
SPEC Audit Event Enrichment

Steve Grubb edited this page Jun 18, 2019 · 4 revisions

Introduction

There are times when audit events are stored on another machine and need to be searched at a later date. Some parts of an audit event are transient in nature or unique to the system that produced it. This makes translating numeric fields into human-readable form hard or impossible unless a report is run at the time of the event or on the machine where the event occurred.

To address this issue, the audit daemon will get a new log_format option, ENRICHED, where the audit trail will be amended as follows at the time a record is received from the kernel:

Translations will be:

  • A GS ASCII character, 0x1D, will be inserted to separate original and translated fields.
  • After the GS character, translation fields with the original field's name in all capital letters will be appended in the order of occurrence in the original event.
  • Fields shall be encoded if user-controlled data is used for enrichment (uid/gid)

The auparse library will:

  • preferentially use these fields whenever an interpretation is requested
  • if none exist, fall back to looking up the fields on the local machine
  • Ausearch will hide them unless the --raw command line option is given

The fields that will be resolved at event time are:

  • *uid (translation is user defined)
  • *gid (translation is admin defined)
  • saddr (split into its constituent pieces)
  • arch
  • syscall
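As an added illustration of the ENRICHED record layout and the auparse lookup order described above (example code written for this page, not part of the audit-userspace project), the parser below splits a record at the GS byte, prefers the upper-case translation fields, and falls back to the local passwd/group database only when no translation exists. The sample record is constructed, and treating an unquoted all-hex translation value as hex-encoded is an assumption based on audit's usual escaping convention.

```python
import grp
import pwd

GS = "\x1d"  # ASCII Group Separator: splits original fields from their translations

def parse_fields(text):
    """Turn 'key=value key2=value2 ...' into a dict (whitespace-separated tokens)."""
    pairs = (tok.partition("=") for tok in text.split())
    return {key: val for key, sep, val in pairs if sep}

def parse_enriched(line):
    """Return (original fields, enrichment fields); the latter is empty for a plain record."""
    raw, _, enriched = line.partition(GS)
    return parse_fields(raw), parse_fields(enriched)

def decode_enriched_value(val):
    """Quoted values are literal. An unquoted all-hex value is assumed to be hex-encoded,
    audit's usual way of escaping values that hold unprintable or quote characters."""
    if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
        return val[1:-1]
    if val and len(val) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in val):
        return bytes.fromhex(val).decode("utf-8", "replace")
    return val

def local_lookup(field, value):
    """Fallback when no enrichment exists: resolve the id on the local machine."""
    try:
        if field.endswith("uid"):
            return pwd.getpwuid(int(value)).pw_name
        if field.endswith("gid"):
            return grp.getgrgid(int(value)).gr_name
    except (KeyError, ValueError):
        pass
    return value  # no local mapping: hand the number back unchanged

def interpret(line, field, fallback=local_lookup):
    """Interpret one field the auparse way: prefer the FIELD translation, else resolve locally."""
    raw, enriched = parse_enriched(line)
    if field not in raw:
        return None
    if field.upper() in enriched:
        return decode_enriched_value(enriched[field.upper()])
    return fallback(field, raw[field])

# Constructed sample record, not captured from a real system.
SAMPLE = ("type=SYSCALL msg=audit(1560000000.123:42): arch=c000003e syscall=257 "
          "success=yes exit=3 uid=1000 gid=1000 comm=\"cat\"" + GS +
          "ARCH=x86_64 SYSCALL=openat UID=\"alice\" GID=\"alice\"")
```

Because the translation fields are consulted first, the record interprets identically on a collector that has no "alice" account; the part before the GS byte is exactly what ausearch prints without --raw.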