Basic Security Module Auditing (xm_bsm)

This module provides support for parsing events logged to a file using the Solaris OS Basic Security Module (BSM) Auditing API; the same binary token format is produced by OpenBSM on macOS and FreeBSD, which is why the field list below includes Apple code-signing identity tokens. This module is normally used in combination with the im_file module to read events from a log file. An InputType is registered using the name of the module instance. See also im_bsm, which reads audit events directly from the kernel. im_bsm is the recommended choice when NXLog Agent is running on the local system and the audit device file is available for reading.

On Solaris, the device file is not available and the BSM log files must be read and parsed with im_file and xm_bsm as shown in the example below.

To properly read BSM Audit Logs from a device file, such as /dev/auditpipe, the im_bsm module must be used. Do not use the xm_bsm module in combination with im_file to read BSM logs from a device file.

Setup

For information about setting up BSM Auditing, see the audit documentation of the operating system in question.

Configuration

The xm_bsm module accepts the following directives in addition to the common module directives.

Optional directives

EventFile

This optional directive can be used to specify the path to the audit event database containing a mapping between event names and numeric identifiers. The default location is /etc/security/audit_event which is used when the directive is not specified.

Fields

The following fields are used by xm_bsm.

$raw_event (type: string)

A list of event fields in key-value pairs.

$Arbitrary (type: string)

Arbitrary data token associated with the event, if any

$Arg00.Description (type: string)

The description of argument 0 (there may be additional arguments; for example, Arg01)

$Arg00.Value (type: string)

The value of argument 0

$AttributeDevID (type: string)

The device ID the file might represent

$AttributeFsID (type: string)

The file system ID

$AttributeGID (type: string)

The file owner group ID (GID)

$AttributeMode (type: string)

The file access mode and type

$AttributeNodeID (type: string)

The file inode ID

$AttributeUID (type: string)

The file owner user ID (UID)

$CertHash (type: string)

Certificate hash string set

$Cmd (type: string)

The command, with arguments and environment, executed within the zone

$EventHost (type: string)

The host name of the machine corresponding to the event

$EventModifier (type: string)

The ID modifier that identifies special characteristics of the event

$EventName (type: string)

The name of audit event that the record represents

$EventTime (type: datetime)

The time at which the event occurred

$EventType (type: string)

The type of audit event that the record represents

$ExecArgs (type: string)

The list of arguments to an exec() system call

$ExecEnv (type: string)

The list of the current environment variables to an exec() system call

$ExitErrno (type: string)

The exit status as passed to the exit() system call

$ExitRetval (type: string)

The exit return value that describes the exit status

$FileModificationTime (type: datetime)

The last modification time of the file corresponding to the event (if applicable)

$FileName (type: string)

The name of the file corresponding to the event (if applicable)

$Hostname (type: string)

The IP address or hostname where the event originated

$Identity.CDHash (type: string)

Apple Identity CDHash hex

$Identity.SignerId (type: string)

Apple Identity signer ID

$Identity.SignerIdTruncated (type: string)

Apple Identity signer ID truncated flag

$Identity.SignerType (type: string)

Apple Identity signer type

$Identity.TeamId (type: string)

Apple Identity Team ID

$Identity.TeamIdTruncated (type: string)

Apple Identity Team ID truncated flag

$IPAddress (type: string)

The IP address as part of the IP token

$IPC (type: string)

The IPC handle that is used by the caller to identify a particular IPC object

$IPChecksum (type: string)

The checksum of the IP header

$IPCPermCreatorGID (type: string)

The IPC creator group ID (GID)

$IPCPermCreatorUID (type: string)

The IPC creator user ID (UID)

$IPCPermGID (type: string)

The IPC owner group ID (GID)

$IPCPermKey (type: string)

The IPC permission key

$IPCPermMode (type: string)

The IPC access mode

$IPCPermSeqID (type: string)

The IPC slot sequence

$IPCPermUID (type: string)

The IPC owner user ID (UID)

$IPDestAddr (type: string)

The destination address in the IP header

$IPFragmentOffset (type: string)

The fragment offset field of the IP header

$IPHeaderLen (type: string)

The total length of the IP header

$IPIdent (type: string)

The ID of the IP header

$IPProto (type: string)

The IP protocol

$IPServiceType (type: string)

The IP type of service (TOS)

$IPSrcAddr (type: string)

The source address in the IP header

$IPTTL (type: string)

The time-to-live (TTL) of the IP header

$IPVer (type: string)

The version for the Internet Protocol

$KRB5Principal (type: string)

KRB5Principal strings set

$Opaque (type: string)

The opaque field (unformatted, hexadecimal)

$Path (type: string)

Access path information for an object

$Privilege (type: string)

The privilege token

$ProcessAuditID (type: string)

The audit ID in the Process section

$ProcessGID (type: string)

The effective group ID (GID) in the Process section

$ProcessPID (type: string)

The process ID (PID) in the Process section

$ProcessRealGID (type: string)

The real group ID (GID) in the Process section

$ProcessRealUID (type: string)

The real user ID (UID) in the Process section

$ProcessSID (type: string)

The session ID (SID) in the Process section

$ProcessTerminal.Host (type: string)

The terminal IP address in the Process section

$ProcessTerminal.Port (type: string)

The terminal port in the Process section

$ProcessUID (type: string)

The effective user ID (UID) in the Process section

$ReturnErrno (type: string)

The error status of the system call in the Return section

$ReturnRetval (type: string)

The return value of the system call in the Return section

$Sequence (type: string)

The sequence number

$SocketAddress (type: string)

The remote socket address

$SocketPort (type: string)

The remote socket port

$SocketType (type: string)

The socket type field that indicates the type of socket referenced (TCP/UDP/UNIX)

$SubjectAuditID (type: string)

The invariant audit ID in the Subject section

$SubjectGID (type: string)

The effective group ID (GID) in the Subject section

$SubjectPID (type: string)

The process ID (PID) in the Subject section

$SubjectRealGID (type: string)

The real group ID (GID) in the Subject section

$SubjectRealUID (type: string)

The real user ID (UID) in the Subject section

$SubjectSID (type: string)

The session ID (SID) in the Subject section

$SubjectTerminal.Host (type: string)

The terminal IP address in the Subject section

$SubjectTerminal.Port (type: string)

The terminal port in the Subject section

$SubjectUID (type: string)

The effective user ID (UID) in the Subject section

$TerminalAddress (type: string)

The terminal address as found in a Subject and/or Process token

$TerminalLocalPort (type: string)

The terminal local port as found in a Subject and/or Process token

$TerminalRemotePort (type: string)

The terminal remote port as found in a Subject and/or Process token

$Text (type: string)

A text string associated with the event

$TokenVersion (type: string)

A number that identifies the version of the record structure

$Zone (type: string)

The zone name to which the audit event pertains
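To show how these fields are derived from the binary token stream, here is an added Python example. It is illustration code written for this page, not NXLog's xm_bsm implementation. It parses a constructed two-record BSM log made of header32, subject32, path, return32 and trailer tokens, laid out as in the OpenBSM/Solaris audit record definitions, and names the results after the fields above. The event-name table is an assumed two-entry stand-in for the audit_event database that the EventFile directive points at, and the UIDs, paths, addresses and timestamps in the sample records are made up. Records that do not start with a header, whose header byte count overruns the data, or whose trailer magic or size disagrees with the header are rejected rather than silently accepted.

```python
"""Added example: a minimal parser for BSM audit records, showing how the binary
tokens map onto the xm_bsm field names. Illustration code, not NXLog's xm_bsm.
Token layouts follow the OpenBSM/Solaris definitions for header32, subject32,
path, text, return32 and trailer; any other token is rejected."""
import struct
from datetime import datetime, timezone

AUT_TRAILER, AUT_HEADER32 = 0x13, 0x14
AUT_PATH, AUT_SUBJECT32, AUT_RETURN32, AUT_TEXT = 0x23, 0x24, 0x27, 0x28

# Constructed stand-in for the audit_event database named by EventFile
# (assumed subset; the real /etc/security/audit_event has hundreds of entries).
EVENT_NAMES = {23: "AUE_EXECVE", 72: "AUE_OPEN_R"}


def _cstr(data, off, length):
    """Decode a length-prefixed, NUL-terminated BSM string starting at off."""
    return data[off:off + length].rstrip(b"\x00").decode("utf-8", "replace"), off + length


def iter_records(data: bytes):
    """Split a raw audit log into records using the byte count in each header32."""
    off = 0
    while off < len(data):
        if data[off] != AUT_HEADER32:
            raise ValueError(f"expected header32 at offset {off}, got 0x{data[off]:02x}")
        (size,) = struct.unpack_from(">I", data, off + 1)
        if size < 25 or off + size > len(data):  # 18-byte header + 7-byte trailer minimum
            raise ValueError(f"bad record size {size} at offset {off}")
        yield data[off:off + size]
        off += size


def parse_record(rec: bytes) -> dict:
    """Walk the tokens of one record and return a dict keyed like the xm_bsm fields."""
    f, off = {}, 0
    while off < len(rec):
        tok = rec[off]
        off += 1
        if tok == AUT_HEADER32:
            size, ver, etype, emod, secs, msecs = struct.unpack_from(">IBHHII", rec, off)
            off += 17
            if size != len(rec):
                raise ValueError(f"header claims {size} bytes, record has {len(rec)}")
            f["TokenVersion"], f["EventType"], f["EventModifier"] = ver, etype, emod
            f["EventName"] = EVENT_NAMES.get(etype, f"AUE_UNKNOWN_{etype}")
            f["EventTime"] = datetime.fromtimestamp(secs, tz=timezone.utc).replace(
                microsecond=msecs * 1000)
        elif tok == AUT_SUBJECT32:
            (f["SubjectAuditID"], f["SubjectUID"], f["SubjectGID"], f["SubjectRealUID"],
             f["SubjectRealGID"], f["SubjectPID"], f["SubjectSID"], port,
             addr) = struct.unpack_from(">9I", rec, off)
            off += 36
            f["SubjectTerminal.Port"] = port
            f["SubjectTerminal.Host"] = ".".join(str(b) for b in addr.to_bytes(4, "big"))
        elif tok in (AUT_PATH, AUT_TEXT):
            (length,) = struct.unpack_from(">H", rec, off)
            f["Path" if tok == AUT_PATH else "Text"], off = _cstr(rec, off + 2, length)
        elif tok == AUT_RETURN32:
            f["ReturnErrno"], f["ReturnRetval"] = struct.unpack_from(">BI", rec, off)
            off += 5
        elif tok == AUT_TRAILER:
            magic, size = struct.unpack_from(">HI", rec, off)
            off += 6
            if magic != 0xB105 or size != len(rec):
                raise ValueError("trailer magic or size mismatch")
        else:
            raise ValueError(f"unsupported token 0x{tok:02x} at offset {off - 1}")
    return f


def build_record(etype, secs, msecs, subject, path, errno, retval) -> bytes:
    """Assemble a well-formed record (used only to construct the sample log below)."""
    p = path.encode() + b"\x00"
    body = (bytes([AUT_SUBJECT32]) + struct.pack(">9I", *subject)
            + bytes([AUT_PATH]) + struct.pack(">H", len(p)) + p
            + bytes([AUT_RETURN32]) + struct.pack(">BI", errno, retval))
    total = 18 + len(body) + 7
    header = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", total, 11, etype, 0, secs, msecs)
    trailer = bytes([AUT_TRAILER]) + struct.pack(">HI", 0xB105, total)
    return header + body + trailer


# Constructed sample: audit ID 1001 running as root (euid 0) from 127.0.0.1, pid 4242.
SUBJECT = (1001, 0, 0, 1001, 1001, 4242, 4242, 0, 0x7F000001)
SAMPLE_LOG = (
    build_record(23, 1700000000, 250, SUBJECT, "/usr/bin/id", 0, 0)            # execve, success
    + build_record(72, 1700000001, 0, SUBJECT, "/etc/shadow", 13, 0xFFFFFFFF)  # open, EACCES
)

if __name__ == "__main__":
    for rec in iter_records(SAMPLE_LOG):
        fields = parse_record(rec)
        print(" ".join(f"{k}={v}" for k, v in fields.items()))  # key-value form, like $raw_event
```

Running the script prints one key-value line per record, which is the shape $raw_event takes. Note that both the header and the trailer carry the record byte count: checking that they agree, and that the header count does not run past the end of the data, is what keeps a truncated or corrupted log from being misparsed as a stream of bogus events.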

Examples

Example 1. Parsing BSM events with xm_bsm

This configuration reads BSM audit logs from a file and parses them with the InputType registered by xm_bsm.

nxlog.conf
<Extension bsm_parser>
    Module      xm_bsm
</Extension>

<Input in>
    Module      im_file
    File        '/var/audit/*'
    InputType   bsm_parser
</Input>