audito-maldito

command module
v0.4.1
Published: Jul 21, 2023 License: Apache-2.0 Imports: 7 Imported by: 0

README

audito-maldito

audito-maldito is a daemon that monitors OpenSSH server logins and produces structured audit events describing what authenticated users did while logged in (e.g., what programs they executed).

audito-maldito monitors OpenSSH logins and then attempts to correlate authenticated user sessions with Linux kernel audit sessions. Once an audit session has been identified, new audito-maldito events are generated each time the Linux audit session receives a new event. This allows the application to tie an OpenSSH user's identity to their Linux audit session. For example, if a user authenticates using an SSH certificate, certificate details like the fingerprint and key ID will appear in each resulting audito-maldito audit event. These resulting events are written to a customizable file path.

Sysadmins define audit policy using auditd's audit.rules. audito-maldito simply honors whatever Linux audit events appear in the Linux auditd event stream.

For more information about configuring audito-maldito, please refer to the Configuration section.

System requirements

Audit event types

The following subsections detail the different types of audit events generated by audito-maldito. For more information about the structure of these events, please refer to the auditevent library.

UserLogin

Occurs when a user logs in via sshd.

Example:

{
  "component": "sshd",
  "data": {
    "Alg": "ECDSA-CERT SHA256",
    "CA": "CA ED25519 SHA256:JKH45TJj6tNHO/E/VtWZGunEY7C8VLFjVFv6bDq/5VY=",
    "SSHKeySum": "JKH45TJj6tNHO/E/VtWZGunEY7C8VLFjVFv6bDq/5VY",
    "Serial": "350"
  },
  "loggedAt": "2023-03-17T13:37:01.952459Z",
  "metadata": {
    "auditId": "ffffffff-ffff-ffff-ffff-ffffffffffff"
  },
  "outcome": "succeeded",
  "source": {
    "extra": {
      "port": "59145"
    },
    "type": "IP",
    "value": "6.6.6.2"
  },
  "subjects": {
    "loggedAs": "core",
    "pid": "3076344",
    "userID": "user@foo.com"
  },
  "target": {
    "host": "blam",
    "machine-id": "deadbeef"
  },
  "type": "UserLogin"
}

UserAction

Occurs when an authenticated sshd user does something (example: the user executes rizin).

Example:

{
  "component": "auditd",
  "loggedAt": "2023-03-17T13:37:38.126Z",
  "metadata": {
    "auditId": "67",
    "extra": {
      "action": "executed",
      "how": "bash",
      "object": {
        "primary": "/usr/local/bin/rizin",
        "type": "file"
      }
    }
  },
  "outcome": "failed",
  "source": {
    "extra": {
      "port": "56734"
    },
    "type": "IP",
    "value": "6.6.6.2"
  },
  "subjects": {
    "loggedAs": "core",
    "pid": "2868326",
    "userID": "user@foo.com"
  },
  "target": {
    "host": "the-best-computer",
    "machine-id": "deadbeef"
  },
  "type": "UserAction"
}

Installation and deployment

audito-maldito can be run as a standalone application (such as a systemd unit) or as a Kubernetes DaemonSet. At Equinix Metal, we deploy the application in Kubernetes using a Helm chart. The chart relies on rsyslog, which is responsible for passing OpenSSH daemon logs and Linux audit logs to audito-maldito using named pipes. audito-maldito reads from these named pipes and then writes its audit events to another named pipe.

The following subsections discuss several installation and deployment methods.

From source

If you would like to build from source, you can use go build if you have a copy of the source code on hand:

go build

Kubernetes

A Helm chart can be found in the equinixmetal-helm GitHub organization:

Container image

A pre-built container image can be found in GitHub's container registry:

Configuration

The following subsections discuss audito-maldito's configuration.

Required data sources

audito-maldito reads input data from named pipes (FIFOs). It expects these data sources to be specified using the following arguments:

  • -auditd-log-file-path - The file path to a named pipe that produces Linux auditd events (i.e., events from "/var/log/audit/audit.log")
  • -sshd-log-file-path - The file path to a named pipe that produces OpenSSH sshd logs

Required files

The following files are required by audito-maldito to run:

  • /etc/os-release - Many Linux distributions provide this file. It specifies details such as the distribution name and version
  • /etc/machine-id - This file is managed by systemd. It contains an identifier for the computer

Output data

Audit events produced by audito-maldito are written to /app-audit/audit.log by default (this can be a regular file or a named pipe). This file path can be customized using the -app-events-output argument.
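As an added example (not part of audito-maldito itself), the following Go program consumes the output file described above and applies a simple detection rule to the UserAction events shown earlier: it flags any execution of a program on a watch list, keeping the SSH identity, host, outcome and auditId so an analyst can pivot back into the kernel audit trail. It assumes one JSON event per line in the output file; the Event struct maps only the fields that appear in the README examples, and the watch list and Sample feed are constructed inputs.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Event holds the subset of audito-maldito fields used here; names follow the README examples.
type Event struct {
	Type     string                                `json:"type"`
	Outcome  string                                `json:"outcome"`
	Subjects struct{ UserID string `json:"userID"` } `json:"subjects"`
	Target   struct{ Host string `json:"host"` }     `json:"target"`
	Metadata struct {
		AuditID string `json:"auditId"`
		Extra   struct { Action string `json:"action"`; Object struct{ Primary string `json:"primary"` } `json:"object"` } `json:"extra"`
	} `json:"metadata"`
}

type Finding struct{ UserID, Host, Program, Outcome, AuditID string } // one flagged execution

// ScanEvents reads one JSON event per line (an assumption about the output layout) and flags UserAction
// events that executed a program in watch. A malformed line is an error, not a silent skip, so gaps are visible.
func ScanEvents(r io.Reader, watch map[string]bool) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		var ev Event
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil {
			return out, fmt.Errorf("malformed event: %w", err)
		}
		if ev.Type != "UserAction" || ev.Metadata.Extra.Action != "executed" || !watch[ev.Metadata.Extra.Object.Primary] {
			continue
		}
		out = append(out, Finding{ev.Subjects.UserID, ev.Target.Host, ev.Metadata.Extra.Object.Primary, ev.Outcome, ev.Metadata.AuditID})
	}
	return out, sc.Err()
}

// Sample is a constructed two-event feed modelled on the README's UserLogin and UserAction examples.
const Sample = `{"type":"UserLogin","outcome":"succeeded","subjects":{"loggedAs":"core","userID":"user@foo.com"},"target":{"host":"blam"},"metadata":{"auditId":"ffffffff-ffff-ffff-ffff-ffffffffffff"}}
{"type":"UserAction","outcome":"failed","subjects":{"loggedAs":"core","userID":"user@foo.com"},"target":{"host":"the-best-computer"},"metadata":{"auditId":"67","extra":{"action":"executed","how":"bash","object":{"primary":"/usr/local/bin/rizin","type":"file"}}}}`

func main() {
	findings, err := ScanEvents(strings.NewReader(Sample), map[string]bool{"/usr/local/bin/rizin": true})
	fmt.Println(findings, err) // prints [{user@foo.com the-best-computer /usr/local/bin/rizin failed 67}] <nil>
}
```

To run it against a live deployment, replace the Sample reader with the file or named pipe given to -app-events-output.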

Development

If you are a developer or looking to contribute, the following automation may come in handy.

Building a container image

To build the binary in a container, run:

make image

Note that you'll need to have Docker installed.

Directories

Path - Synopsis

  • cmd - Package cmd abstracts the "main" function's logic out of the main package for integration testing purposes.
  • ingesters/auditlog - auditlog package processes the /var/log/audit/audit.log log file.
  • internal - package internal contains the core logic for event audit
  • common - Package common provides functionality that is used in more than one internal library.
  • metrics - package metrics is a common package for audito maldito's metrics.
  • util - Package util provides utility functionality.
  • processors - processors package for different types of processors
  • auditd - Package auditd provides functionality for extracting audit information from the Linux kernel's built-in auditing functionality.
  • auditd/gen-extra-map - gen-extra-map generates a Go function that validates the Extra map included in auditevent.AuditEvent metadata for a given event index.
  • varlogsecure - Package varlogsecure provides a way to read the contents of /var/log/secure and process them into ssh login events.