In this post, we will see how to read the audit logs and what each line and field means.
For example audit.log file logged 4 lines as follows :
type=SYSCALL msg=audit(1640033159.053:177988798): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc736c18a0 a1=0 a2=1b6 a3=24 items=1 ppid=130071 pid=130082 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=318813 comm="pidstat" exe="/usr/bin/pidstat" key="access" type=PROCTITLE msg=audit(1640033159.053:177988797): proctitle=70696473746174002D727564002D6800310033 type=CWD msg=audit(1640033159.053:177988798): cwd="/u01/app/oracle/oracle.ahf/data/repository/suptools/rac01/oswbb/oracle/oswbb" type=PATH msg=audit(1640033159.053:177988798): item=0 name="/proc/674/io" inode=12022 dev=00:04 mode=0100400 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
The above event consists of four records, which share the same time stamp and serial number ( 1640033159.053:177988797 ). Records always start with the type= keyword. Each record consists of several name=value pairs separated by a white space or a comma. A detailed analysis of the above event follows:
The type field contains the type of the record. In this example, the SYSCALL value specifies that this record was triggered by a system call to the kernel. For a list of all possible type values and their explanations, see Audit Record Types.
The msg field records: a time stamp and a unique ID of the record in the form audit(time_stamp:ID). Multiple records can share the same time stamp and ID if they were generated as part of the same Audit event. The time stamp is using the Unix time format – seconds since 00:00:00 UTC on 1 January 1970. various event-specific name=value pairs provided by the kernel or user space applications.
The arch field contains information about the CPU architecture of the system. The value, c000003e, is encoded in hexadecimal notation. When searching Audit records with the ausearch command, use the -i or –interpret option to automatically convert hexadecimal values into their human-readable equivalents. The c000003e value is interpreted as x86_64.
The syscall field records the type of the system call that was sent to the kernel. The value, 2, can be matched with its human-readable equivalent in the /usr/include/asm/unistd_64.h file. In this case, 2 is the open system call. Note that the ausyscall utility allows you to convert system call numbers to their human-readable equivalents. Use the ausyscall –dump command to display a listing of all system calls along with their numbers. For more information, see the ausyscall(8) man page.
The success field records whether the system call recorded in that particular event succeeded or failed. In this case, the call did not succeed.
The exit field contains a value that specifies the exit code returned by the system call. This value varies for different system call. You can interpret the value to its human-readable equivalent with the following command:
a0=7ffc736c18a0 a1=0 a2=1b6 a3=24
The a0 to a3 fields record the first four arguments, encoded in hexadecimal notation, of the system call in this event. These arguments depend on the system call that is used; they can be interpreted by the ausearch utility.
The items field contains the number of PATH auxiliary records that follow the syscall record.
The ppid/pid field records the Parent Process ID and Process ID.
auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002
The auid field records the Audit user ID, User ID, Group ID, Effective User ID, Set User ID, Filesystem User ID, Effective Group ID, Set Group ID, Filesystem Group ID.
The tty field and session records the terminal from which the analyzed process was invoked.
The comm field records the command-line name of the command that was used to invoke the analyzed process. In this case, the cat command was used to trigger this Audit event.
The exe field records the path to the executable that was used to invoke the analyzed process.
The key field records the administrator-defined string associated with the rule that generated this event in the Audit log.
The type field contains the type of the record. In this example, the PROCTITLE value specifies that this record gives the full command-line that triggered this Audit event, triggered by a system call to the kernel.
The proctitle field records the full command-line of the command that was used to invoke the analyzed process. The field is encoded in hexadecimal notation to not allow the user to influence the Audit log parser. The text decodes to the command that triggered this Audit event. When searching Audit records with the ausearch command, use the -i or –interpret option to automatically convert hexadecimal values into their human-readable equivalents.
In the second record, the type field value is CWD — current working directory. This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed. The purpose of this record is to record the current process’s location in case a relative path winds up being captured in the associated PATH record. This way the absolute path can be reconstructed.
The msg field holds the same time stamp and ID value as the value in the first record. The time stamp is using the Unix time format – seconds since 00:00:00 UTC on 1 January 1970.
The cwd field contains the path to the directory in which the system call was invoked.
In the this record, the type field value is PATH. An Audit event contains a PATH-type record for every path that is passed to the system call as an argument.
The msg field holds the same time stamp and ID value as the value in the first and second record.
The item field indicates which item, of the total number of items referenced in the SYSCALL type record, the current record is. This number is zero-based; a value of 0 means it is the first item.
The name field records the path of the file or directory that was passed to the system call as an argument. In this case, it was the /proc/674/io file.
The inode field contains the inode number associated with the file or directory recorded in this event. The following command displays the file or directory that is associated with the 409248 inode number:
The dev field specifies the minor and major ID of the device that contains the file or directory recorded in this event.
The mode field records the file or directory permissions, encoded in numerical notation as returned by the stat command in the st_mode field. See the stat(2) man page for more information. In this case, 0100600 can be interpreted as -r——–, meaning that only the root user has read permissions for /proc/674/io.
The ouid field records the object owner’s user ID.
The ogid field records the object owner’s group ID.
The rdev field contains a recorded device identifier for special files only. In this case, it is not used as the recorded file is a regular file.
The objtype field records the intent of each path record’s operation in the context of a given syscall.