Open
opened on Jul 8, 2020
While testing the auparse command I saw that it doesn't summarize the values correctly or as expected. I wanted to know if this is done on purpose or if this needs additional effort for the interpreter.
Here is the example log:
```
type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=10 entries=0
type=SYSCALL msg=audit(1593786232.477:31): arch=c000003e syscall=272 success=yes exit=0 a0=40000000 a1=7fffd2436fb0 a2=40000040 a3=22 items=0 ppid=1 pid=769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ostnamed)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1593786232.477:31): proctitle="(ostnamed)"
```
Here is the command:
```
auparse -i -format yaml
```
And the result:
```yaml
timestamp: 2020-07-03T14:23:52.477Z
sequence: 31
category: configuration
record_type: netfilter_cfg
result: success
session: unset
summary:
  actor:
    primary: unset
    secondary: root
  action: loaded-firewall-rule-to
  object:
    type: firewall
    primary: filter
  how: /usr/lib/systemd/systemd
user:
  ids:
    auid: unset
    egid: "0"
    euid: "0"
    fsgid: "0"
    fsuid: "0"
    gid: "0"
    sgid: "0"
    suid: "0"
    uid: "0"
  names:
    egid: root
    euid: root
    fsgid: root
    fsuid: root
    gid: root
    sgid: root
    suid: root
    uid: root
  selinux:
    domain: init_t
    level: s0
    role: system_r
    user: system_u
process:
  pid: "769"
  ppid: "1"
  title: (ostnamed)
  name: (ostnamed)
  exe: /usr/lib/systemd/systemd
data:
  a0: "40000000"
  a1: 7fffd2436fb0
  a2: "40000040"
  a3: "22"
  arch: x86_64
  entries: "0"
  exit: "0"
  family: "2"
  syscall: unshare
  table: filter
  tty: (none)
ecs:
  event:
    category:
    - process
    type:
    - info
```
As you can see in the `data` section of the output, there is no second entry for the second event with "family 10". Shouldn't that be part of the output, similar to your example with the list entries for type `PATH`?
Thank you and regards.
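As an added illustration (not code from go-libaudit or from the reporter), the Go snippet below parses the event above with a hypothetical minimal parser and contrasts a flat, first-key-wins coalescing, which drops the second `family` value exactly as the reported output does, with a per-record-type list that keeps both NETFILTER_CFG records. `ParseEvent`, `CoalesceFlat` and `CoalesceByType` are names chosen for this example; the sample log is constructed from the report with the SYSCALL line shortened.

```go
package main

import "strings"

// Constructed sample: the four records of event sequence 31 from the report,
// with the SYSCALL line shortened to the fields this example needs.
const sampleLog = `type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1593786232.477:31): table=filter family=10 entries=0
type=SYSCALL msg=audit(1593786232.477:31): syscall=272 success=yes exit=0 pid=769 comm="(ostnamed)"
type=PROCTITLE msg=audit(1593786232.477:31): proctitle="(ostnamed)"`
// ParseEvent is a hypothetical minimal parser (not go-libaudit's): each line becomes
// a key=value map with the record type under "type"; quoted values with spaces are not handled.
func ParseEvent(raw string) []map[string]string {
	var recs []map[string]string
	for _, line := range strings.Split(raw, "\n") {
		if !strings.HasPrefix(line, "type=") {
			continue // not an audit record
		}
		r := map[string]string{}
		for _, kv := range strings.Fields(line) {
			if i := strings.IndexByte(kv, '='); i > 0 {
				r[kv[:i]] = strings.Trim(kv[i+1:], `"`)
			}
		}
		recs = append(recs, r)
	}
	return recs
}
// CoalesceFlat reproduces the reported shape: one flat "data" map where the first
// value per key wins, so family=10 from the second NETFILTER_CFG record is lost.
func CoalesceFlat(recs []map[string]string) map[string]string {
	data := map[string]string{}
	for _, r := range recs {
		for k, v := range r {
			if _, seen := data[k]; !seen {
				data[k] = v
			}
		}
	}
	return data
}
// CoalesceByType keeps every record of a repeated type as a list entry, the way
// PATH records are listed, so both family values survive for downstream rules.
func CoalesceByType(recs []map[string]string) map[string][]map[string]string {
	out := map[string][]map[string]string{}
	for _, r := range recs {
		out[r["type"]] = append(out[r["type"]], r)
	}
	return out
}
```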