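# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log format plugin for FreeBSD/Solaris "praudit" output (BSM audit trails),
# including the -l one-event-per-line form and Snare-forwarded SolarisBSM lines.
# Audit records are split into "header", "subject", "attribute", "exec_args", "text",
# "path" and "return" pieces; each piece is matched below and its captures are stored
# into the collected entry '', which is emitted when the "return" piece is seen.

praudit = {

  plugin_version = "1.2"
  # NOTE(review): the changelog below records 1.2.1 but plugin_version was left at "1.2" - confirm which is intended.
  # 2006-12-21 - 1.0.1beta - KBB - added support for single digit day in date and simplified autodetect
  # 2007-09-13 - 1.0.1 - KBB - renumbered per new beta policy and changed name from beta_praudit.cfg
  # 2010-01-27 - 1.1 - gas - added support for new date format
  # 2010-01-28 - 1.2 - gas - changed subject end of section char from \t to ,
  # 2011-07-13 - 1.2.1 - MSG - Edited info lines.
  # [date] - [version] - review - header filters now store audit_event_id_modifier (previously wrote
  #   id_modifier, which is not a declared log field, so the modifier never reached the database);
  #   return_code accepts at most one leading '-'

  info.1.manufacturer = "FreeBSD"
  info.1.device = "praudit"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "praudit Log Format"
  log.miscellaneous.log_data_type = "other"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The expression form below was superseded by the single autodetect_regular_expression that follows it.
  #log.format.autodetect_expression = `
  #matches_regular_expression(volatile.log_data_line, 'header,[0-9]+,[0-9]+,[^,]+,[^,]*,[A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9 ][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9].* [0-9]+ msec') or
  #matches_regular_expression(volatile.log_data_line, 'header,[0-9]+,[0-9]+,[^,]+,[^,]*,[^,]*,[A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9 ][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9].* [0-9]+ msec')
  #`
  # ([^,]*,){2,3} covers both the 2-field (event,modifier) and 3-field (event,modifier,host) header
  # prefixes; the alternation covers the "Mon DD"-style and the "YYYY-MM-DD" date forms handled below.
  log.format.autodetect_regular_expression = 'header,[0-9]+,[0-9]+,([^,]*,){2,3}([A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9 ][0-9]|[0-9-]+) [0-9]+:[0-9]{2}:[0-9]{2}'

  # Nothing is parsed except through log.parsing_filters.parse below.
  log.format.parse_only_with_filters = "true"

  # Log fields - every name written by set_collected_field() in the parsing filter must appear here.
  log.fields = {
    date = ""
    time = ""
    audit_event_id = ""
    audit_event_id_modifier = ""
    invariant_audit_id = ""
    effective_user_id = ""
    effective_group_id = ""
    real_user_id = ""
    real_group_id = ""
    process_id = ""
    audit_session_id = ""
    terminal_id = ""
    text = ""
    return_message = ""
    return_code = ""
    path = ""
    # attribute
    access_mode = ""
    owner_user_id = ""
    owner_group_id = ""
    file_system_id = ""
    inode_id = ""
    device_id = ""
    # exec_args
    exec_args = ""
  } # log.fields

  log.parsing_filters.parse = `
#
# This supports praudit format with one event type per line, and in -l format with all
# events concatenated on a line.
# This also supports Snare Solaris praudit lines, which concatenate all these pieces, like this:
#
#<14> Jan 10 18:24:19 columbo SolarisBSM 1 header,151,2,execve(2),,Tue Jan 10 18:24:19 CLST 2005, + 699 msec path,/usr/sbin/in.telnetd attribute,100555,root,bin,85,9499,0 exec_args,1,in.telnetd subject,-2,root,root,root,root,18335,0,0 0 0.0.0.0 return,success,0 sequence,23438 snareseq,3
#
#calbuco SolarisBSM 1 header,115,2,connect(2),,Wed Dec 6 10:47:35 CLST 2006, + 431 msec,argument,1,0x3,so socket,0x0002,0x0002,0xb512,calbuco,0x22b0,calbuco subject,applmgr,applmgr,dba,applmgr,dba,22704,11737,0 1185 srvcitrixstg02.vtr.cl return,success,0 sequence,234837348 trailer,115 snareseq,1
#coloso SolarisBSM 4 header,180,2,open(2) - read write,,Tue Jan 31 16:24:55 CLST 2006, + 880 msec path,/devices/pci@8 700000/ebus@5/i2c@1 30/temperature@0 30:die_temp attribute,20600,root,sys,85,29453,42949672961 subject,-2,root,root,root,root,63,0,0 0 0.0.0.0 return,success,9 sequence,71104 snareseq,1
#
# In the concatenated forms a space separates one piece from the next, which is why several
# captures below stop at the first space; the one-piece-per-line form does not need that.

# Header, "Day Mon DD hh:mm:ss TZ YYYY" date with a 2-field prefix. Deliberately not anchored
# with ^ because the Snare lines above carry the header in mid-line.
#header,94,2,AUE_ssh,,Fri Jan 28 16:53:58 CST 2005, + 510 msec
if (matches_regular_expression(current_log_line(), 'header,[0-9]*,[0-9]*,([^,]*),([^,]*),[A-Z][a-z][a-z] ([A-Z][a-z][a-z]) ([0-9 ][0-9]) ([0-9]+:[0-9][0-9]:[0-9][0-9]) [A-Z]+ ([0-9]+),')) then (
  set_collected_field('', 'audit_event_id', $1);
  # was 'id_modifier', a name not declared in log.fields
  set_collected_field('', 'audit_event_id_modifier', $2);
  # date is assembled as DD/Mon/YYYY
  set_collected_field('', 'date', $4 . '/' . $3 . '/' . $6);
  set_collected_field('', 'time', $5);
);

# Header with a 3-field prefix (event, modifier, host) and a "Day Mon DD hh:mm:ss YYYY" date.
#header,215,4,execve(2),sp,fuddoi.hs.ltsr.xyz,Sun Jun 05 21:12:28 2003, + 0 msec,path,/usr/sbin/audit,attribute,100555,root,bin,118,848296,0,sensitivity label,ADMIN_LOW,use of privilege,successful use of priv,proc_dumpcore,subject,star,root,sysadmin,secadmin,sysadmin,743,560,0 0 fuddoi.hs.ltsr.xyz,sensitivity label,ADMIN_HIGH,return,success,0
else if (matches_regular_expression(current_log_line(), '^header,[0-9]*,[0-9]*,([^,]*),([^,]*),[^,]*,[A-Z][a-z][a-z] ([A-Z][a-z][a-z]) ([0-9 ][0-9]) ([0-9]+:[0-9][0-9]:[0-9][0-9]) ([0-9]+),')) then (
  set_collected_field('', 'audit_event_id', $1);
  set_collected_field('', 'audit_event_id_modifier', $2);
  set_collected_field('', 'date', $4 . '/' . $3 . '/' . $6);
  set_collected_field('', 'time', $5);
);

# 1.1 - gas
# Header with a 3-field prefix and an ISO-style "YYYY-MM-DD hh:mm:ss.fff +hh:mm" date.
# The fractional seconds and the UTC offset are matched but not stored.
# header,102,2,open(2) - read,fe,abc.abc.abc.com,2010-01-26 09:00:01.050 +00:00,path,/var/ld/ld.config,subject,FOLDER\qwertyuiop,root,root,root,root,24720,3029009386,5297 5632 10.47.26.36,return,failure: No such file or directory,-1
else if (matches_regular_expression(current_log_line(), '^header,[0-9]*,[0-9]*,([^,]*),([^,]*),[^,]*,([0-9-]+) ([0-9]+:[0-9][0-9]:[0-9][0-9])\\.([0-9]+) [+-][0-9:]+,')) then (
  set_collected_field('', 'audit_event_id', $1);
  set_collected_field('', 'audit_event_id_modifier', $2);
  set_collected_field('', 'date', $3);
  set_collected_field('', 'time', $4);
);

# Subject: audit id, effective uid/gid, real uid/gid, pid, session id, terminal id.
#subject,beckford,beckford,sysadmin,beckford,sysadmin,550,550,0 2190 192.169.255.19
# 1.2 gas - changed from \t to ,
#if (matches_regular_expression(current_log_line(), 'subject,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([0-9]*),([0-9]*),([^ ]*)')) then (
# NOTE(review): since 1.2 the terminal_id capture runs to the next comma, so on a concatenated line
# it may also swallow the following piece's name (e.g. "0 0 0.0.0.0 return") - confirm against real data.
if (matches_regular_expression(current_log_line(), 'subject,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([0-9]*),([0-9]*),([^,]*)')) then (
  set_collected_field('', 'invariant_audit_id', $1);
  set_collected_field('', 'effective_user_id', $2);
  set_collected_field('', 'effective_group_id', $3);
  set_collected_field('', 'real_user_id', $4);
  set_collected_field('', 'real_group_id', $5);
  set_collected_field('', 'process_id', $6);
  set_collected_field('', 'audit_session_id', $7);
  set_collected_field('', 'terminal_id', $8);
);

# Attribute: mode, owner, group, file system id, inode, device.
#attribute,100555,root,bin,85,9499,0
if (matches_regular_expression(current_log_line(), 'attribute,([0-9]*),([^,]*),([^,]*),([0-9]*),([0-9]*),([0-9]*)')) then (
  set_collected_field('', 'access_mode', $1);
  set_collected_field('', 'owner_user_id', $2);
  set_collected_field('', 'owner_group_id', $3);
  set_collected_field('', 'file_system_id', $4);
  set_collected_field('', 'inode_id', $5);
  set_collected_field('', 'device_id', $6);
);

# exec_args: the argument count is skipped; everything up to the first space is kept, so arguments
# containing spaces are cut short.
#exec_args,3,sh,-c,/usr/ucb/mail
if (matches_regular_expression(current_log_line(), 'exec_args,[0-9]*,([^ ]*)')) then (
  set_collected_field('', 'exec_args', $1);
);

# text: stops at the first comma or space, so the sample below yields only "invalid".
# NOTE(review): this loses the rest of failure reasons; a wider capture needs a reliable end-of-piece
# marker for the concatenated forms - confirm before changing.
#text,invalid password or publickey
if (matches_regular_expression(current_log_line(), 'text,([^, ]*)')) then (
  set_collected_field('', 'text', $1);
);

# path: same first-comma-or-space limit as text (see the "/devices/pci@8 700000/..." sample above).
if (matches_regular_expression(current_log_line(), 'path,([^, ]*)')) then (
  set_collected_field('', 'path', $1);
);

# Return: message and signed return code. Seeing this piece completes the event, so the collected
# entry is emitted here; pieces without a following return record are not emitted.
#return,failure: Interrupted system call,-1
if (matches_regular_expression(current_log_line(), 'return,([^,]*),(-?[0-9]+)')) then (
  set_collected_field('', 'return_message', $1);
  set_collected_field('', 'return_code', $2);
  accept_collected_entry('', false);
);
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    audit_event_id = ""
    audit_event_id_modifier = ""
    invariant_audit_id = ""
    effective_user_id = ""
    effective_group_id = ""
    real_user_id = ""
    real_group_id = ""
    process_id = ""
    audit_session_id = ""
    terminal_id = ""
    text = ""
    return_message = ""
    return_code = ""
    path = ""
    access_mode = ""
    owner_user_id = ""
    owner_group_id = ""
    file_system_id = ""
    inode_id = ""
    device_id = ""
    exec_args = ""
  } # database.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # NOTE(review): these session options name fields (page, hostname, page_views) that this format does
  # not declare; presumably carried over from a template and unused here - confirm.
  log.field_options = {
    sessions_page_field = "page"
    sessions_visitor_id_field = "hostname"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      audit_event_id = ""
      audit_event_id_modifier = ""
      invariant_audit_id = ""
      effective_user_id = ""
      effective_group_id = ""
      real_user_id = ""
      real_group_id = ""
      process_id = ""
      audit_session_id = ""
      terminal_id = ""
      text = ""
      return_message = ""
      return_code = ""
    } # report_groups
  } # create_profile_wizard_options

} # praudit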