From ac244fbfbdeb0944b2b1f84f171b583c0beb828b Mon Sep 17 00:00:00 2001 From: Cepolation-Datadog <86613440+cepolation-datadog@users.noreply.github.com> Date: Thu, 2 Jul 2026 10:47:03 -0500 Subject: [PATCH] Linux Audit Logs: OCSF pipeline style guide fixes (#24304) * Apply OCSF style guide fixes to linux audit logs pipeline. Co-Authored-By: Claude Sonnet 4.6 * Fix EXECVE actor mapper and facet conflicts flagged by CI. Add ocsf.actor.app_name self-map to Process Activity EXECVE pipeline so the backend validator sees at least one actor mapper. Fix three facet definitions conflicting with other integrations: rename ocsf.device.ip to "Device IP", add facetType/type to ocsf.dst_endpoint.port and ocsf.time. --------- Co-authored-by: Claude Sonnet 4.6 --- .../assets/logs/linux-audit-logs.yaml | 2115 +++++++++-------- .../assets/logs/linux-audit-logs_tests.yaml | 173 +- 2 files changed, 1284 insertions(+), 1004 deletions(-) diff --git a/linux_audit_logs/assets/logs/linux-audit-logs.yaml b/linux_audit_logs/assets/logs/linux-audit-logs.yaml index 2ee31c723e274..f8fcbd12b7871 100644 --- a/linux_audit_logs/assets/logs/linux-audit-logs.yaml +++ b/linux_audit_logs/assets/logs/linux-audit-logs.yaml @@ -54,14 +54,11 @@ facets: name: User Name path: usr.name source: log - - description: '' - facetType: list - groups: + - groups: - Linux Audit Logs name: Config path: linux_audit_logs.bool source: log - type: string - groups: - OCSF name: Activity Name 
@@ -69,29 +66,203 @@ facets: source: log - groups: - OCSF - name: Severity - path: ocsf.severity + name: Actor Application Name + path: ocsf.actor.app_name + source: log + - groups: + - OCSF + name: Actor Process Name + path: ocsf.actor.process.name + source: log + - groups: + - OCSF + name: Actor Process Path + path: ocsf.actor.process.path + source: log + - groups: + - OCSF + name: Actor Process ID + path: ocsf.actor.process.pid + source: log + - groups: + - OCSF + name: Actor Process User Name + path: ocsf.actor.process.user.name + source: log + - groups: + - OCSF + name: Actor Process User Unique ID + path: ocsf.actor.process.user.uid + source: log + - groups: + - OCSF + name: Actor Session Terminal + path: ocsf.actor.session.terminal + source: log + - groups: + - OCSF + name: Session Unique ID + path: ocsf.actor.session.uid + source: log + - groups: + - OCSF + name: Name + path: ocsf.actor.user.name + source: log + - groups: + - OCSF + name: Unique ID + path: ocsf.actor.user.uid + source: log + - groups: + - OCSF + name: Device Hostname + path: ocsf.device.hostname source: log - groups: - OCSF - name: Device Type - path: ocsf.device.type + name: Device IP + path: ocsf.device.ip source: log - groups: - OCSF - name: File Type - path: ocsf.file.type + name: Device Name + path: ocsf.device.name + source: log + - groups: + - OCSF + name: Device OS Name + path: ocsf.device.os.name + source: log + - groups: + - OCSF + name: Device Unique ID + path: ocsf.device.uid + source: log + - groups: + - OCSF + name: Dst Endpoint Hostname + path: ocsf.dst_endpoint.hostname + source: log + - groups: + - OCSF + name: Destination IP Address + path: ocsf.dst_endpoint.ip + source: log + - groups: + - OCSF + name: Destination Endpoint Name + path: ocsf.dst_endpoint.name + source: log + - facetType: range + groups: + - OCSF + name: Dst Endpoint Port + path: ocsf.dst_endpoint.port + source: log + type: integer + - groups: + - OCSF + name: File Extension + path: ocsf.file.ext source: 
log - groups: - OCSF name: File Name path: ocsf.file.name source: log + - groups: + - OCSF + name: File Path + path: ocsf.file.path + source: log + - groups: + - OCSF + name: File Unique ID + path: ocsf.file.uid + source: log + - groups: + - OCSF + name: Group Name + path: ocsf.group.name + source: log + - groups: + - OCSF + name: Group Unique ID + path: ocsf.group.uid + source: log + - groups: + - OCSF + name: Event Code + path: ocsf.metadata.event_code + source: log + - groups: + - OCSF + name: Metadata Original Time + path: ocsf.metadata.original_time + source: log + - groups: + - OCSF + name: Product Name + path: ocsf.metadata.product.name + source: log + - groups: + - OCSF + name: Vendor Name + path: ocsf.metadata.product.vendor_name + source: log + - groups: + - OCSF + name: Metadata Event UID + path: ocsf.metadata.uid + source: log + - groups: + - OCSF + name: Privileges + path: ocsf.privileges + source: log + - groups: + - OCSF + name: Process Command Line + path: ocsf.process.cmd_line + source: log - groups: - OCSF name: Process Name path: ocsf.process.name source: log + - groups: + - OCSF + name: Process Path + path: ocsf.process.path + source: log + - groups: + - OCSF + name: Process ID + path: ocsf.process.pid + source: log + - groups: + - OCSF + name: Process Unique ID + path: ocsf.process.uid + source: log + - facetType: range + groups: + - OCSF + name: Event Time + path: ocsf.time + source: log + type: integer + - groups: + - OCSF + name: Target Name + path: ocsf.user.name + source: log + - groups: + - OCSF + name: Target Unique ID + path: ocsf.user.uid + source: log pipeline: type: pipeline name: Linux Audit Logs @@ -439,6 +610,8 @@ pipeline: - type: pipeline name: OCSF pre transformations enabled: true + ocsf: + isOcsf: true filter: query: "@type:(ADD_GROUP OR DEL_GROUP OR ADD_USER OR DEL_USER OR USER_CHAUTHTOK OR USER_AUTH OR ROLE_ASSIGN OR ROLE_REMOVE OR PATH OR USER_ROLE_CHANGE 
@@ -485,157 +658,6 @@ pipeline: expression: timestamp/1000 target: original_timestamp replaceMissing: false - - type: pipeline - name: OCSF sub pipeline for class Base Event [0] - enabled: true - ocsf: - isOcsf: true - filter: - query: "@type:(USER_ROLE_CHANGE OR USER_SELINUX_ERR OR DAEMON_CONFIG OR DAEMON_ABORT OR MAC_CONFIG_CHANGE OR MAC_STATUS OR MAC_POLICY_LOAD OR AVC OR CONFIG_CHANGE)" - processors: - - type: schema-processor - name: Apply OCSF schema for 0 - enabled: true - schema: - schemaType: ocsf - version: 1.5.0 - className: Base Event - classUid: 0 - extensions: [] - profiles: - - host - mappers: - - name: ocsf.activity_id - categories: - - filter: - query: "*" - name: Other - id: 99 - targets: - name: ocsf.activity_name - id: ocsf.activity_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: ocsf.severity_id - categories: - - filter: - query: "*" - name: Informational - id: 1 - targets: - name: ocsf.severity - id: ocsf.severity_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: ocsf.status_id - categories: - - filter: - query: '@msg.res:("success" OR 1)' - name: Success - id: 1 - - filter: - query: '@msg.res:("failed" OR 2)' - name: Failure - id: 2 - targets: - name: ocsf.status - id: ocsf.status_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: Map `timestamp` to `ocsf.time` - sources: - - timestamp - sourceType: attribute - target: ocsf.time - targetFormat: integer - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` - sources: - - ocsf.metadata.product.name - sourceType: attribute - target: ocsf.metadata.product.name - targetFormat: string - preserveSource: false - overrideOnConflict: true - type: schema-remapper - - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` - sources: - - ocsf.metadata.product.vendor_name - sourceType: 
attribute - target: ocsf.metadata.product.vendor_name - targetFormat: string - preserveSource: false - overrideOnConflict: true - type: schema-remapper - - name: Map `type` to `ocsf.metadata.event_code` - sources: - - type - sourceType: attribute - target: ocsf.metadata.event_code - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `event_id` to `ocsf.metadata.uid` - sources: - - event_id - sourceType: attribute - target: ocsf.metadata.uid - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `original_timestamp` to `ocsf.metadata.original_time` - sources: - - original_timestamp - sourceType: attribute - target: ocsf.metadata.original_time - targetFormat: string - preserveSource: false - overrideOnConflict: true - type: schema-remapper - - name: Map `type` to `ocsf.activity_name` - sources: - - type - sourceType: attribute - target: ocsf.activity_name - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: ocsf.device.os.type_id - categories: - - filter: - query: "*" - name: Linux - id: 200 - targets: - name: ocsf.device.os.type - id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: ocsf.device.type_id - categories: - - filter: - query: "*" - name: Unknown - id: 0 - targets: - name: ocsf.device.type - id: ocsf.device.type_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - type: pipeline name: OCSF sub pipeline for class File System Activity [1001] enabled: true @@ -738,12 +760,13 @@ pipeline: query: "@mode:[120000 TO 127777]" name: Symbolic Link id: 3 + - filter: + query: "*" + name: Unknown + id: 0 targets: name: ocsf.file.type id: ocsf.file.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.severity_id categories: 
@@ -754,9 +777,6 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: @@ -767,9 +787,6 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: @@ -873,7 +890,7 @@ pipeline: sourceType: attribute target: ocsf.actor.user.uid targetFormat: string - preserveSource: false + preserveSource: true overrideOnConflict: true type: schema-remapper - name: Map `OUID` to `ocsf.actor.user.name` @@ -882,6 +899,24 @@ pipeline: sourceType: attribute target: ocsf.actor.user.name targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string preserveSource: false overrideOnConflict: true type: schema-remapper @@ -894,9 +929,6 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - type: pipeline name: OCSF sub pipeline for class File System Activity [1001] from SYSCALL @@ -979,7 +1011,9 @@ pipeline: values: ocsf.activity_id: "99" ocsf.activity_name: Other - sources: {} + sources: + ocsf.activity_name: + - SYSCALL type: schema-category-mapper - name: ocsf.severity_id categories: @@ -990,9 +1024,6 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: 
@@ -1003,9 +1034,6 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.file.type_id categories: @@ -1016,9 +1044,6 @@ pipeline: targets: name: ocsf.file.type id: ocsf.file.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.status_id categories: @@ -1033,9 +1058,6 @@ pipeline: targets: name: ocsf.status id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: @@ -1172,6 +1194,24 @@ pipeline: preserveSource: true overrideOnConflict: true type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper - name: ocsf.device.os.type_id categories: - filter: @@ -1181,9 +1221,6 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - type: pipeline name: OCSF sub pipeline for class Module Activity [1005] @@ -1225,9 +1262,6 @@ pipeline: targets: name: ocsf.activity_name id: ocsf.activity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.module.load_type_id categories: @@ -1238,9 +1272,6 @@ pipeline: targets: name: ocsf.module.load_type id: ocsf.module.load_type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.severity_id categories: 
@@ -1251,9 +1282,6 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: @@ -1264,9 +1292,6 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.status_id categories: @@ -1281,9 +1306,6 @@ pipeline: targets: name: ocsf.status id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: @@ -1420,6 +1442,24 @@ pipeline: preserveSource: true overrideOnConflict: true type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper - name: ocsf.device.os.type_id categories: - filter: 
@@ -1429,30 +1469,105 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - type: pipeline - name: OCSF sub pipeline for class Account Change [3001] + name: OCSF sub pipeline for class Process Activity [1007] for EXECVE enabled: true ocsf: isOcsf: true filter: - query: "@type:(ADD_USER OR DEL_USER OR USER_CHAUTHTOK)" + query: "@type:EXECVE" processors: + - type: grok-parser + name: Extract process name from `a0` + enabled: true + source: a0 + samples: + - /usr/bin/bash + - /bin/sh + - python3 + grok: + supportRules: path_component (/%{regex("[^/]*")}) + matchRules: >- + rule_extract_process_name %{path_component}*/%{notSpace:ocsf.process.name} + + rule_no_path %{notSpace:ocsf.process.name} + - type: string-builder-processor + name: Build `ocsf.process.cmd_line` from EXECVE arguments + enabled: true + template: "%{a0} %{a1} %{a2} %{a3} %{a4} %{a5} %{a6} %{a7} %{a8} %{a9}" + target: ocsf.process.cmd_line + replaceMissing: true + - type: grok-parser + name: Trim trailing spaces from `ocsf.process.cmd_line` + enabled: true + source: ocsf.process.cmd_line + samples: + - "bash -c echo hello" + - "bash " + grok: + supportRules: "" + matchRules: >- + trim_rule %{regex("[^\\s].*[^\\s]|[^\\s]"):ocsf.process.cmd_line} + - type: string-builder-processor + name: Set `ocsf.device.name` to Unknown + enabled: true + template: Unknown + target: ocsf.device.name + replaceMissing: false + - type: string-builder-processor + name: Set `ocsf.actor.app_name` to Unknown + enabled: true + template: Unknown + target: ocsf.actor.app_name + replaceMissing: false + - type: string-builder-processor + name: Set `ocsf.process.uid` to Unknown + enabled: true + template: Unknown + target: ocsf.process.uid + replaceMissing: false - type: schema-processor - name: Apply OCSF schema for 3001 + name: Apply OCSF schema for 1007 enabled: true schema: schemaType: ocsf version: 1.5.0 - className: Account Change - 
classUid: 3001 + className: Process Activity + classUid: 1007 extensions: [] - profiles: - - host + profiles: [] mappers: + - name: ocsf.activity_id + categories: + - filter: + query: "*" + name: Launch + id: 1 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + type: schema-category-mapper + - name: ocsf.device.type_id + categories: + - filter: + query: "*" + name: Unknown + id: 0 + targets: + name: ocsf.device.type + id: ocsf.device.type_id + type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: - timestamp @@ -1467,6 +1582,16 @@ pipeline: - ocsf.metadata.product.name sourceType: attribute target: ocsf.metadata.product.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + targetFormat: string preserveSource: false overrideOnConflict: true type: schema-remapper 
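Review bot: The `ocsf.process.cmd_line` string-builder template in the new EXECVE pipeline is hard-wired to `a0` through `a9`, so any command with more than ten argv entries is silently truncated and a detection matching on cmd_line never sees the trailing arguments (for example the payload after a long run of flags), even though the record's `argc` says how many there are. As far as I recall auditd also hex-encodes arguments containing spaces or control characters and splits long ones into `aN[0]`, `aN[1]` fragments, neither of which this template or the trailing-space grok handles, so please confirm against real EXECVE samples in the tests file. Note too that the process name the first grok parser derives from `a0` is argv[0] as chosen by the caller, not the kernel-observed binary, which only the paired SYSCALL record's `exe` field (same `event_id`) gives. I would document both limits above the template line, e.g. `# NOTE: only a0..a9 are joined; longer argv (see argc) is truncated and hex-encoded or split args are passed through as-is`.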
@@ -1488,135 +1613,507 @@ pipeline: preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` - sources: - - ocsf.metadata.product.vendor_name - sourceType: attribute - target: ocsf.metadata.product.vendor_name - preserveSource: false - overrideOnConflict: true - type: schema-remapper - - name: Map `pid` to `ocsf.actor.process.pid` - sources: - - pid - sourceType: attribute - target: ocsf.actor.process.pid - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `uid` to `ocsf.actor.process.user.uid` + - name: Map `original_timestamp` to `ocsf.metadata.original_time` sources: - - uid + - original_timestamp sourceType: attribute - target: ocsf.actor.process.user.uid + target: ocsf.metadata.original_time targetFormat: string preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `auid` to `ocsf.actor.user.uid` + - name: Map `a0` to `ocsf.process.path` sources: - - auid + - a0 sourceType: attribute - target: ocsf.actor.user.uid + target: ocsf.process.path targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `ses` to `ocsf.actor.session.uid` + - name: Map `ocsf.process.name` to `ocsf.process.name` sources: - - ses + - ocsf.process.name sourceType: attribute - target: ocsf.actor.session.uid + target: ocsf.process.name targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `AUID` to `ocsf.actor.user.name` - sources: - - AUID - sourceType: attribute - target: ocsf.actor.user.name - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `UID` to `ocsf.actor.process.user.name` - sources: - - UID - sourceType: attribute - target: ocsf.actor.process.user.name preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `msg.acct`, `ID` to `ocsf.user.name` + - name: 
Map `ocsf.process.cmd_line` to `ocsf.process.cmd_line` sources: - - msg.acct - - ID + - ocsf.process.cmd_line sourceType: attribute - target: ocsf.user.name + target: ocsf.process.cmd_line targetFormat: string - preserveSource: true + preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `msg.id` to `ocsf.user.uid` + - name: Map `ocsf.actor.app_name` to `ocsf.actor.app_name` sources: - - msg.id + - ocsf.actor.app_name sourceType: attribute - target: ocsf.user.uid + target: ocsf.actor.app_name targetFormat: string - preserveSource: true + preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `msg.terminal` to `ocsf.actor.session.terminal` + - name: Map `ocsf.device.name` to `ocsf.device.name` sources: - - msg.terminal + - ocsf.device.name sourceType: attribute - target: ocsf.actor.session.terminal - preserveSource: true + target: ocsf.device.name + targetFormat: string + preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `msg.exe` to `ocsf.actor.process.path` + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` sources: - - msg.exe + - ocsf.device.os.name sourceType: attribute - target: ocsf.actor.process.path + target: ocsf.device.os.name targetFormat: string - preserveSource: true + preserveSource: false overrideOnConflict: true type: schema-remapper - - name: ocsf.activity_id - categories: - - filter: - query: "@type:ADD_USER" - name: Create - id: 1 - - filter: - query: "@type:DEL_USER" - name: Delete - id: 6 - - filter: - query: "@type:USER_CHAUTHTOK" - name: Password Change - id: 3 - targets: - name: ocsf.activity_name - id: ocsf.activity_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: ocsf.severity_id + - name: ocsf.device.os.type_id categories: - filter: query: "*" - name: Informational - id: 1 + name: Linux + id: 200 targets: - name: ocsf.severity - id: ocsf.severity_id - fallback: - values: {} - sources: {} - type: 
schema-category-mapper + name: ocsf.device.os.type + id: ocsf.device.os.type_id + type: schema-category-mapper + - type: pipeline + name: OCSF sub pipeline for class Process Activity [1007] from SYSCALL + enabled: true + ocsf: + isOcsf: true + filter: + query: "@type:SYSCALL AND @SYSCALL:execve" + processors: + - type: string-builder-processor + name: Set `ocsf.device.name` to Unknown + enabled: true + template: Unknown + target: ocsf.device.name + replaceMissing: false + - type: schema-processor + name: Apply OCSF schema for 1007 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: Process Activity + classUid: 1007 + extensions: [] + profiles: [] + mappers: + - name: ocsf.activity_id + categories: + - filter: + query: "*" + name: Launch + id: 1 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + type: schema-category-mapper + - name: ocsf.device.type_id + categories: + - filter: + query: "*" + name: Unknown + id: 0 + targets: + name: ocsf.device.type + id: ocsf.device.type_id + type: schema-category-mapper + - name: ocsf.status_id + categories: + - filter: + query: "@success:yes" + name: Success + id: 1 + - filter: + query: "@success:no" + name: Failure + id: 2 + targets: + name: ocsf.status + id: ocsf.status_id + type: schema-category-mapper + - name: Map `timestamp` to `ocsf.time` + sources: + - timestamp + sourceType: attribute + target: ocsf.time + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map 
`ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `type` to `ocsf.metadata.event_code` + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `event_id` to `ocsf.metadata.uid` + sources: + - event_id + sourceType: attribute + target: ocsf.metadata.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `original_timestamp` to `ocsf.metadata.original_time` + sources: + - original_timestamp + sourceType: attribute + target: ocsf.metadata.original_time + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `exe` to `ocsf.process.path` + sources: + - exe + sourceType: attribute + target: ocsf.process.path + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `comm` to `ocsf.process.name` + sources: + - comm + sourceType: attribute + target: ocsf.process.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `pid` to `ocsf.process.pid` + sources: + - pid + sourceType: attribute + target: ocsf.process.pid + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `exe` to `ocsf.actor.process.path` + sources: + - exe + sourceType: attribute + target: ocsf.actor.process.path + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `pid` to `ocsf.actor.process.pid` + sources: + - pid + sourceType: attribute + target: ocsf.actor.process.pid + targetFormat: 
integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `uid` to `ocsf.actor.process.user.uid` + sources: + - uid + sourceType: attribute + target: ocsf.actor.process.user.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `UID` to `ocsf.actor.process.user.name` + sources: + - UID + sourceType: attribute + target: ocsf.actor.process.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `auid` to `ocsf.actor.user.uid` + sources: + - auid + sourceType: attribute + target: ocsf.actor.user.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `AUID` to `ocsf.actor.user.name` + sources: + - AUID + sourceType: attribute + target: ocsf.actor.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ses` to `ocsf.actor.session.uid` + sources: + - ses + sourceType: attribute + target: ocsf.actor.session.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `tty` to `ocsf.actor.session.terminal` + sources: + - tty + sourceType: attribute + target: ocsf.actor.session.terminal + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: ocsf.device.os.type_id + categories: + - filter: + query: "*" + name: 
Linux + id: 200 + targets: + name: ocsf.device.os.type + id: ocsf.device.os.type_id + type: schema-category-mapper + - type: pipeline + name: OCSF sub pipeline for class Account Change [3001] + enabled: true + ocsf: + isOcsf: true + filter: + query: "@type:(ADD_USER OR DEL_USER OR USER_CHAUTHTOK)" + processors: + - type: schema-processor + name: Apply OCSF schema for 3001 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: Account Change + classUid: 3001 + extensions: [] + profiles: + - host + mappers: + - name: Map `timestamp` to `ocsf.time` + sources: + - timestamp + sourceType: attribute + target: ocsf.time + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `type` to `ocsf.metadata.event_code` + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `event_id` to `ocsf.metadata.uid` + sources: + - event_id + sourceType: attribute + target: ocsf.metadata.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `pid` to `ocsf.actor.process.pid` + sources: + - pid + sourceType: attribute + target: ocsf.actor.process.pid + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `uid` to `ocsf.actor.process.user.uid` + sources: + - uid + 
sourceType: attribute + target: ocsf.actor.process.user.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `auid` to `ocsf.actor.user.uid` + sources: + - auid + sourceType: attribute + target: ocsf.actor.user.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ses` to `ocsf.actor.session.uid` + sources: + - ses + sourceType: attribute + target: ocsf.actor.session.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `AUID` to `ocsf.actor.user.name` + sources: + - AUID + sourceType: attribute + target: ocsf.actor.user.name + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `UID` to `ocsf.actor.process.user.name` + sources: + - UID + sourceType: attribute + target: ocsf.actor.process.user.name + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `msg.acct`, `ID` to `ocsf.user.name` + sources: + - msg.acct + - ID + sourceType: attribute + target: ocsf.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `msg.id` to `ocsf.user.uid` + sources: + - msg.id + sourceType: attribute + target: ocsf.user.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `msg.terminal` to `ocsf.actor.session.terminal` + sources: + - msg.terminal + sourceType: attribute + target: ocsf.actor.session.terminal + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `msg.exe` to `ocsf.actor.process.path` + sources: + - msg.exe + sourceType: attribute + target: ocsf.actor.process.path + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.activity_id + categories: + - filter: + query: "@type:ADD_USER" + name: Create + id: 1 + 
- filter: + query: "@type:DEL_USER" + name: Delete + id: 6 + - filter: + query: "@type:USER_CHAUTHTOK" + name: Password Change + id: 3 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + type: schema-category-mapper - name: ocsf.status_id categories: - filter: @@ -1627,12 +2124,13 @@ pipeline: query: "@msg.res:failed" name: Failure id: 2 + - filter: + query: "*" + name: Unknown + id: 0 targets: name: ocsf.status id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: @@ -1643,11 +2141,8 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - - name: Set `ocsf.device.name` to Unknown when hostname is absent + - name: ocsf.device.name categories: - filter: query: "-@msg.hostname:*" @@ -1656,9 +2151,6 @@ pipeline: targets: name: ocsf.device.name id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `msg.hostname` to `ocsf.device.hostname` sources: @@ -1687,6 +2179,24 @@ pipeline: preserveSource: false overrideOnConflict: true type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper - name: ocsf.device.os.type_id categories: - filter: 
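Review bot: The `ocsf.status_id` mapper in the new `Process Activity [1007] from SYSCALL` pipeline only covers `@success:yes` and `@success:no` with no catch-all, while the Account Change and Authentication status mappers in this same patch gain a `"*"` → Unknown branch; a SYSCALL record without a `success` field would leave status unset here. For consistency add a third category after the Failure branch, `{filter: {query: "*"}, name: Unknown, id: 0}` in block style like the others. Separately, the pipeline filter `@type:SYSCALL AND @SYSCALL:execve` will not classify an `execveat` syscall as Process Activity although it launches a process the same way; if the integration's audit rules cover execveat (I cannot see them here), widen it to `@SYSCALL:(execve OR execveat)`. Both the filter and the status mapper are fully inside this hunk.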
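Review bot: The renamed `ocsf.device.name` category mapper in the Account Change pipeline still declares `targets.id: ocsf.device.type_id`, so whenever its `-@msg.hostname:*` branch matches it also writes that branch's category id into `ocsf.device.type_id`, the attribute the dedicated `ocsf.device.type_id` mapper just above sets to Unknown/0; whichever runs last wins, and the branch's `id` value sits outside this hunk so I cannot tell whether they agree. A category mapper is a poor fit for a conditional string default: the Process Activity pipelines added in this patch set `ocsf.device.name` with a `string-builder-processor` before the schema processor and then self-map it, and this pipeline already gains the `Map ocsf.device.name to ocsf.device.name` self-map further down. Either move the default to that pattern or point `targets.id` at an attribute nothing else writes, and meanwhile flag it above the mapper with `# TODO: targets.id collides with the ocsf.device.type_id mapper above`.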
@@ -1696,9 +2206,6 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - type: pipeline name: OCSF sub pipeline for class Authentication [3002] @@ -1729,9 +2236,6 @@ pipeline: targets: name: ocsf.activity_name id: ocsf.activity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.severity_id categories: @@ -1742,9 +2246,6 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.status_id categories: @@ -1756,12 +2257,13 @@ pipeline: query: "@msg.res:failed" name: Failure id: 2 + - filter: + query: "*" + name: Unknown + id: 0 targets: name: ocsf.status id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: @@ -1772,11 +2274,8 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - - name: Set `ocsf.device.name` to Unknown when hostname is absent + - name: ocsf.device.name categories: - filter: query: "-@msg.hostname:*" @@ -1785,9 +2284,6 @@ pipeline: targets: name: ocsf.device.name id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: @@ -1907,7 +2403,7 @@ pipeline: - UID sourceType: attribute target: ocsf.actor.process.user.name - preserveSource: false + preserveSource: true overrideOnConflict: true type: schema-remapper - name: Map `uid` to `ocsf.actor.process.user.uid` @@ -1916,7 +2412,7 @@ pipeline: sourceType: attribute target: ocsf.actor.process.user.uid targetFormat: string - preserveSource: false + preserveSource: true overrideOnConflict: true type: schema-remapper - name: Map `msg.exe` to `ocsf.actor.process.path` 
@@ -1964,6 +2460,24 @@ pipeline: preserveSource: false overrideOnConflict: true type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper - name: ocsf.device.os.type_id categories: - filter: @@ -1973,12 +2487,9 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - type: pipeline - name: OCSF sub pipeline for role assign logs + name: Pre-process role assign logs enabled: true filter: query: "@type:ROLE_ASSIGN" @@ -1993,7 +2504,7 @@ pipeline: supportRules: "" matchRules: rule_convert_role_into_array %{data:ocsf.privileges:array} - type: pipeline - name: OCSF sub pipeline for role remove logs + name: Pre-process role remove logs enabled: true filter: query: "@type:ROLE_REMOVE" @@ -2087,7 +2598,7 @@ pipeline: sourceType: attribute target: ocsf.actor.process.user.uid targetFormat: string - preserveSource: false + preserveSource: true overrideOnConflict: true type: schema-remapper - name: Map `UID` to `ocsf.actor.process.user.name` @@ -2096,7 +2607,7 @@ pipeline: sourceType: attribute target: ocsf.actor.process.user.name targetFormat: string - preserveSource: false + preserveSource: true overrideOnConflict: true type: schema-remapper - name: Map `auid` to `ocsf.actor.user.uid` @@ -2166,9 +2677,6 @@ pipeline: targets: name: ocsf.activity_name id: ocsf.activity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.severity_id categories: 
@@ -2179,9 +2687,6 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.status_id categories: @@ -2193,12 +2698,13 @@ pipeline: query: "@msg.res:failed" name: Failure id: 2 + - filter: + query: "*" + name: Unknown + id: 0 targets: name: ocsf.status id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: @@ -2209,11 +2715,8 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - - name: Set `ocsf.device.name` to Unknown when hostname is absent + - name: ocsf.device.name categories: - filter: query: "-@msg.hostname:*" @@ -2222,9 +2725,6 @@ pipeline: targets: name: ocsf.device.name id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `msg.hostname` to `ocsf.device.hostname` sources: @@ -2271,6 +2771,24 @@ pipeline: preserveSource: true overrideOnConflict: true type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper - name: ocsf.device.os.type_id categories: - filter: @@ -2280,9 +2798,6 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - type: pipeline name: OCSF sub pipeline for class Group Management [3006] 
@@ -2370,7 +2885,7 @@ pipeline: sourceType: attribute target: ocsf.actor.process.user.uid targetFormat: string - preserveSource: false + preserveSource: true overrideOnConflict: true type: schema-remapper - name: Map `auid` to `ocsf.actor.user.uid` @@ -2404,7 +2919,7 @@ pipeline: - UID sourceType: attribute target: ocsf.actor.process.user.name - preserveSource: false + preserveSource: true overrideOnConflict: true type: schema-remapper - name: Map `msg.id` to `ocsf.group.uid` @@ -2435,20 +2950,17 @@ pipeline: type: schema-remapper - name: ocsf.activity_id categories: - - filter: - query: "@type:ADD_GROUP" - name: Create - id: 6 - filter: query: "@type:DEL_GROUP" name: Delete id: 5 + - filter: + query: "@type:ADD_GROUP" + name: Create + id: 6 targets: name: ocsf.activity_name id: ocsf.activity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.severity_id categories: @@ -2459,9 +2971,6 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.status_id categories: @@ -2473,12 +2982,13 @@ pipeline: query: "@msg.res:failed" name: Failure id: 2 + - filter: + query: "*" + name: Unknown + id: 0 targets: name: ocsf.status id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: @@ -2489,11 +2999,8 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - - name: Set `ocsf.device.name` to Unknown when hostname is absent + - name: ocsf.device.name categories: - filter: query: "-@msg.hostname:*" @@ -2502,9 +3009,6 @@ pipeline: targets: name: ocsf.device.name id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `msg.hostname` to `ocsf.device.hostname` sources: 
@@ -2533,6 +3037,24 @@ pipeline: preserveSource: false overrideOnConflict: true type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper - name: ocsf.device.os.type_id categories: - filter: 
@@ -2542,41 +3064,47 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - type: pipeline - name: OCSF sub pipeline for class Device Config State Change [5019] + name: OCSF sub pipeline for class Network Activity [4001] from SOCKADDR enabled: true ocsf: isOcsf: true filter: - query: "@type:USER_MAC_CONFIG_CHANGE" + query: "@type:SOCKADDR AND @laddr:*" processors: + - type: grok-parser + name: Extract laddr and lport from SOCKADDR saddr field + enabled: true + source: message + samples: + - "type=SOCKADDR msg=audit(1770316388.442:354317): saddr={ fam=inet laddr=1.2.3.4\ + \ lport=4444 }" + grok: + supportRules: "" + matchRules: >- + saddr_inet %{data}laddr=%{notSpace:laddr} lport=%{integer:lport}%{data} - type: schema-processor - name: Apply OCSF schema for 5019 + name: Apply OCSF schema for 4001 enabled: true schema: schemaType: ocsf version: 1.5.0 - className: Device Config State Change - classUid: 5019 + className: Network Activity + classUid: 4001 extensions: [] - profiles: [] + profiles: + - host mappers: - name: ocsf.activity_id categories: - filter: query: "*" - name: Log + name: Open id: 1 targets: name: ocsf.activity_name id: ocsf.activity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.severity_id categories: 
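Review bot: The relocated SOCKADDR pipeline is gated on `query: "@type:SOCKADDR AND @laddr:*"` yet its first processor is the grok parser that extracts `laddr` and `lport` from `message`; if `laddr` is produced only by that parser the filter can never be true, and if an earlier processor already produces it the parser is redundant. Which case holds is not visible in this chunk, so please confirm against the pre-processing section. The rule `%{data}laddr=%{notSpace:laddr}` also accepts any token as an address, so `ocsf.dst_endpoint.ip` can receive non-IP text for address families other than the `fam=inet` sample or for malformed `saddr`; a comment on the sample stating that only `fam=inet` is covered would set expectations for detection authors.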
@@ -2587,52 +3115,6 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: ocsf.device.type_id - categories: - - filter: - query: "*" - name: Unknown - id: 0 - targets: - name: ocsf.device.type - id: ocsf.device.type_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: Set `ocsf.device.name` to Unknown when hostname is absent - categories: - - filter: - query: "-@msg.hostname:*" - name: Unknown - id: 0 - targets: - name: ocsf.device.name - id: ocsf.device.type_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: ocsf.status_id - categories: - - filter: - query: "@msg.res:success" - name: Success - id: 1 - - filter: - query: "@msg.res:failed" - name: Failure - id: 2 - targets: - name: ocsf.status - id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: 
@@ -2643,130 +3125,85 @@ pipeline: preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `type` to `ocsf.metadata.event_code` - sources: - - type - sourceType: attribute - target: ocsf.metadata.event_code - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `event_id` to `ocsf.metadata.uid` + - name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` sources: - - event_id + - ocsf.metadata.product.name sourceType: attribute - target: ocsf.metadata.uid + target: ocsf.metadata.product.name targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `original_timestamp` to `ocsf.metadata.original_time` - sources: - - original_timestamp - sourceType: attribute - target: ocsf.metadata.original_time - targetFormat: string - preserveSource: false - overrideOnConflict: true - type: schema-remapper - - name: Map `msg.hostname` to `ocsf.device.hostname` + - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` sources: - - msg.hostname + - ocsf.metadata.product.vendor_name sourceType: attribute - target: ocsf.device.hostname + target: ocsf.metadata.product.vendor_name targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `msg.addr` to `ocsf.device.ip` - sources: - - msg.addr - sourceType: attribute - target: ocsf.device.ip - targetFormat: string - preserveSource: false - overrideOnConflict: true - type: schema-remapper - - name: Map `ses` to `ocsf.actor.session.uid` + - name: Map `type` to `ocsf.metadata.event_code` sources: - - ses + - type sourceType: attribute - target: ocsf.actor.session.uid + target: ocsf.metadata.event_code targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `auid` to `ocsf.actor.user.uid` + - name: Map `event_id` to `ocsf.metadata.uid` sources: - - auid + - event_id sourceType: 
attribute - target: ocsf.actor.user.uid + target: ocsf.metadata.uid targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `uid` to `ocsf.actor.process.user.uid` - sources: - - uid - sourceType: attribute - target: ocsf.actor.process.user.uid - targetFormat: string - preserveSource: false - overrideOnConflict: true - type: schema-remapper - - name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + - name: Map `original_timestamp` to `ocsf.metadata.original_time` sources: - - ocsf.metadata.product.name + - original_timestamp sourceType: attribute - target: ocsf.metadata.product.name + target: ocsf.metadata.original_time targetFormat: string preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `AUID` to `ocsf.actor.user.name` - sources: - - AUID - sourceType: attribute - target: ocsf.actor.user.name - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `msg.exe` to `ocsf.actor.process.path` + - name: Map `laddr` to `ocsf.dst_endpoint.ip` sources: - - msg.exe + - laddr sourceType: attribute - target: ocsf.actor.process.path + target: ocsf.dst_endpoint.ip targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `pid` to `ocsf.actor.process.pid` + - name: Map `lport` to `ocsf.dst_endpoint.port` sources: - - pid + - lport sourceType: attribute - target: ocsf.actor.process.pid + target: ocsf.dst_endpoint.port targetFormat: integer preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `UID` to `ocsf.actor.process.user.name` + - name: Map `ocsf.device.name` to `ocsf.device.name` sources: - - UID + - ocsf.device.name sourceType: attribute - target: ocsf.actor.process.user.name + target: ocsf.device.name targetFormat: string preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `msg.terminal` to `ocsf.actor.session.terminal` 
+ - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` sources: - - msg.terminal + - ocsf.device.os.name sourceType: attribute - target: ocsf.actor.session.terminal + target: ocsf.device.os.name targetFormat: string - preserveSource: true + preserveSource: false overrideOnConflict: true type: schema-remapper - name: ocsf.device.os.type_id 
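Review bot: The `ocsf.device.name` and `ocsf.device.os.name` self-maps added here with `preserveSource: false` sit in a pipeline that no longer contains any processor setting either field: the `ocsf.device.name` category mapper and the `msg.hostname` remapper were removed from this position in hunks -2587 and -2643, and a SOCKADDR record carries no `msg.hostname`. Unless an earlier, global processor populates them, the `host` profile's device object will be empty for these network events. The product self-maps a few lines up use `preserveSource: true`, so if the intent of the two pairs is the same they should agree on that flag.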
@@ -2778,90 +3215,71 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} + type: schema-category-mapper + - name: ocsf.device.type_id + categories: + - filter: + query: "*" + name: Unknown + id: 0 + targets: + name: ocsf.device.type + id: ocsf.device.type_id type: schema-category-mapper - type: pipeline - name: OCSF sub pipeline for class Process Activity [1007] for EXECVE + name: OCSF sub pipeline for class Network Activity [4001] from Syscall enabled: true ocsf: isOcsf: true filter: - query: "@type:EXECVE" + query: "@type:SYSCALL AND @SYSCALL:(connect OR bind OR listen OR accept OR accept4 OR sendto OR recvfrom)" processors: - - type: grok-parser - name: Extract process name from `a0` - enabled: true - source: a0 - samples: - - /usr/bin/bash - - /bin/sh - - python3 - grok: - supportRules: path_component (/%{regex("[^/]*")}) - matchRules: >- - rule_extract_process_name %{path_component}*/%{notSpace:ocsf.process.name} - - rule_no_path %{notSpace:ocsf.process.name} - - type: string-builder-processor - name: Build `ocsf.process.cmd_line` from EXECVE arguments - enabled: true - template: "%{a0} %{a1} %{a2} %{a3} %{a4} %{a5} %{a6} %{a7} %{a8} %{a9}" - target: ocsf.process.cmd_line - replaceMissing: true - - type: grok-parser - name: Trim trailing spaces from `ocsf.process.cmd_line` - enabled: true - source: ocsf.process.cmd_line - samples: - - "bash -c echo hello" - - "bash " - grok: - supportRules: "" - matchRules: >- - trim_rule %{regex("[^\\s].*[^\\s]|[^\\s]"):ocsf.process.cmd_line} - - type: string-builder-processor - name: Set `ocsf.device.name` to Unknown - enabled: true - template: Unknown - target: ocsf.device.name - replaceMissing: false - - type: string-builder-processor - name: Set `ocsf.actor.app_name` to Unknown - enabled: true - template: Unknown - target: ocsf.actor.app_name - replaceMissing: false - type: string-builder-processor - name: Set `ocsf.process.uid` to Unknown + name: Set 
`ocsf.dst_endpoint.name` to Unknown enabled: true template: Unknown - target: ocsf.process.uid + target: ocsf.dst_endpoint.name replaceMissing: false - type: schema-processor - name: Apply OCSF schema for 1007 + name: Apply OCSF schema for 4001 enabled: true schema: schemaType: ocsf version: 1.5.0 - className: Process Activity - classUid: 1007 + className: Network Activity + classUid: 4001 extensions: [] - profiles: [] + profiles: + - host mappers: - name: ocsf.activity_id categories: - filter: - query: "*" - name: Launch - id: 1 + query: "@SYSCALL:(connect OR accept OR accept4)" + name: Open + id: 1 + - filter: + query: "@SYSCALL:(sendto OR recvfrom)" + name: Traffic + id: 6 + - filter: + query: "@SYSCALL:listen" + name: Listen + id: 7 + - filter: + query: "@SYSCALL:bind" + name: Other + id: 99 targets: name: ocsf.activity_name id: ocsf.activity_id fallback: - values: {} - sources: {} + values: + ocsf.activity_id: "99" + ocsf.activity_name: Other + sources: + ocsf.activity_name: + - SYSCALL type: schema-category-mapper - name: ocsf.severity_id categories: @@ -2872,22 +3290,20 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - - name: ocsf.device.type_id + - name: ocsf.status_id categories: - filter: - query: "*" - name: Unknown - id: 0 + query: "@success:yes" + name: Success + id: 1 + - filter: + query: "@success:no" + name: Failure + id: 2 targets: - name: ocsf.device.type - id: ocsf.device.type_id - fallback: - values: {} - sources: {} + name: ocsf.status + id: ocsf.status_id type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: 
@@ -2943,29 +3359,101 @@ pipeline: preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `a0` to `ocsf.process.path` + - name: Map `exe` to `ocsf.actor.process.path` sources: - - a0 + - exe sourceType: attribute - target: ocsf.process.path + target: ocsf.actor.process.path targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `ocsf.process.name` to `ocsf.process.name` + - name: Map `comm` to `ocsf.actor.process.name` sources: - - ocsf.process.name + - comm sourceType: attribute - target: ocsf.process.name + target: ocsf.actor.process.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `pid` to `ocsf.actor.process.pid` + sources: + - pid + sourceType: attribute + target: ocsf.actor.process.pid + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `uid` to `ocsf.actor.process.user.uid` + sources: + - uid + sourceType: attribute + target: ocsf.actor.process.user.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `UID` to `ocsf.actor.process.user.name` + sources: + - UID + sourceType: attribute + target: ocsf.actor.process.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `auid` to `ocsf.actor.user.uid` + sources: + - auid + sourceType: attribute + target: ocsf.actor.user.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `AUID` to `ocsf.actor.user.name` + sources: + - AUID + sourceType: attribute + target: ocsf.actor.user.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ses` to `ocsf.actor.session.uid` + sources: + - ses + sourceType: attribute + target: ocsf.actor.session.uid + targetFormat: string + 
preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `tty` to `ocsf.actor.session.terminal` + sources: + - tty + sourceType: attribute + target: ocsf.actor.session.terminal + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.name` to `ocsf.device.name` + sources: + - ocsf.device.name + sourceType: attribute + target: ocsf.device.name targetFormat: string preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `ocsf.process.cmd_line` to `ocsf.process.cmd_line` + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` sources: - - ocsf.process.cmd_line + - ocsf.device.os.name sourceType: attribute - target: ocsf.process.cmd_line + target: ocsf.device.os.name targetFormat: string preserveSource: false overrideOnConflict: true @@ -2979,32 +3467,33 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} + type: schema-category-mapper + - name: ocsf.device.type_id + categories: + - filter: + query: "*" + name: Unknown + id: 0 + targets: + name: ocsf.device.type + id: ocsf.device.type_id type: schema-category-mapper - type: pipeline - name: OCSF sub pipeline for class Process Activity [1007] from SYSCALL + name: OCSF sub pipeline for class Device Config State Change [5019] enabled: true ocsf: isOcsf: true filter: - query: "@type:SYSCALL AND @SYSCALL:execve" + query: "@type:USER_MAC_CONFIG_CHANGE" processors: - - type: string-builder-processor - name: Set `ocsf.device.name` to Unknown - enabled: true - template: Unknown - target: ocsf.device.name - replaceMissing: false - type: schema-processor - name: Apply OCSF schema for 1007 + name: Apply OCSF schema for 5019 enabled: true schema: schemaType: ocsf version: 1.5.0 - className: Process Activity - classUid: 1007 + className: Device Config State Change + classUid: 5019 extensions: [] profiles: [] mappers: 
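Review bot: `Map comm to ocsf.actor.process.name` promotes the kernel task name to the actor's process name; `comm` is limited to 15 characters by the kernel and can be changed by the process itself, so it is a display hint, whereas `exe` (mapped to `ocsf.actor.process.path` just above) is the authoritative identity. A comment on the `comm` mapper, `# comm is the kernel task name (15-char, process-settable); match on actor.process.path`, would steer detection content to the right field. Note also that the `UID` and `AUID` mappers in this hunk carry `targetFormat: string` while the same mappers near the start of this chunk omit it.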
@@ -3012,14 +3501,11 @@ pipeline: categories: - filter: query: "*" - name: Launch + name: Log id: 1 targets: name: ocsf.activity_name id: ocsf.activity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.severity_id categories: @@ -3030,9 +3516,6 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: @@ -3043,26 +3526,34 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} + type: schema-category-mapper + - name: ocsf.device.name + categories: + - filter: + query: "-@msg.hostname:*" + name: Unknown + id: 0 + targets: + name: ocsf.device.name + id: ocsf.device.type_id type: schema-category-mapper - name: ocsf.status_id categories: - filter: - query: "@success:yes" + query: "@msg.res:success" name: Success id: 1 - filter: - query: "@success:no" + query: "@msg.res:failed" name: Failure id: 2 + - filter: + query: "*" + name: Unknown + id: 0 targets: name: ocsf.status id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: @@ -3073,24 +3564,6 @@ pipeline: preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` - sources: - - ocsf.metadata.product.name - sourceType: attribute - target: ocsf.metadata.product.name - targetFormat: string - preserveSource: false - overrideOnConflict: true - type: schema-remapper - - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` - sources: - - ocsf.metadata.product.vendor_name - sourceType: attribute - target: ocsf.metadata.product.vendor_name - targetFormat: string - preserveSource: false - overrideOnConflict: true - type: schema-remapper - name: Map `type` to `ocsf.metadata.event_code` sources: - type 
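Review bot: The `ocsf.device.name` category mapper added to the 5019 pipeline writes its `id` target to `ocsf.device.type_id`, so a missing `msg.hostname` also rewrites the device type; today the preceding `ocsf.device.type_id` mapper already sets 0, so the result is unchanged, but the coupling is invisible and will bite if the device type mapping ever stops being constant. A comment above `id: ocsf.device.type_id`, `# id target is a placeholder; this mapper only exists to set device.name=Unknown`, would make the intent explicit, and the same shape recurs in the other pipelines' `ocsf.device.name` mappers.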
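Review bot: Removing the `ocsf.metadata.product.name` and `ocsf.metadata.product.vendor_name` self-maps leaves the 5019 pipeline without them, while the relocated SOCKADDR pipeline (hunk -2643) keeps both with `preserveSource: true`. If the validator treats `metadata.product` as required per pipeline this will be flagged; if not, the SOCKADDR copies are the redundant ones. Either way the two pipelines should be brought into line so the presence of the product mappers is a rule rather than an accident.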
@@ -3118,85 +3591,22 @@ pipeline: preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `exe` to `ocsf.process.path` - sources: - - exe - sourceType: attribute - target: ocsf.process.path - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `comm` to `ocsf.process.name` - sources: - - comm - sourceType: attribute - target: ocsf.process.name - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `pid` to `ocsf.process.pid` - sources: - - pid - sourceType: attribute - target: ocsf.process.pid - targetFormat: integer - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `exe` to `ocsf.actor.process.path` - sources: - - exe - sourceType: attribute - target: ocsf.actor.process.path - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `pid` to `ocsf.actor.process.pid` - sources: - - pid - sourceType: attribute - target: ocsf.actor.process.pid - targetFormat: integer - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `uid` to `ocsf.actor.process.user.uid` - sources: - - uid - sourceType: attribute - target: ocsf.actor.process.user.uid - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `UID` to `ocsf.actor.process.user.name` - sources: - - UID - sourceType: attribute - target: ocsf.actor.process.user.name - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `auid` to `ocsf.actor.user.uid` + - name: Map `msg.hostname` to `ocsf.device.hostname` sources: - - auid + - msg.hostname sourceType: attribute - target: ocsf.actor.user.uid + target: ocsf.device.hostname targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `AUID` to 
`ocsf.actor.user.name` + - name: Map `msg.addr` to `ocsf.device.ip` sources: - - AUID + - msg.addr sourceType: attribute - target: ocsf.actor.user.name + target: ocsf.device.ip targetFormat: string - preserveSource: true + preserveSource: false overrideOnConflict: true type: schema-remapper - name: Map `ses` to `ocsf.actor.session.uid` 
@@ -3208,91 +3618,21 @@ pipeline: preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `tty` to `ocsf.actor.session.terminal` + - name: Map `auid` to `ocsf.actor.user.uid` sources: - - tty + - auid sourceType: attribute - target: ocsf.actor.session.terminal + target: ocsf.actor.user.uid targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: ocsf.device.os.type_id - categories: - - filter: - query: "*" - name: Linux - id: 200 - targets: - name: ocsf.device.os.type - id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - type: pipeline - name: OCSF sub pipeline for class Network Activity [4001] from SOCKADDR - enabled: true - ocsf: - isOcsf: true - filter: - query: "@type:SOCKADDR AND @laddr:*" - processors: - - type: grok-parser - name: Extract laddr and lport from SOCKADDR saddr field - enabled: true - source: message - samples: - - "type=SOCKADDR msg=audit(1770316388.442:354317): saddr={ fam=inet laddr=1.2.3.4\ - \ lport=4444 }" - grok: - supportRules: "" - matchRules: >- - saddr_inet %{data}laddr=%{notSpace:laddr} lport=%{integer:lport}%{data} - - type: schema-processor - name: Apply OCSF schema for 4001 - enabled: true - schema: - schemaType: ocsf - version: 1.5.0 - className: Network Activity - classUid: 4001 - extensions: [] - profiles: - - host - mappers: - - name: ocsf.activity_id - categories: - - filter: - query: "*" - name: Open - id: 1 - targets: - name: ocsf.activity_name - id: ocsf.activity_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: ocsf.severity_id - categories: - - filter: - query: "*" - name: Informational - id: 1 - targets: - name: ocsf.severity - id: ocsf.severity_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: Map `timestamp` to `ocsf.time` + - name: Map `uid` to `ocsf.actor.process.user.uid` sources: - - timestamp + - uid sourceType: attribute - target: 
ocsf.time - targetFormat: integer + target: ocsf.actor.process.user.uid + targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper 
@@ -3302,61 +3642,70 @@ pipeline: sourceType: attribute target: ocsf.metadata.product.name targetFormat: string - preserveSource: true + preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + - name: Map `AUID` to `ocsf.actor.user.name` sources: - - ocsf.metadata.product.vendor_name + - AUID sourceType: attribute - target: ocsf.metadata.product.vendor_name + target: ocsf.actor.user.name targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `type` to `ocsf.metadata.event_code` + - name: Map `msg.exe` to `ocsf.actor.process.path` sources: - - type + - msg.exe sourceType: attribute - target: ocsf.metadata.event_code + target: ocsf.actor.process.path targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `event_id` to `ocsf.metadata.uid` + - name: Map `pid` to `ocsf.actor.process.pid` sources: - - event_id + - pid sourceType: attribute - target: ocsf.metadata.uid - targetFormat: string + target: ocsf.actor.process.pid + targetFormat: integer preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `original_timestamp` to `ocsf.metadata.original_time` + - name: Map `UID` to `ocsf.actor.process.user.name` sources: - - original_timestamp + - UID sourceType: attribute - target: ocsf.metadata.original_time + target: ocsf.actor.process.user.name targetFormat: string preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `laddr` to `ocsf.dst_endpoint.ip` + - name: Map `msg.terminal` to `ocsf.actor.session.terminal` sources: - - laddr + - msg.terminal sourceType: attribute - target: ocsf.dst_endpoint.ip + target: ocsf.actor.session.terminal targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `lport` to `ocsf.dst_endpoint.port` + - name: Map `ocsf.device.name` to 
`ocsf.device.name` sources: - - lport + - ocsf.device.name sourceType: attribute - target: ocsf.dst_endpoint.port - targetFormat: integer - preserveSource: true + target: ocsf.device.name + targetFormat: string + preserveSource: false + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` + sources: + - ocsf.device.os.name + sourceType: attribute + target: ocsf.device.os.name + targetFormat: string + preserveSource: false overrideOnConflict: true type: schema-remapper - name: ocsf.device.os.type_id @@ -3368,45 +3717,23 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} - type: schema-category-mapper - - name: ocsf.device.type_id - categories: - - filter: - query: "*" - name: Unknown - id: 0 - targets: - name: ocsf.device.type - id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - type: pipeline - name: OCSF sub pipeline for class Network Activity [4001] from Syscall + name: OCSF sub pipeline for class Base Event [0] enabled: true ocsf: isOcsf: true filter: - query: "@type:SYSCALL AND @SYSCALL:(connect OR bind OR listen OR accept OR accept4 OR sendto OR recvfrom)" + query: "@type:(USER_ROLE_CHANGE OR USER_SELINUX_ERR OR DAEMON_CONFIG OR DAEMON_ABORT OR MAC_CONFIG_CHANGE OR MAC_STATUS OR MAC_POLICY_LOAD OR AVC OR CONFIG_CHANGE)" processors: - - type: string-builder-processor - name: Set `ocsf.dst_endpoint.name` to Unknown - enabled: true - template: Unknown - target: ocsf.dst_endpoint.name - replaceMissing: false - type: schema-processor - name: Apply OCSF schema for 4001 + name: Apply OCSF schema for 0 enabled: true schema: schemaType: ocsf version: 1.5.0 - className: Network Activity - classUid: 4001 + className: Base Event + classUid: 0 extensions: [] profiles: - host 
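Review bot: In the relocated 5019 pipeline the `UID` → `ocsf.actor.process.user.name` mapper keeps `preserveSource: false` while this commit flips the same mapper to `true` in hunks -1907, -2087 and -2370, and the `uid` mapper of this same pipeline (hunk -3208) is `true`; one of the two values looks like a leftover. Likewise `ocsf.metadata.product.name` changes to `preserveSource: false` here while the SOCKADDR pipeline's copy (hunk -2643) keeps `true`. Dropping the raw `UID` attribute also removes a field analysts can pivot on, so please confirm `false` is deliberate before merging.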
@@ -3414,27 +3741,12 @@ pipeline: - name: ocsf.activity_id categories: - filter: - query: "@SYSCALL:(connect OR accept OR accept4)" - name: Open - id: 1 - - filter: - query: "@SYSCALL:(sendto OR recvfrom)" - name: Traffic - id: 6 - - filter: - query: "@SYSCALL:listen" - name: Listen - id: 7 - - filter: - query: "@SYSCALL:bind" + query: "*" name: Other id: 99 targets: name: ocsf.activity_name id: ocsf.activity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.severity_id categories: @@ -3445,26 +3757,24 @@ pipeline: targets: name: ocsf.severity id: ocsf.severity_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.status_id categories: - filter: - query: "@success:yes" + query: '@msg.res:("success" OR 1)' name: Success id: 1 - filter: - query: "@success:no" + query: '@msg.res:("failed" OR 2)' name: Failure id: 2 + - filter: + query: "*" + name: Unknown + id: 0 targets: name: ocsf.status id: ocsf.status_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: Map `timestamp` to `ocsf.time` sources: @@ -3498,7 +3808,6 @@ pipeline: - type sourceType: attribute target: ocsf.metadata.event_code - targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper 
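Review bot: The new `ocsf.status_id` queries look only at `@msg.res`, yet two of the event types this pipeline now handles carry `res=` outside the `msg='…'` block: the `MAC_STATUS` sample in the test file reads `… lsm=selinux res=1…` and the `DAEMON_CONFIG` sample reads `… subj=… res=success AUID=…`. If the parser stores those as `@res` rather than `@msg.res` (the grok rules are not in this diff), the `OR 1` alternative never matches and both types always fall through to the new `*` → Unknown bucket. Consider `query: '(@msg.res:("success" OR 1) OR @res:("success" OR 1))'` and `query: '(@msg.res:("failed" OR 2) OR @res:("failed" OR 2))'`, and add a `MAC_STATUS` or `DAEMON_CONFIG` expectation asserting `status: Success` so the mapping is pinned by a test.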
@@ -3520,85 +3829,31 @@ pipeline: preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `exe` to `ocsf.actor.process.path` - sources: - - exe - sourceType: attribute - target: ocsf.actor.process.path - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `comm` to `ocsf.actor.process.name` - sources: - - comm - sourceType: attribute - target: ocsf.actor.process.name - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `pid` to `ocsf.actor.process.pid` - sources: - - pid - sourceType: attribute - target: ocsf.actor.process.pid - targetFormat: integer - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `uid` to `ocsf.actor.process.user.uid` - sources: - - uid - sourceType: attribute - target: ocsf.actor.process.user.uid - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `UID` to `ocsf.actor.process.user.name` - sources: - - UID - sourceType: attribute - target: ocsf.actor.process.user.name - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `auid` to `ocsf.actor.user.uid` - sources: - - auid - sourceType: attribute - target: ocsf.actor.user.uid - targetFormat: string - preserveSource: true - overrideOnConflict: true - type: schema-remapper - - name: Map `AUID` to `ocsf.actor.user.name` + - name: Map `type` to `ocsf.activity_name` sources: - - AUID + - type sourceType: attribute - target: ocsf.actor.user.name + target: ocsf.activity_name targetFormat: string preserveSource: true overrideOnConflict: true type: schema-remapper - - name: Map `ses` to `ocsf.actor.session.uid` + - name: Map `ocsf.device.name` to `ocsf.device.name` sources: - - ses + - ocsf.device.name sourceType: attribute - target: ocsf.actor.session.uid + target: ocsf.device.name targetFormat: string - 
preserveSource: true + preserveSource: false overrideOnConflict: true type: schema-remapper - - name: Map `tty` to `ocsf.actor.session.terminal` + - name: Map `ocsf.device.os.name` to `ocsf.device.os.name` sources: - - tty + - ocsf.device.os.name sourceType: attribute - target: ocsf.actor.session.terminal + target: ocsf.device.os.name targetFormat: string - preserveSource: true + preserveSource: false overrideOnConflict: true type: schema-remapper - name: ocsf.device.os.type_id @@ -3610,9 +3865,6 @@ pipeline: targets: name: ocsf.device.os.type id: ocsf.device.os.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper - name: ocsf.device.type_id categories: @@ -3623,7 +3875,4 @@ pipeline: targets: name: ocsf.device.type id: ocsf.device.type_id - fallback: - values: {} - sources: {} type: schema-category-mapper diff --git a/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml b/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml index 605c4a1536613..190aa5cbc1e8e 100644 --- a/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml +++ b/linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml @@ -14,7 +14,7 @@ tests: hostname: "10.10.10.10" lport: 3307 op: - - "add" + - "add" proto: 6 res: "success" resrc: "port" 
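Review bot: The added `type` → `ocsf.activity_name` remapper only works because the `ocsf.activity_id` category mapper earlier in what appears to be the same Base Event sub pipeline first writes `Other`/99, which this remapper then replaces with the raw audit record type via `overrideOnConflict: true`; nothing in the processor name records that ordering dependency, and moving it above the category mapper would silently leave `activity_name` at `Other`. Suggest stating it in the name: `name: Map type to ocsf.activity_name (custom activity name for id 99; must run after the activity_id mapper)`. The enclosing sub pipeline starts before this hunk, so I could not confirm there is no intervening pipeline boundary between the two processors.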
@@ -74,15 +74,16 @@ tests: ses: 138 status: "ok" subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" - timestamp: 1.736329118112E12 + timestamp: 1736329118112 type: "USER_MAC_CONFIG_CHANGE" usr: id: 0 name: "root" + uid: 0 message: "type=USER_MAC_CONFIG_CHANGE msg=audit(1736329118.112:6532): pid=381980 uid=0 auid=0 ses=138 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=port op=add lport=3307 proto=6 tcontext=system_u:object_r:mysqld_port_t:s0 comm=\"semanage\" exe=\"/usr/libexec/platform-python3.6\" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'UID=\"root\" AUID=\"root\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1736329118112 - sample: "type=USER_AUTH msg=audit(1740139921.923:1778): pid=155615 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct=\"devuser\" exe=\"/usr/sbin/sshd\" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'UID=\"root\" AUID=\"unset\"" @@ -95,12 +96,12 @@ tests: acct: "devuser" exe: "/usr/sbin/sshd" grantors: - - "pam_usertype" - - "pam_localuser" - - "pam_unix" + - "pam_usertype" + - "pam_localuser" + - "pam_unix" hostname: "10.10.10.10" op: - - "PAM:authentication" + - "PAM:authentication" res: "success" terminal: "ssh" msg_raw: "" @@ -148,7 +149,7 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "1778" version: "1.5.0" severity: "Informational" 
@@ -164,15 +165,17 @@ tests: ses: 4294967295 status: "ok" subj: "system_u:system_r:sshd_t:s0-s0:c0.c1023" - timestamp: 1.740139921923E12 + timestamp: 1740139921923 type: "USER_AUTH" usr: id: 0 name: "root" + uid: 0 + UID: root message: "type=USER_AUTH msg=audit(1740139921.923:1778): pid=155615 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct=\"devuser\" exe=\"/usr/sbin/sshd\" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'UID=\"root\" AUID=\"unset\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740139921923 - sample: "type=MAC_STATUS msg=audit(1740386730.535:1674): enforcing=0 old_enforcing=1 auid=1001 ses=36 enabled=1 old-enabled=1 lsm=selinux res=1AUID=\"devuser\"" @@ -264,12 +267,14 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "182" version: "1.5.0" severity: "Informational" severity_id: 1 time: 1669185724533 + status_id: 0 + status: Unknown operation: "getattr" outcome: "DENIED" permissive: 0 
@@ -279,11 +284,11 @@ tests: scontext: "unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023" tclass: "filesystem" tcontext: "system_u:object_r:proc_t:s0" - timestamp: 1.669185724533E12 + timestamp: 1669185724533 type: "AVC" message: "type=AVC msg=audit(1669185724.533:182): avc: denied { getattr } for pid=16660 comm=\"groupadd\" name=\"/\" dev=\"proc\" ino=1 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1669185724533 - sample: "type=USER_SELINUX_ERR msg=audit(1669714331.555:198): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Regex version mismatch, expected: 10.37 2021-05-26 actual: 10.40 2022-04-14 exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh'UID=\"root\" AUID=\"unset\" SAUID=\"root\"" @@ -327,18 +332,20 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "198" version: "1.5.0" severity: "Informational" severity_id: 1 time: 1669714331555 + status_id: 0 + status: Unknown pid: 1 post_msg_kv: "" pre_msg_kv: "" ses: 4294967295 subj: "system_u:system_r:init_t:s0" - timestamp: 1.669714331555E12 + timestamp: 1669714331555 type: "USER_SELINUX_ERR" uid: 0 usr: 
@@ -346,7 +353,7 @@ tests: name: "root" message: "type=USER_SELINUX_ERR msg=audit(1669714331.555:198): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Regex version mismatch, expected: 10.37 2021-05-26 actual: 10.40 2022-04-14 exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh'UID=\"root\" AUID=\"unset\" SAUID=\"root\"" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1669714331555 - sample: "type=USER_ROLE_CHANGE msg=audit(1741000050.325:2606): pid=60958 uid=0 auid=1001 ses=64 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe=\"/usr/sbin/sshd\" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'UID=\"root\" AUID=\"devuser\"" @@ -446,25 +453,27 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "121" version: "1.5.0" severity: "Informational" severity_id: 1 time: 1678360880644 + status_id: 0 + status: Unknown old_val: 0 post_msg_kv: "" pre_msg_kv: "" ses: 1 - timestamp: 1.678360880644E12 + timestamp: 1678360880644 type: "MAC_CONFIG_CHANGE" usr: id: 1000 name: "serviceuser" val: 1 - message: "type=MAC_CONFIG_CHANGE msg=audit(1678360880.644:121): bool=virt_use_nfs val=1 old_val=0 auid=1000 ses=1\x1dAUID=\"serviceuser\"" + message: "type=MAC_CONFIG_CHANGE msg=audit(1678360880.644:121): bool=virt_use_nfs val=1 old_val=0 auid=1000 ses=1\x1DAUID=\"serviceuser\"" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1678360880644 - sample: "type=ADD_GROUP msg=audit(1740980591.704:5766): pid=12258 uid=0 auid=1001 ses=535 subj=unconfined msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ub10-10-10-10 addr=10.10.10.10 terminal=pts/3 res=success'UID=\"root\" AUID=\"serviceuser\" ID=\"demo\"" 
@@ -479,7 +488,7 @@ tests: hostname: "ub10-10-10-10" id: 1004 op: - - "adding group to /etc/group" + - "adding group to /etc/group" res: "success" terminal: "pts/3" msg_raw: "" @@ -526,7 +535,7 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "5766" version: "1.5.0" severity: "Informational" @@ -540,15 +549,17 @@ tests: ses: 535 status: "ok" subj: "unconfined" - timestamp: 1.740980591704E12 + timestamp: 1740980591704 type: "ADD_GROUP" usr: id: 0 name: "root" + uid: 0 + UID: root message: "type=ADD_GROUP msg=audit(1740980591.704:5766): pid=12258 uid=0 auid=1001 ses=535 subj=unconfined msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ub10-10-10-10 addr=10.10.10.10 terminal=pts/3 res=success'UID=\"root\" AUID=\"serviceuser\" ID=\"demo\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740980591704 - sample: "type=DEL_GROUP msg=audit(1765794074.279:2333): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-group grp=\"testuser\" acct=\"testuser\" exe=\"/usr/sbin/userdel\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"serviceuser\"" @@ -563,7 +574,7 @@ tests: grp: "testuser" hostname: "localhost" op: - - "delete-group" + - "delete-group" res: "success" terminal: "pts/1" msg_raw: "" @@ -610,7 +621,7 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "2333" version: "1.5.0" severity: "Informational" 
@@ -624,15 +635,17 @@ tests: ses: 27 status: "ok" subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" - timestamp: 1.765794074279E12 + timestamp: 1765794074279 type: "DEL_GROUP" usr: id: 0 name: "root" - message: "type=DEL_GROUP msg=audit(1765794074.279:2333): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-group grp=\"testuser\" acct=\"testuser\" exe=\"/usr/sbin/userdel\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"serviceuser\"" + uid: 0 + UID: root + message: "type=DEL_GROUP msg=audit(1765794074.279:2333): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-group grp=\"testuser\" acct=\"testuser\" exe=\"/usr/sbin/userdel\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1DUID=\"root\" AUID=\"serviceuser\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1765794074279 - sample: "type=ADD_USER msg=audit(1635509157.089:345): pid=73290 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct=\"serviceuser\" exe=\"/usr/sbin/useradd\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"root\"" @@ -646,7 +659,7 @@ tests: exe: "/usr/sbin/useradd" hostname: "localhost" op: - - "add-user" + - "add-user" res: "success" terminal: "pts/1" msg_raw: "" @@ -691,7 +704,7 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "345" version: "1.5.0" severity: "Informational" 
@@ -707,15 +720,17 @@ tests: ses: 3 status: "ok" subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" - timestamp: 1.635509157089E12 + timestamp: 1635509157089 type: "ADD_USER" usr: id: 0 name: "root" - message: "type=ADD_USER msg=audit(1635509157.089:345): pid=73290 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct=\"serviceuser\" exe=\"/usr/sbin/useradd\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"root\"" + uid: 0 + UID: root + message: "type=ADD_USER msg=audit(1635509157.089:345): pid=73290 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct=\"serviceuser\" exe=\"/usr/sbin/useradd\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1DUID=\"root\" AUID=\"root\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1635509157089 - sample: "type=DEL_USER msg=audit(1740379094.277:2332): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-user id=1003 exe=\"/usr/sbin/userdel\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"serviceuser\" ID=\"testuser\"" @@ -730,7 +745,7 @@ tests: hostname: "localhost" id: 1003 op: - - "delete-user" + - "delete-user" res: "success" terminal: "pts/1" msg_raw: "" @@ -775,7 +790,7 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "2332" version: "1.5.0" severity: "Informational" 
@@ -792,15 +807,17 @@ tests: ses: 27 status: "ok" subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" - timestamp: 1.740379094277E12 + timestamp: 1740379094277 type: "DEL_USER" usr: id: 0 name: "root" - message: "type=DEL_USER msg=audit(1740379094.277:2332): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-user id=1003 exe=\"/usr/sbin/userdel\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"serviceuser\" ID=\"testuser\"" + uid: 0 + UID: root + message: "type=DEL_USER msg=audit(1740379094.277:2332): pid=161731 uid=0 auid=1001 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-user id=1003 exe=\"/usr/sbin/userdel\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1DUID=\"root\" AUID=\"serviceuser\" ID=\"testuser\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740379094277 - sample: "type=USER_CHAUTHTOK msg=audit(1635509189.860:347): pid=73297 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_pwquality,pam_unix acct=\"serviceuser\" exe=\"/usr/bin/passwd\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"root\"" @@ -813,11 +830,11 @@ tests: acct: "serviceuser" exe: "/usr/bin/passwd" grantors: - - "pam_pwquality" - - "pam_unix" + - "pam_pwquality" + - "pam_unix" hostname: "localhost" op: - - "PAM:chauthtok" + - "PAM:chauthtok" res: "success" terminal: "pts/1" msg_raw: "" @@ -862,7 +879,7 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "347" version: "1.5.0" severity: "Informational" 
@@ -878,15 +895,17 @@ tests: ses: 3 status: "ok" subj: "unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023" - timestamp: 1.63550918986E12 + timestamp: 1635509189860 type: "USER_CHAUTHTOK" usr: id: 0 name: "root" - message: "type=USER_CHAUTHTOK msg=audit(1635509189.860:347): pid=73297 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_pwquality,pam_unix acct=\"serviceuser\" exe=\"/usr/bin/passwd\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1dUID=\"root\" AUID=\"root\"" + uid: 0 + UID: root + message: "type=USER_CHAUTHTOK msg=audit(1635509189.860:347): pid=73297 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=pam_pwquality,pam_unix acct=\"serviceuser\" exe=\"/usr/bin/passwd\" hostname=localhost addr=10.10.10.10 terminal=pts/1 res=success'\x1DUID=\"root\" AUID=\"root\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1635509189860 - sample: "type=ROLE_ASSIGN msg=audit(1740720945.670:879): pid=11107 uid=0 auid=1001 ses=21 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser-role,range id=0 old-seuser=user_u old-role=user_r old-range=s0 new-seuser=user_u new-role=staff_r new-range=s0 exe=/sbin/semanage hostname=localhost addr=10.10.10.10 terminal=pts/0 res=success'\x1dUID=\"root\" AUID=\"serviceuser\" ID=\"root\"" @@ -907,8 +926,8 @@ tests: old-role: "user_r" old-seuser: "user_u" op: - - "seuser-role" - - "range" + - "seuser-role" + - "range" res: "success" terminal: "pts/0" msg_raw: "" @@ -953,11 +972,11 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "879" version: "1.5.0" privileges: - - "staff_r" + - "staff_r" severity: "Informational" severity_id: 1 status: "Success" 
@@ -972,15 +991,17 @@ tests: ses: 21 status: "ok" subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" - timestamp: 1.74072094567E12 + timestamp: 1740720945670 type: "ROLE_ASSIGN" usr: id: 0 name: "root" - message: "type=ROLE_ASSIGN msg=audit(1740720945.670:879): pid=11107 uid=0 auid=1001 ses=21 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser-role,range id=0 old-seuser=user_u old-role=user_r old-range=s0 new-seuser=user_u new-role=staff_r new-range=s0 exe=/sbin/semanage hostname=localhost addr=10.10.10.10 terminal=pts/0 res=success'\x1dUID=\"root\" AUID=\"serviceuser\" ID=\"root\"" + uid: 0 + UID: root + message: "type=ROLE_ASSIGN msg=audit(1740720945.670:879): pid=11107 uid=0 auid=1001 ses=21 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser-role,range id=0 old-seuser=user_u old-role=user_r old-range=s0 new-seuser=user_u new-role=staff_r new-range=s0 exe=/sbin/semanage hostname=localhost addr=10.10.10.10 terminal=pts/0 res=success'\x1DUID=\"root\" AUID=\"serviceuser\" ID=\"root\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740720945670 - sample: "type=ROLE_REMOVE msg=audit(1740130059.788:1002): pid=49119 uid=0 auid=1001 ses=17 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser id=0 old-seuser=test1 old-role=user_r old-range=s0 new-seuser=user_u new-role=user_r new-range=s0 exe=/sbin/semanage hostname=localhost addr=10.10.10.10 terminal=pts/0 res=success'\x1dUID=\"root\" AUID=\"devuser\" ID=\"root\"" @@ -1001,7 +1022,7 @@ tests: old-role: "user_r" old-seuser: "test1" op: - - "seuser" + - "seuser" res: "success" terminal: "pts/0" msg_raw: "" @@ -1046,11 +1067,11 @@ tests: name: "Auditd" vendor_name: "Linux" profiles: - - "host" + - "host" uid: "1002" version: "1.5.0" privileges: - - "user_r" + - "user_r" severity: "Informational" severity_id: 1 status: "Success" 
@@ -1065,15 +1086,17 @@ tests: ses: 17 status: "ok" subj: "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" - timestamp: 1.740130059788E12 + timestamp: 1740130059788 type: "ROLE_REMOVE" usr: id: 0 name: "root" - message: "type=ROLE_REMOVE msg=audit(1740130059.788:1002): pid=49119 uid=0 auid=1001 ses=17 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser id=0 old-seuser=test1 old-role=user_r old-range=s0 new-seuser=user_u new-role=user_r new-range=s0 exe=/sbin/semanage hostname=localhost addr=10.10.10.10 terminal=pts/0 res=success'\x1dUID=\"root\" AUID=\"devuser\" ID=\"root\"" + uid: 0 + UID: root + message: "type=ROLE_REMOVE msg=audit(1740130059.788:1002): pid=49119 uid=0 auid=1001 ses=17 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=seuser id=0 old-seuser=test1 old-role=user_r old-range=s0 new-seuser=user_u new-role=user_r new-range=s0 exe=/sbin/semanage hostname=localhost addr=10.10.10.10 terminal=pts/0 res=success'\x1DUID=\"root\" AUID=\"devuser\" ID=\"root\"" status: "ok" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740130059788 - sample: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/etc/shadow\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" 
@@ -1135,14 +1158,16 @@ tests: post_msg_kv: "" pre_msg_kv: "" rdev: "00:00" - timestamp: 1.740378301873E12 + timestamp: 1740378301873 type: "PATH" usr: id: 0 name: "root" - message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/etc/shadow\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + OUID: root + ouid: 0 + message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/etc/shadow\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1DOUID=\"root\" OGID=\"root\"" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740378301873 - sample: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/x86_64-linux-gnu/libcrypt.so.1\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" 
@@ -1205,14 +1230,16 @@ tests: post_msg_kv: "" pre_msg_kv: "" rdev: "00:00" - timestamp: 1.740378301873E12 + timestamp: 1740378301873 type: "PATH" usr: id: 0 name: "root" - message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/x86_64-linux-gnu/libcrypt.so.1\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + OUID: root + ouid: 0 + message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/x86_64-linux-gnu/libcrypt.so.1\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1DOUID=\"root\" OGID=\"root\"" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740378301873 - sample: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/\" inode=50314523 dev=fd:03 mode=0040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" 
@@ -1274,14 +1301,16 @@ tests: post_msg_kv: "" pre_msg_kv: "" rdev: "00:00" - timestamp: 1.740378301873E12 + timestamp: 1740378301873 type: "PATH" usr: id: 0 name: "root" - message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/\" inode=50314523 dev=fd:03 mode=0040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + OUID: root + ouid: 0 + message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/lib/\" inode=50314523 dev=fd:03 mode=0040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1DOUID=\"root\" OGID=\"root\"" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740378301873 - sample: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/run/nginx.pid\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" 
@@ -1344,14 +1373,16 @@ tests: post_msg_kv: "" pre_msg_kv: "" rdev: "00:00" - timestamp: 1.740378301873E12 + timestamp: 1740378301873 type: "PATH" usr: id: 0 name: "root" - message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/run/nginx.pid\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1dOUID=\"root\" OGID=\"root\"" + OUID: root + ouid: 0 + message: "type=PATH msg=audit(1740378301.873:2247): item=0 name=\"/run/nginx.pid\" inode=50314523 dev=fd:03 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\x1DOUID=\"root\" OGID=\"root\"" tags: - - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" timestamp: 1740378301873 - sample: "type=DAEMON_CONFIG msg=audit(1740139921.923:946): op=reconfigure state=changed auid=1001 pid=12258 subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 res=success AUID=\"serviceuser\""