NXLog Legacy Documentation

Linux Audit System (im_linuxaudit)

With this module, NXLog can set up Audit rules and collect the resulting logs directly from the kernel without requiring auditd or other user-space software. If the auditd service is installed, it must not be running.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.

Rules must be provided using at least one of the LoadRule and Rules directives. Rules should be specified using the format documented in the Defining Persistent Audit Rules section of the Red Hat Enterprise Linux Security Guide.

The -e control rule should be included in the ruleset to enable the Audit system (as -e 1 or -e 2). Rules are not automatically removed, either before applying a ruleset or when NXLog exits. To clear the current ruleset before setting rules, begin the ruleset with the -D rule. If the Audit configuration is locked when im_linuxaudit starts, NXLog will print a warning and collect events generated by the active ruleset.

It is recommended that FlowControl be disabled for im_linuxaudit module instances. If the im_linuxaudit module instance is suspended and the Audit backlog limit is exceeded, all processes that generate Audit messages will be blocked.

Configuration

The im_linuxaudit module accepts the following directives in addition to the common module directives. At least one of LoadRule and Rules must be specified.

Required directives

The following directives are required for the module to start.

LoadRule

Use this directive to load a ruleset from an external rules file. This directive can be used more than once. Wildcards can be used to read rules from multiple files.

Rules

This directive, specified as a block, can be used to provide Audit rules directly from the NXLog configuration file. The following control rules are supported: -b, -D, -e, -f, -r,--loginuid-immutable, --backlog_wait_time, and --reset-lost; see auditctl(8) for more information. Include::: This directive can be used inside a Rules block to read rules from a separate file. Like the LoadRule directive, wildcards are supported.

Optional directives

LockConfig

If this boolean directive is set to TRUE, NXLog will lock the Audit system configuration after the rules have been set. It will not be possible to modify the Audit configuration until after a reboot. The default is FALSE: the Audit configuration will not be locked.

ResolveValues

This boolean directive, when set to TRUE, enables name resolution for the following fields: $arch, $auid, $cmd, $egid, $euid, $fsgid, $fsuid, $gid, $mode, $new_gid, $oauid, $obj_gid, $obj_uid, $ogid, $ouid, $sauid, $sgid, $suid, $syscall and $uid. These fields will be converted to human-readable strings, similarly to how the ausearch tool resolves them. The xm_resolver module must be loaded for this to work. The default value for this directive is FALSE, meaning that fields will not be resolved.

Fields

The following fields are used by im_linuxaudit.

$raw_event (type: string): A list of event fields in key-value pairs.

$a0 (type: string): The first four arguments of the system call, encoded in hexadecimal notation.

$a1 (type: string): The second four arguments of the system call, encoded in hexadecimal notation.

$a2 (type: string): The third four arguments of the system call, encoded in hexadecimal notation.

$a3 (type: string): The fourth four arguments of the system call, encoded in hexadecimal notation.

$acct (type: string): A user’s account name.

$acl (type: string): Access mode of resource assigned to vm.

$action (type: integer): Netfilter packet disposition.

$added (type: integer): Number of new files detected.

$addr (type: string): The IPv4 or IPv6 address. This field usually follows a hostname field and contains the address the host name resolves to.

$apparmor (type: string): Number of new files detected.

$arch (type: string): Information about the CPU architecture of the system, encoded in hexadecimal notation.

$argc (type: integer): The number of arguments to an execve syscall.

$audit_backlog_limit (type: integer): Audit system’s backlog queue size

$audit_backlog_wait_time (type: integer): Audit system’s backlog wait time

$audit_enabled (type: integer): Audit system’s enable/disable status.

$audit_failure (type: integer): Audit system’s failure mode

$auid (type: integer): The Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user’s identity changes (for example, by switching user accounts with su - john.

$banners (type: string): Banners used on printed page

$bool (type: string): Name of SELinux boolean

$bus (type: string): Name of subsystem bus a vm resource belongs to

$cap_fe (type: integer): Data related to the setting of a file assigned effective capability map

$cap_fi (type: integer): Data related to the setting of an inherited file system-based capability.

$cap_fp (type: integer): Data related to the setting of a permitted file system-based capability.

$cap_fver (type: integer): Data related to the setting of a file system capabilities version number

$cap_pa (type: integer): Data related to the setting of a process ambient capability map.

$cap_pe (type: integer): Data related to the setting of an effective process-based capability.

$cap_pi (type: integer): Data related to the setting of an inherited process-based capability.

$cap_pp (type: integer): Data related to the setting of a permitted process-based capability.

$capability (type: integer): The number of bits that were used to set a particular Linux capability. For more information on Linux capabilities, see the capabilities(7) man page.

$category (type: string): Resource category assigned to vm.

$cgroup (type: string): The path to the cgroup that contains the process at the time the Audit event was generated.

$changed (type: integer): Number of changed files.

$cipher (type: string): Name of crypto cipher selected.

$class (type: string): Resource class assigned to vm.

$cmd (type: string): The entire command line that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the cmd field records the rest of the command line that is executed, for example helloworld.sh --help.

$code (type: integer): Seccomp action code.

$comm (type: string): The command that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the comm field records the name of the script that is executed, for example helloworld.sh.

$compat (type: integer): is_compat_task result.

$cwd (type: string): The path to the directory in which a system call was invoked.

$daddr (type: string): Remote IP address.

$data (type: string): Data associated with TTY records.

$default-context (type: string): Default MAC context.

$dev (type: string): The minor and major ID of the device that contains the file or directory recorded in an event.

$device (type: string): Device name.

$devmajor (type: string): The major device ID.

$devminor (type: string): The minor device ID.

$dir (type: string): Directory name.

$direction (type: string): Direction of crypto operation.

$dmac (type: string): Remote MAC address.

$dport (type: integer): Remote port number.

$egid (type: integer): The effective group ID of the user who started the analyzed process.

$enforcing (type: integer): New MAC enforcement status.

$entries (type: integer): Number of entries in the netfilter table.

$errno (type: integer): Error code of the audited operation.

$euid (type: integer): The effective user ID of the user who started the analyzed process.

$exe (type: string): The path to the executable that was used to invoke the analyzed process.

$exit (type: integer): The exit code returned by a system call. This value varies by system call. You can interpret the value to its human-readable equivalent with the following command: ausearch --interpret --exit exit_code

$fam (type: string): Socket address family.

$family (type: string): The type of address protocol that was used, either IPv4 or IPv6.

$fd (type: integer): File descriptor number.

$fe (type: integer): File assigned effective capability map.

$feature (type: string): Kernel feature being changed.

$fi (type: integer): File assigned inherited capability map.

$file (type: string): File name.

$filetype (type: string): The type of the file.

$flags (type: integer): The file system name flags.

$format (type: string): Audit log’s format.

$fp (type: string): File assigned permitted capability map.

$fsgid (type: integer): The file system group ID of the user who started the analyzed process.

$fsuid (type: integer): The file system user ID of the user who started the analyzed process.

$fver (type: integer): File system capabilities version number.

$gid (type: integer): The group ID.

$grantors (type: string): PAM modules approving the action.

$grp (type: string): Group name.

$hook (type: string): Netfilter hook that packet came from.

$hostname (type: string): The host name.

$icmp_type (type: integer): Type of icmp message.

$icmptype (type: string): The type of a Internet Control Message Protocol (ICMP) package that is received. Audit messages containing this field are usually generated by iptables.

$id (type: integer): The user ID of an account that was changed.

$igid (type: integer): IPC object’s group ID.

$img-ctx (type: string): The vm’s disk image context string.

$inif (type: integer): In interface number.

$ino (type: integer): Inode number.

$inode (type: integer): The inode number associated with the file or directory recorded in an Audit event.

$inode_gid (type: integer): The group ID of the inode’s owner.

$inode_uid (type: integer): The user ID of the inode’s owner.

$invalid_context (type: string): SELinux context.

$ioctlcmd (type: integer): The request argument to the ioctl syscall.

$ip (type: string): Network address of a printer.

$ipid (type: integer): IP datagram fragment identifier.

$ipx-net (type: integer): IPX network number.

$item (type: integer): Which item is being recorded.

$items (type: integer): The number of path records that are attached to this record.

$iuid (type: integer): IPC object’s user ID.

$kernel (type: string): Kernel’s version number.

$key (type: string): The user defined string associated with a rule that generated a particular event in the Audit log.

$kind (type: string): Server or client in crypto operation.

$ksize (type: integer): Key size for crypto operation.

$laddr (type: string): Local network address.

$len (type: integer): Length.

$list (type: string): The Audit rule list ID. The following is a list of known IDs: 0 — user 1 — task 4 — exit 5 — exclude.

$lport (type: string): Local network port.

$mac (type: string): Crypto MAC algorithm selected.

$macproto (type: integer): Ethernet packet type ID field.

$maj (type: integer): Device major number.

$major (type: integer): Device major number.

$minor (type: integer): Device minor number.

$mode (type: string): The file or directory permissions, encoded in numerical notation.

$model (type: string): Security model being used for virt.

$msg (type: string): A time stamp and a unique ID of a record, or various event-specific <name>=<value> pairs provided by the kernel or user-space applications.

$msgtype (type: string): The message type that is returned in case of a user-based AVC denial. The message type is determined by D-Bus.

$name (type: string): The full path of the file or directory that was passed to the system call as an argument.

$nametype (type: string): File name in avcs.

$nargs (type: integer): The number of arguments to a socket call.

$net (type: string): Network MAC address.

$new (type: integer): Value being set in feature.

$new-chardev (type: string): New character device being assigned to vm.

$new-disc (type: string): The name of a new disk resource that is assigned to a virtual machine.

$new-disk (type: string): Disk being added to vm.

$new-enabled (type: integer): New TTY audit enabled setting.

$new-fs (type: string): File system being added to vm.

$new-level (type: string): New run level.

$new-lock (type: integer): New value of feature lock.

$new-log_passwd (type: string): New value for TTY password logging.

$new-mem (type: integer): The amount of a new memory resource that is assigned to a virtual machine.

$new-net (type: string): The MAC address of a new network interface resource that is assigned to a virtual machine.

$new-pe (type: integer): New process effective capability map(deprec).

$new-pi (type: integer): New process inherited capability map(deprec).

$new-pp (type: integer): New process permitted capability map(deprec).

$new-range (type: string): New SELinux range.

$new-rng (type: string): Device name of rng being added from a vm.

$new-role (type: string): New SELinux role.

$new-seuser (type: string): New SELinux user.

$new-vcpu (type: integer): The number of a new virtual CPU resource that is assigned to a virtual machine.

$new_gid (type: integer): A group ID that is assigned to a user.

$nlnk-fam (type: integer): Netlink protocol number.

$nlnk-grp (type: integer): Netlink group number.

$nlnk-pid (type: integer): PID of netlink packet sender.

$oauid (type: integer): The user ID of the user that has logged in to access the system (as opposed to, for example, using su) and has started the target process. This field is exclusive to the record of type OBJ_PID.

$obj (type: string): The SELinux context of an object. An object can be a file, a directory, a socket, or anything that is receiving the action of a subject.

$obj_gid (type: integer): The group ID of an object.

$obj_lev_high (type: string): The high SELinux level of an object.

$obj_lev_low (type: string): The low SELinux level of an object.

$obj_role (type: string): The SELinux role of an object.

$obj_uid (type: integer): The UID of an object.

$obj_user (type: string): The user that is associated with an object.

$ocomm (type: string): The command that was used to start the target process.This field is exclusive to the record of type OBJ_PID.

$oflag (type: integer): Open syscall flags.

$ogid (type: integer): The object owner’s group ID.

$old (type: string): Present value of kernel feature.

$old-auid (type: integer): Previous auid value.

$old-chardev (type: string): Present character device assigned to vm.

$old-disk (type: string): The name of an old disk resource when a new disk resource is assigned to a virtual machine.

$old-enabled (type: integer): Present TTY audit enabled setting.

$old-enforcing (type: integer): Old MAC enforcement status.

$old-fs (type: string): File system being removed from vm.

$old-level (type: string): Old run level.

$old-lock (type: integer): Present value of feature lock.

$old-log_passwd (type: integer): Present value for TTY password logging.

$old-mem (type: integer): The amount of an old memory resource when a new amount of memory is assigned to a virtual machine.

$old-net (type: string): The MAC address of an old network interface resource when a new network interface is assigned to a virtual machine.

$old-range (type: string): Present SELinux range.

$old-rng (type: string): Device name of rng being removed from a vm.

$old-role (type: string): Present SELinux role.

$old-ses (type: integer): Previous ses value.

$old-seuser (type: string): Present SELinux user.

$old-vcpu (type: integer): The number of an old virtual CPU resource when a new virtual CPU is assigned to a virtual machine.

$old_pa (type: integer): Old process ambient capability map.

$old_pe (type: integer): Old process effective capability map.

$old_pi (type: integer): Old process inherited capability map.

$old_pp (type: integer): Old process permitted capability map.

$old_prom (type: integer): The previous value of the network promiscuity flag.

$old_val (type: integer): Current value of SELinux boolean.

$op (type: string): The operation being performed that is audited.

$opid (type: integer): The process ID of the target process. This field is exclusive to the record of type OBJ_PID.

$oses (type: string): The session ID of the target process. This field is exclusive to the record of type OBJ_PID.

$ouid (type: integer): Records the real user ID of the user who started the target process.

$outif (type: integer): Out interface number.

$pa (type: integer): Process ambient capability map.

$parent (type: integer): The inode number of the parent file.

$path (type: string): The full path of the file or directory that was passed to the system call as an argument in case of AVC-related Audit events.

$pe (type: integer): Process effective capability map.

$per (type: string): Linux personality.

$perm (type: string): The file permission that was used to generate an event (that is, read, write, execute, or attribute change).

$perm_mask (type: integer): File permission mask that triggered a watch event.

$permissive (type: integer): SELinux is in permissive mode.

$pfs (type: string): Perfect forward secrecy method.

$pi (type: integer): Process inherited capability map.

$pid (type: integer): The pid field semantics depend on the origin of the value in this field. In fields generated from user space, this field holds a process ID. In fields generated by the kernel, this field holds a thread ID. The thread ID is equal to process ID for single-threaded processes. Note that the value of this thread ID is different from the values of pthread_t IDs used in user space. For more information, see the gettid(2) man page.

$pp (type: integer): Process permitted capability map.

$ppid (type: integer): The Parent Process ID (PID).

$printer (type: string): Printer name.

$proctitle (type: string): Process title and command line parameters.

$prom (type: string): The network promiscuity flag.

$proto (type: string): The networking protocol that was used. This field is specific to Audit events generated by iptables.

$qbytes (type: integer): IPC objects quantity of bytes.

$range (type: string): User’s SE Linux range.

$rdev (type: integer): The device identifier (special files only).

$reason (type: string): Text string denoting a reason for the action.

$removed (type: integer): Number of deleted files.

$res (type: string): The result of the operation that triggered the Audit event.

$resrc (type: string): Resource being assigned.

$result (type: string): The result of the operation that triggered the Audit event.

$role (type: string): User’s SELinux role.

$rport (type: integer): Remote port number.

$saddr (type: string): The socket address.

$sauid (type: integer): The sender Audit login user ID. This ID is provided by D-Bus as the kernel is unable to see which user is sending the original auid.

$scontext (type: string): The subject’s context string.

$selected-context (type: string): New MAC context assigned to session.

$seperm (type: string): SELinux permission being decided on.

$seperms (type: string): SELinux permissions being used.

$seqno (type: integer): Sequence number.

$seresult (type: string): SELinux AVC decision granted/denied.

$ses (type: string): The session ID of the session from which the analyzed process was invoked.

$seuser (type: string): User’s SE Linux user acct.

$sgid (type: integer): The set group ID of the user who started the analyzed process.

$sig (type: string): The number of a signal that causes a program to end abnormally. Usually, this is a sign of a system intrusion.

$sigdev_signo (type: integer): Signal number.

$smac (type: integer): Local MAC address.

$spid (type: integer): Sent process ID.

$sport (type: integer): Local port number.

$state (type: string): Audit daemon configuration resulting state.

$subj (type: string): The SELinux context of a subject. A subject can be a process, a user, or anything that is acting upon an object.

$subj_clr (type: string): The SELinux clearance of a subject.

$subj_role (type: string): The SELinux role of a subject.

$subj_sen (type: string): The SELinux sensitivity of a subject.

$subj_user (type: string): The user that is associated with a subject.

$success (type: string): Whether a system call was successful or failed.

$suid (type: integer): The set user ID of the user who started the analyzed process.

$syscall (type: string): The type of the system call that was sent to the kernel.

$table (type: string): Netfilter table name.

$tclass (type: string): Target’s object classification.

$tcontext (type: string): The target’s or object’s context string.

$terminal (type: string): The terminal name (without /dev/).

$tty (type: string): The name of the controlling terminal. The value (none) is used if the process has no controlling terminal.

$type (type: string): The audit record’s type.

$uid (type: integer): the real user ID of the user who started the analyzed process.

$unit (type: string): Systemd unit.

$uri (type: string): URI pointing to a printer.

$user (type: string): Account submitted for authentication.

$uuid (type: string): A UUID.

$val (type: string): Generic value associated with the operation.

$ver (type: integer): Audit daemon’s version number.

$virt (type: string): Kind of virtualization being referenced.

$vm (type: string): The name of a virtual machine from which the Audit event originated.

$vm-ctx (type: string): The vm’s context string.

$vm-pid (type: integer): VM’s process ID.

$watch (type: string): File name in a watch record.

Examples

Example 1. Collecting audit logs with LoadRule directive

This configuration uses a set of external rule files to configure the Audit system.

nxlog.conf

<Input audit>
    Module      im_linuxaudit
    FlowControl FALSE
    LoadRule    'im_linuxaudit_*.rules'
</Input>

Example 2. Collecting audit logs with a rules block

This configuration lists the rules inside the NXLog configuration file instead of using a separate Audit rules file.

nxlog.conf

<Input audit>
    Module      im_linuxaudit
    FlowControl FALSE
    <Rules>
        # Watch /etc/passwd for modifications and tag with 'passwd'
        -w /etc/passwd -p wa -k passwd
    </Rules>
</Input>