
        - add_observer_metadata:
            geo:
              name: blueprint
setup:
  ilm:
    check_exists: false
    enabled: true
    overwrite: false
    pattern: '{now/d}-000001'
    rollover_alias: auditbeat-%{[agent.version]}
  template:
    settings:
      index:
        number_of_shards: 1

I also list the important aspect of the index template below:

"path": {
              "type": "keyword",
              "fields": {
                "text": {
                  "type": "text",
                  "norms": false
                }
              },
              "ignore_above": 1024
            },

Which operating system are you using?

Did you try to enable debug logging and find references to the "d" file?

This is the output of uname -a:

Linux blueprint-buckeye 5.0.0-1029-gcp #30~18.04.1-Ubuntu SMP Mon Jan 13 05:40:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The only extra logs that are returned from auditbeat with debug logging are extra publishing events such as:

Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]: 2020-07-29T14:20:17.804Z        DEBUG        [processors]        processing/processors.go:187        Publish event: {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   "@timestamp": "2020-07-29T14:20:17.766Z",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   "@metadata": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "beat": "auditbeat",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "type": "_doc",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "version": "7.8.0"
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   "file": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "gid": "0",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "owner": "root",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "group": "root",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "path": ".local",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "device": "00:00",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "inode": "516099",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "mode": "0755",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "uid": "0"
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:   "auditd": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "sequence": 20168,
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "result": "success",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "data": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "a3": "0",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "a1": "55555579e2c8",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "exit": "6",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "arch": "x86_64",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "tty": "pts0",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "a0": "7",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "a2": "30900",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "syscall": "openat"
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "session": "118",
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:     "summary": {
Jul 29 14:20:22 blueprint-buckeye auditbeat[26142]:       "actor": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "secondary": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "primary": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "object": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "primary": ".local",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "type": "file"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "how": "/usr/bin/find"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "paths": [
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "cap_fp": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "inode": "516099",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "item": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "name": ".local",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "ouid": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "cap_fe": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "cap_fi": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "cap_fver": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "dev": "08:01",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "mode": "040755",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "nametype": "NORMAL",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "ogid": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "rdev": "00:00"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       }
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     ],
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "message_type": "syscall"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "service": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "type": "auditd"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "agent": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "name": "blueprint-buckeye-auditbeat",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "type": "auditbeat",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "version": "7.8.0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "hostname": "blueprint-buckeye",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "ephemeral_id": "d9e3f1eb-59c2-4c58-8ba5-31b24d9b9878",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "id": "3162464c-e272-42ff-b5d5-546a6efef0e6"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "event": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "action": "opened-file",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "outcome": "success",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "original": [
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "type=SYSCALL msg=audit(1596032417.766:20168): arch=c000003e syscall=257 success=yes exit=6 a0=7 a1=55555579e2c8 a2=30900 a3=0 items=1 ppid=22048 pid=26224 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=118 comm=\"find\" exe=\"/usr/bin/find\" key=62696E6172792D6578706C6F69746174696F6E0132333632653501666C61672D6361707475726564",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "type=CWD msg=audit(1596032417.766:20168): cwd=\"/home\"",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "type=PATH msg=audit(1596032417.766:20168): item=0 name=\".local\" inode=516099 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "type=PROCTITLE msg=audit(1596032417.766:20168): proctitle=66696E64002F002D6E616D6500666C6167322A"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     ],
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "module": "auditd",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "category": "audit-rule"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "process": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "title": "find / -name flag2*",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "name": "find",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "executable": "/usr/bin/find",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "working_directory": "/home",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "pid": 26224,
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "ppid": 22048
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "tags": [
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "binary-exploitation",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "2362e5",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "flag-captured"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   ],
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "host": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "name": "blueprint-buckeye-auditbeat"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "ecs": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "version": "1.5.0"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   "user": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "saved": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "group": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "name": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "id": "0"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       }
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "audit": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "group": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "name": "root",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "filesystem": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "group": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     "effective": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "group": {
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:         "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       },
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "id": "0",
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:       "name": "root"
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:     }
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]:   }
Jul 29 14:20:23 blueprint-buckeye auditbeat[26142]: }

I'm afraid this is a bug; you should see an absolute path. Could you please verify with older versions of auditbeat? 7.6? 7.7? I wonder if it's a regression.

You can also open an issue for beats and link this thread.


Since you have include_raw_message enabled we can see event.original which is what the kernel sent to Auditbeat. The kernel sent a relative path .local and it also sent a CWD message with /home. One solution would be to look for this combination of relative paths and CWD messages and join them when constructing the file.path field.


Actually no. As I described in my first post there are a lot of documents containing a file.path which cannot be traced to a file even if linked with the working directory. E.g. take the following document which is pushed by Auditbeat:

{
        "_index" : "auditbeat-7.8.1-2020.07.29-000001",
        "_type" : "_doc",
        "_id" : "jMKjvnMBFCvzJdFmeqcY",
        "_score" : 0.0,
        "_source" : {
          "@timestamp" : "2020-08-05T12:40:51.474Z",
          "file" : {
            "path" : "root",
            "device" : "00:00",
            "inode" : "3811",
            "mode" : "0700",
            "uid" : "0",
            "gid" : "0",
            "owner" : "root",
            "group" : "root"
          },
          "auditd" : {
            "data" : {
              "a3" : "0",
              "syscall" : "openat",
              "a1" : "55cd05f24bf8",
              "a0" : "6",
              "exit" : "5",
              "arch" : "x86_64",
              "a2" : "30900",
              "tty" : "pts0"
            },
            "session" : "7677",
            "summary" : {
              "object" : {
                "type" : "file",
                "primary" : "root"
              },
              "how" : "/usr/bin/find",
              "actor" : {
                "primary" : "printer",
                "secondary" : "root"
              }
            },
            "paths" : [
              {
                "cap_fp" : "0",
                "cap_frootid" : "0",
                "mode" : "040700",
                "nametype" : "NORMAL",
                "cap_fi" : "0",
                "cap_fver" : "0",
                "dev" : "08:01",
                "item" : "0",
                "name" : "root",
                "ogid" : "0",
                "rdev" : "00:00",
                "cap_fe" : "0",
                "inode" : "3811",
                "ouid" : "0"
              }
            ],
            "message_type" : "syscall",
            "sequence" : 706292,
            "result" : "success"
          },
          "ecs" : {
            "version" : "1.5.0"
          },
          "container" : {
            "id" : ""
          },
          "world" : "blueprint",
          "host" : {
            "name" : "blueprint-energetic-bear-auditbeat"
          },
          "agent" : {
            "name" : "blueprint-energetic-bear-auditbeat",
            "type" : "auditbeat",
            "version" : "7.8.1",
            "hostname" : "blueprint-energetic-bear",
            "ephemeral_id" : "c511b79d-e610-4e11-b9a4-470ccdf9f8eb",
            "id" : "3966fa21-f393-5aee-80b0-914283ba53c6"
          },
          "observer" : {
            "ip" : [
              "10.0.18.128",
              "10.0.2.128",
              "fe80::4001:aff:fe00:1280"
            ],
            "mac" : [
              "42:01:0a:00:12:80"
            ],
            "hostname" : "blueprint-energetic-bear",
            "geo" : {
              "name" : "blueprint"
            }
          },
          "service" : {
            "type" : "auditd"
          },
          "process" : {
            "title" : "bash",
            "env" : { },
            "args" : [
              "bash"
            ],
            "start_time" : "2020-08-05T12:36:22.470Z",
            "name" : "bash",
            "executable" : "/bin/bash",
            "working_directory" : "/tmp",
            "pid" : 6145,
            "ppid" : 6143
          },
          "event" : {
            "module" : "auditd",
            "category" : "audit-rule",
            "action" : "opened-file",
            "outcome" : "success",
            "timezone" : "+00:00"
          },
          "user" : {
            "audit" : {
              "name" : "printer",
              "id" : "1001"
            },
            "name" : "root",
            "saved" : {
              "name" : "root",
              "group" : {
                "id" : "0",
                "name" : "root"
              },
              "id" : "0"
            },
            "group" : {
              "id" : "0",
              "name" : "root"
            },
            "filesystem" : {
              "name" : "root",
              "group" : {
                "id" : "0",
                "name" : "root"
              },
              "id" : "0"
            },
            "effective" : {
              "id" : "0",
              "name" : "root",
              "group" : {
                "id" : "0",
                "name" : "root"
              }
            },
            "id" : "0"
          },
          "tags" : [
            "cuiteur",
            "73cb43",
            "flag-captured"
          ]
        }
      }

The working directory is listed as /tmp and file.path: root. But there is no file or directory named root in the /tmp folder.
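The CWD-plus-name join proposed earlier in the thread, and why it is not enough for the find events shown here, as an added example that is not part of the original posts or of Auditbeat's own code. It parses raw event.original records (the SYSCALL/CWD/PATH trio from the earlier debug output is reused as constructed input, alongside a constructed AT_FDCWD case, both assuming x86_64 where syscall 257 is openat) and only joins cwd and name when the dirfd argument a0 of openat is AT_FDCWD; the find events carry a real directory descriptor (a0=7, a0=6), so their name is relative to that descriptor, not to cwd.

```python
import os
import re

# Constructed sample: the three event.original records quoted in the thread
# for the find-generated openat, trimmed to the fields this example uses.
FIND_EVENT = [
    'type=SYSCALL msg=audit(1596032417.766:20168): arch=c000003e syscall=257 '
    'success=yes exit=6 a0=7 a1=55555579e2c8 a2=30900 a3=0 items=1 ppid=22048 '
    'pid=26224 auid=0 uid=0 gid=0 euid=0 comm="find" exe="/usr/bin/find"',
    'type=CWD msg=audit(1596032417.766:20168): cwd="/home"',
    'type=PATH msg=audit(1596032417.766:20168): item=0 name=".local" inode=516099 '
    'dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]

# Constructed sample of the case where the join is legitimate: a process opening
# a relative name with AT_FDCWD, which the kernel logs as a0=ffffff9c (-100).
SHELL_EVENT = [
    'type=SYSCALL msg=audit(1596032417.900:20169): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=55cd05f24bf8 a2=0 a3=0 items=1 '
    'comm="cat" exe="/bin/cat"',
    'type=CWD msg=audit(1596032417.900:20169): cwd="/home/kate_libby"',
    'type=PATH msg=audit(1596032417.900:20169): item=0 name="neuromancer" '
    'inode=1234 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
]

AT_FDCWD_HEX = {"ffffff9c", "ffffffffffffff9c"}  # -100 as auditd prints it
OPENAT_X86_64 = "257"
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def parse_event(lines):
    """Group the SYSCALL, CWD and PATH records that share one audit event."""
    event = {"paths": []}
    for line in lines:
        rec = parse_record(line)
        rtype = rec.pop("type")
        if rtype == "PATH":
            event["paths"].append(rec)
        else:
            event[rtype] = rec
    return event


def resolve_file_path(event):
    """Absolute path for the first PATH record, or None when the CWD record
    alone is not enough to derive it."""
    if not event["paths"]:
        return None
    name = event["paths"][0]["name"]
    if name.startswith("/"):
        return os.path.normpath(name)
    syscall = event.get("SYSCALL", {})
    cwd = event.get("CWD", {}).get("cwd")
    # openat(2) resolves a relative name against the directory fd in a0, not the
    # cwd, unless a0 is AT_FDCWD; only then is cwd + name the real location.
    if syscall.get("syscall") == OPENAT_X86_64 and syscall.get("a0") not in AT_FDCWD_HEX:
        return None
    if cwd is None:
        return None
    return os.path.normpath(os.path.join(cwd, name))
```

Run against FIND_EVENT the resolver returns None, matching the observation that /home/.local is not where find actually opened the entry; against SHELL_EVENT it yields /home/kate_libby/neuromancer.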

Alright, I will create an issue and link this thread. Give me a moment and I will try with Auditbeat 7.5.1 which is the only other version I have access to at work.

The problem persists in Auditbeat 7.5.1 unfortunately.

I have now opened an issue about this problem: https://github.com/elastic/beats/issues/20451.
