apparmor messages not fully parsed #25

Closed
andrewkroh opened this issue Apr 25, 2018 · 0 comments
@andrewkroh

The fields from the apparmor AVC message are not being parsed out. We need to create a new test case from this data and fix the parser.

```json
{
  "@timestamp": "2018-04-25T13:28:53.080Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "doc",
    "version": "6.2.4"
  },
  "process": {
    "pid": "5571",
    "ppid": "5552",
    "title": "metricbeat -e -system.hostfs=/hostfs -strict.perms=false",
    "name": "metricbeat",
    "exe": "/usr/share/metricbeat/metricbeat"
  },
  "auditd": {
    "result": "success",
    "session": "unset",
    "data": {
      "a0": "3",
      "arch": "x86_64",
      "a1": "c4206cb400",
      "a3": "0",
      "a2": "200",
      "exit": "193",
      "tty": "(none)",
      "syscall": "read"
    },
    "summary": {
      "actor": {
        "secondary": "ubuntu",
        "primary": "unset"
      },
      "how": "/usr/share/metricbeat/metricbeat"
    },
    "warnings": [
      "failed to parse message: failed to parse audit message",
      "failed to set subject primary using keys=[scontext] because they were not found",
      "failed to set object primary using keys=[tcontext] because they were not found"
    ],
    "messages": [
      "type=AVC msg=audit(1524662933.080:61207): apparmor=\"DENIED\" operation=\"ptrace\" profile=\"docker-default\" pid=5571 comm=\"metricbeat\" requested_mask=\"trace\" denied_mask=\"trace\" peer=\"unconfined\"",
      "type=SYSCALL msg=audit(1524662933.080:61207): arch=c000003e syscall=0 success=yes exit=193 a0=3 a1=c4206cb400 a2=200 a3=0 items=0 ppid=5552 pid=5571 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=\"metricbeat\" exe=\"/usr/share/metricbeat/metricbeat\" key=(null)",
      "type=PROCTITLE msg=audit(1524662933.080:61207): proctitle=6D657472696362656174002D65002D73797374656D2E686F737466733D2F686F73746673002D7374726963742E7065726D733D66616C7365"
    ],
    "sequence": 61207
  },
  "event": {
    "category": "mac-decision",
    "type": "avc",
    "action": "violated-selinux-policy",
    "module": "auditd"
  },
  "user": {
    "name_map": {
      "gid": "ubuntu",
      "sgid": "ubuntu",
      "suid": "ubuntu",
      "uid": "ubuntu",
      "egid": "ubuntu",
      "euid": "ubuntu",
      "fsgid": "ubuntu",
      "fsuid": "ubuntu"
    },
    "euid": "1000",
    "suid": "1000",
    "sgid": "1000",
    "gid": "1000",
    "egid": "1000",
    "fsgid": "1000",
    "uid": "1000",
    "fsuid": "1000",
    "auid": "unset"
  },
  "beat": {
    "name": "gce-ubuntu1604",
    "hostname": "gce-ubuntu1604",
    "version": "6.2.4"
  }
}
```
@andrewkroh andrewkroh added the bug label Apr 25, 2018
andrewkroh added a commit to andrewkroh/go-libaudit that referenced this issue Apr 27, 2018
auparse was only expecting selinux AVC messages. Now it will handle AVC messages from apparmor. The action will be `violated-apparmor-policy`.

Fixes elastic#25
adriansr pushed a commit that referenced this issue Apr 27, 2018
auparse was only expecting selinux AVC messages. Now it will handle AVC messages from apparmor. The action will be `violated-apparmor-policy`.

Fixes #25
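An added example (not go-libaudit's own code) of a `type=AVC` body parser that accepts both the SELinux form and the AppArmor form quoted in the event above, labelling the result with the action names the issue and its fix use; the `seresult`/`seperms` key names, the regular expressions and the error strings are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Key/value tokens: bare (pid=5571) or double-quoted (comm="metricbeat").
	kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
	// SELinux AVC body: avc:  denied  { read write } for  pid=... scontext=...
	selinuxRe = regexp.MustCompile(`^avc:\s+(\w+)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$`)
)
type AVCResult struct {
	Action string            // violated-apparmor-policy or violated-selinux-policy
	Fields map[string]string // key/value pairs from the record body
}

// ParseAVC parses the body of a type=AVC record (the text after "msg=audit(...): ").
// AppArmor bodies start with apparmor="DENIED" and carry only key="value" pairs,
// so a SELinux-only grammar rejects them; both shapes are handled here.
func ParseAVC(body string) (*AVCResult, error) {
	body = strings.TrimSpace(body)
	fields := map[string]string{}
	collect := func(s string) {
		for _, m := range kvRe.FindAllStringSubmatch(s, -1) {
			fields[m[1]] = strings.Trim(m[2], `"`)
		}
	}
	switch {
	case strings.HasPrefix(body, "apparmor="):
		collect(body)
		return &AVCResult{Action: "violated-apparmor-policy", Fields: fields}, nil
	case strings.HasPrefix(body, "avc:"):
		m := selinuxRe.FindStringSubmatch(body)
		if m == nil {
			return nil, fmt.Errorf("malformed selinux avc body: %q", body)
		}
		fields["seresult"] = m[1]                                   // assumed key name
		fields["seperms"] = strings.Join(strings.Fields(m[2]), ",") // assumed key name
		collect(m[3])
		return &AVCResult{Action: "violated-selinux-policy", Fields: fields}, nil
	}
	return nil, fmt.Errorf("unrecognised AVC body: %q", body) // the failure the issue reports
}

func main() { // constructed input: the AppArmor record quoted in the issue above
	fmt.Println(ParseAVC(`apparmor="DENIED" operation="ptrace" profile="docker-default" pid=5571 comm="metricbeat" requested_mask="trace" denied_mask="trace" peer="unconfined"`))
}
```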