Minimal receiver for audit_remote.so streams (from illumos/Solaris auditd)
which turns the audit records into JSON and inserts them into ElasticSearch.
Also designed to integrate with Joyent Triton for looking up the names of zones and their owners to annotate the events.
The event objects inserted into ElasticSearch look like:
{
"time": "2019-09-27T01:39:19.560Z",
"version": 2,
"zonealias": "uqracing-website",
"zonename": "d8069ac3-0a93-e9fb-d82e-d61541df45f9",
"from": "ip.of.global.zone",
"event": "execve",
"path": "/usr/bin/foobar",
"exec_args": [ "foobar", "-D", "-R" ],
"errno": "eperm",
"return": -1,
"subject": {
"pid": 608577,
"audit_id": 1001,
"uid": 0, "gid": 0,
"ruid": 0, "rgid": 0,
"session_id": 1663472728,
"terminal": {
"ip": "10.1.2.3",
"local_port": 22,
"remote_port": 61707
},
},
"attributes": {
"devid": "-1",
"fsid": 65556,
"uid": 0,
"gid": 0,
"inode_hex": "000000000000B344",
"mode_octal": "100755"
}
}The audit_remote.so traffic is always wrapped in GSS tokens, which means
it has to use a particular GSS mechanism plugin.
Currently there’s only support for the "dummy" GSS mech. This isn’t installed
by default with SmartOS or other illumos distros, so you’ll need to grab it
out of a compiled illumos directory (you can find it in
usr/src/lib/gss_mechs/mech_dummy/{i386,amd64}/mech_dummy.so.1). Copy this
into /usr/lib/gss and /usr/lib/64/gss and then add a line for it into
/etc/gss/mech.
Recommended way to do this for Triton CNs is to set up a service in
/opt/custom/smf which overlay mounts these two directories and injects the
mech_dummy.so.1 files.
In the gz-smf directory of this repository there are working examples of
SMF manifests and method scripts to achieve this. These examples are meant to
be placed in /opt/custom/lib/svc/method and the manifests in
/opt/custom/smf. The mech_dummy.so.1 files should be placed in
/opt/custom/lib/gss and /opt/custom/lib/amd64/gss.
auditrecv is meant to run in a zone on the admin VLAN, with a leg onto another network where it can reach the ElasticSearch server.
The Triton CNs should be set up to use the audit_remote plugin as follows:
auditconfig -setpolicy zonename,argv,cnt auditconfig -setplugin audit_remote active p_hosts=$IP_OF_AUDITRECV:1234:dummy
You’ll need to run that after reboot, and you probably want some extra commands to set the default flags for collection, too.
Recommended way once again is an SMF service in /opt/custom/smf which runs
these steps and then restarts the auditd service (and again, there’s an
example of this in the gz-smf directory).
To set up auditrecv itself, copy config/app.config.dist and
config/vm.args.dist to their names without .dist (i.e. config/app.config,
config/vm.args) and edit them. You’ll need to set the hostnames/IPs of
elasticsearch, VMAPI and Mahi. Then run rebar3 release to create a release
and move that into /opt/auditrecv.
You can then set up the auditrecv user, create the /var/log/auditrecv and
/var/db/auditrecv directories, and import the smf.xml file with svccfg.