diff --git a/linux_audit_logs/README.md b/linux_audit_logs/README.md index a8869151c214d..80b6653242eac 100644 --- a/linux_audit_logs/README.md +++ b/linux_audit_logs/README.md @@ -12,6 +12,7 @@ This integration provides enrichment and visualization for various log types, in - **User and group** management activities - **SELinux user** errors - **Access Vector Cache (AVC)** logs +- **System Call** logs It supports these logs across **Red Hat**, **Ubuntu**, and **CentOS** Linux operating systems. @@ -79,6 +80,25 @@ For Linux, run: sudo systemctl restart auditd ``` +### Set up Audit Rules (optional) + +1. Create or Edit the audit rules file: + ```shell + sudo nano /etc/audit/rules.d/audit.rules + ``` + +2. Configure the audit rules based on your requirements. For reference, see [audit rulesets][9]. + +3. Reload audit rules: + ```shell + sudo augenrules --load + ``` + +4. Verify loaded rules: + ```shell + sudo auditctl -l + ``` + ### Validation [Run the Agent's status subcommand][8] and look for `linux_audit_logs` under the Checks section. @@ -134,3 +154,4 @@ Need help? Contact [Datadog support][1]. [6]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install [7]: https://github.com/DataDog/integrations-core/blob/master/linux_audit_logs/datadog_checks/linux_audit_logs/data/conf.yaml.example [8]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information +[9]: https://github.com/Neo23x0/auditd/tree/master diff --git a/linux_audit_logs/assets/dashboards/linux_audit_logs_system_call.json b/linux_audit_logs/assets/dashboards/linux_audit_logs_system_call.json new file mode 100644 index 0000000000000..9127d49e9cc92 --- /dev/null +++ b/linux_audit_logs/assets/dashboards/linux_audit_logs_system_call.json 
@@ -0,0 +1,781 @@ +{ + "title": "Linux Audit Logs - System Call", + "description": "This dashboard provides insights into system calls activity.", + "widgets": [ + { + "id": 2014017260122817, + "definition": { + "type": "image", + "url": "https://static.datadoghq.com/static/images/logos/linux_large.svg", + "url_dark_theme": "https://static.datadoghq.com/static/images/logos/linux_reversed_large.svg", + "sizing": "cover", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 8393506909056929, + "definition": { + "type": "note", + "content": "**Overview**\n\nThis dashboard provides a comprehensive view of system-level operations (syscalls) captured through Linux audit logs. It helps monitor user activity, command execution, and system resource access patterns for security and compliance.\n\nFor more information, see the [Linux Audit Logs Integration Documentation](https://docs.datadoghq.com/integrations/linux_audit_logs/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 3 + } + }, + { + "id": 7626313237455157, + "definition": { + "title": "Total System Call Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { 
+ "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_yellow", + "custom_bg_color": "#c6f0ec" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 5461026520235219, + "definition": { + "title": "System Call activities by Result over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@result", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "orange", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 3 + } + }, + { + "id": 6062871624871401, + "definition": { + "title": "Failed System Call Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL @success:no $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": 
{ + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red", + "custom_bg_color": "#c6f0ec" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 4, + "height": 3 + } + }, + { + "id": 2349259319255980, + "definition": { + "title": "Most Frequent System Call by Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@SYSCALL", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 6, + "width": 8, + "height": 3 + } + }, + { + "id": 268435590479625, + "definition": { + "title": "Top Users Performing System Call by Result", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + 
"metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@result", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 4591978141840078, + "definition": { + "title": "Top System Call Commands by Result", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@comm", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@result", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 1377943291970987, + "definition": { + "title": "Top System Call User Groups by Result", + 
"title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@GID", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@result", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 8547786659125490, + "definition": { + "title": "Top Executable Path for System Call by Result", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@exe", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@result", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": 
"query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 13, + "width": 6, + "height": 4 + } + }, + { + "id": 727319760658928, + "definition": { + "title": "Top Audit Rule Keys by Result", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@key", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@result", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 13, + "width": 6, + "height": 4 + } + }, + { + "id": 6402915249152484, + "definition": { + "title": "System Call Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:linux-audit-logs service:linux-audit-logs @type:SYSCALL $Result $Key $User-Name $Command", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": 
"timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "result", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 17, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Result", + "prefix": "@result", + "available_values": [], + "default": "*" + }, + { + "name": "Key", + "prefix": "@key", + "available_values": [], + "default": "*" + }, + { + "name": "User-Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "Command", + "prefix": "@comm", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/linux_audit_logs/assets/logs/linux-audit-logs.yaml b/linux_audit_logs/assets/logs/linux-audit-logs.yaml index 91011007a61e0..d6125f2dc1751 100644 --- a/linux_audit_logs/assets/logs/linux-audit-logs.yaml +++ b/linux_audit_logs/assets/logs/linux-audit-logs.yaml @@ -117,9 +117,14 @@ pipeline: subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 - pid=12243 uid=0 auid=1001 ses=535 subj=unconfined - apparmor="ALLOWED" + - arch=c000003e syscall=257 success=yes exit=13 a0=ffffffffffffff9c + a1=c0012fe0c0 a2=80000 a3=0 items=1 ppid=1 pid=1055 auid=4294967295 + uid=111 gid=111 euid=111 suid=111 fsuid=111 egid=111 sgid=111 + fsgid=111 tty=(none) ses=4294967295 comm="agent" + exe="/opt/datadog-agent/bin/agent/agent" subj=unconfined key=(null) grok: supportRules: "" - matchRules: parse_pre_msg_kv_rule %{data::keyvalue("=",":?/\"|*<>,")} + matchRules: parse_pre_msg_kv_rule %{data::keyvalue("=",":?/\"|*<>,()")} - type: grok-parser name: Parsing `msg_raw` attribute enabled: true 
@@ -145,7 +150,7 @@ pipeline: pid=838 comm="rsyslogd" capability=12 capname="net_admin" grok: supportRules: >- - extract_kv_pair %{data::keyvalue("=",":?/\"|*<>,")} + extract_kv_pair %{data::keyvalue("=",":?/\"|*<>,()")} extract_UID_or_OUID_or_FSUID_or_SAUID_SUID (UID="%{regex("[^\"]*"):UID}"|OUID="%{regex("[^\"]*"):OUID}"|FSUID="%{regex("[^\"]*"):FSUID}"|SAUID="%{regex("[^\"]*"):SAUID}"|SUID="%{regex("[^\"]*"):SUID}") @@ -242,6 +247,20 @@ pipeline: targetType: attribute preserveSource: false overrideOnConflict: false + - type: pipeline + name: Parsing SYSCALL logs + enabled: true + filter: + query: "@type:SYSCALL" + processors: + - name: Lookup on `success` to `result` Field + enabled: true + source: success + target: result + lookupTable: |- + yes,success + no,failed + type: lookup-processor - type: grok-parser name: Convert `msg.grantors` attribute to array enabled: true diff --git a/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml b/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml index 9a26ac78c437c..17fd9584cf18e 100644 --- a/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml +++ b/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml 
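Review bot: In the `Parsing SYSCALL logs` sub-pipeline the lookup covers only `yes` and `no`; a SYSCALL record whose `success` is absent or carries any other value gets no `result` at all, and because the dashboard toplists set `should_exclude_missing: true` on `@result`, such events silently drop out of every "by Result" view. Consider giving the lookup a default value for unmatched entries (the lookup processor's default-lookup option), e.g. `unknown`, so the gap is visible instead of hidden. The `@type:SYSCALL` filter is appropriate given the `type: "SYSCALL"` attribute the tests show, and keeping the raw `success` attribute alongside `result` is fine for searchability.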
@@ -262,4 +262,57 @@ tests: status: "ok" tags: - "source:LOGS_SOURCE" - timestamp: 1740980591704 \ No newline at end of file + timestamp: 1740980591704 + - + sample: "type=SYSCALL msg=audit(1747642001.320:8116): arch=c000003e syscall=192 success=no exit=-61 a0=7ffd2507073f a1=70ad74e0f197 a2=61ca25006a90 a3=ff items=1 ppid=21718 pid=22639 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=24 comm=\"ls\" exe=\"/usr/bin/ls\" subj=unconfined key=\"auditlog\"\x1dARCH=x86_64 SYSCALL=lgetxattr AUID=\"devuser\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"" + result: + custom: + ARCH: "x86_64" + AUID: "devuser" + EGID: "root" + EUID: "root" + FSGID: "root" + FSUID: "root" + GID: "root" + SGID: "root" + SUID: "root" + SYSCALL: "lgetxattr" + a0: "7ffd2507073f" + a1: "70ad74e0f197" + a2: "61ca25006a90" + a3: "ff" + arch: "c000003e" + auid: 1002 + comm: "ls" + egid: 0 + euid: 0 + event_id: 8116 + exe: "/usr/bin/ls" + exit: -61 + fsgid: 0 + fsuid: 0 + gid: 0 + items: 1 + key: "auditlog" + msg_raw: "" + pid: 22639 + post_msg_kv: "" + ppid: 21718 + pre_msg_kv: "" + result: "failed" + ses: 24 + sgid: 0 + subj: "unconfined" + success: "no" + suid: 0 + syscall: 192 + timestamp: 1.74764200132E12 + tty: "pts5" + type: "SYSCALL" + usr: + id: 0 + name: "root" + message: "type=SYSCALL msg=audit(1747642001.320:8116): arch=c000003e syscall=192 success=no exit=-61 a0=7ffd2507073f a1=70ad74e0f197 a2=61ca25006a90 a3=ff items=1 ppid=21718 pid=22639 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=24 comm=\"ls\" exe=\"/usr/bin/ls\" subj=unconfined key=\"auditlog\"\x1dARCH=x86_64 SYSCALL=lgetxattr AUID=\"devuser\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"" + tags: + - "source:LOGS_SOURCE" + timestamp: 1747642001320 \ No newline at end of file 
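Review bot: The added test exercises only the `success=no` path (`result: "failed"`) with a quoted `key=\"auditlog\"`; neither the `yes` branch of the new lookup nor the `()` addition to the keyvalue character set (`tty=(none)`, `key=(null)`) is pinned by a test, and the sample added to linux-audit-logs.yaml in this same change is exactly the input that would cover both, so a second case built from it would close the gap. The expected output also asserts the scratch attributes `msg_raw: ""`, `pre_msg_kv: ""` and `post_msg_kv: ""`; if those are intermediates of the grok stages rather than part of the log contract, they presumably should be dropped by the pipeline instead of being locked in here. The fixture documents that `usr.name` is `root` while `AUID` is `devuser`, which is worth a one-line comment on the sample since the login UID is the attribute a security consumer will want for attribution.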
diff --git a/linux_audit_logs/images/linux_audit_logs_system_call.png b/linux_audit_logs/images/linux_audit_logs_system_call.png new file mode 100644 index 0000000000000..d7ee19deb27d7 Binary files /dev/null and b/linux_audit_logs/images/linux_audit_logs_system_call.png differ diff --git a/linux_audit_logs/manifest.json b/linux_audit_logs/manifest.json index a9077b62e8929..d334074e22a62 100644 --- a/linux_audit_logs/manifest.json +++ b/linux_audit_logs/manifest.json @@ -30,6 +30,11 @@ "caption": "Linux Audit Logs - Overview", "image_url": "images/linux_audit_logs_overview_4.png", "media_type": "image" + }, + { + "caption": "Linux Audit Logs - System Call", + "image_url": "images/linux_audit_logs_system_call.png", + "media_type": "image" } ], "classifier_tags": [ @@ -54,7 +59,8 @@ } }, "dashboards": { - "Linux Audit Logs - Overview": "assets/dashboards/linux_audit_logs_overview.json" + "Linux Audit Logs - Overview": "assets/dashboards/linux_audit_logs_overview.json", + "Linux Audit Logs - System Call": "assets/dashboards/linux_audit_logs_system_call.json" }, "logs": { "source": "linux-audit-logs" @@ -66,4 +72,4 @@ "homepage": "https://www.datadoghq.com", "sales_email": "info@datadoghq.com" } -} +} \ No newline at end of file