Create auditd-user_and_cred.xml

2025-11-02 04:43:15 +00:00 · 2022-12-29 10:45:00 -06:00
parent a4fcfd5822
commit aec30d7a32
1 changed files with 52 additions and 0 deletions
--- a/Auditd/decoders/auditd-user_and_cred.xml
+++ b/Auditd/decoders/auditd-user_and_cred.xml
@@ -0,0 +1,52 @@
+<decoder name="auditd-user_and_cred">
+  <prematch>^type=</prematch>
+</decoder>
+
+<!--
+type=USER_ACCT msg=audit(1480087217.108:6042): pid=6013 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.100 addr=10.10.10.100 terminal=ssh res=success'
+
+type=CRED_ACQ msg=audit(1480087217.108:6043): pid=6013 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.100 addr=10.10.10.100 terminal=ssh res=success'
+-->
+
+<decoder name="auditd-user_and_cred">
+  <parent>auditd-user_and_cred</parent>
+  <prematch offset="after_parent">^USER_ACCT |^CRED_ACQ |^USER_START |^CRED_REFR|^CRYPTO_KEY_USER|^CRYPTO_SESSION |^USER_AUTH |^USER_ROLE_CHANGE|^SERVICE_STOP </prematch>
+  <regex offset="after_parent">^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
+  <order>audit.type,audit.id</order>
+</decoder>
+
+<decoder name="auditd-user_and_cred">
+  <parent>auditd-user_and_cred</parent>
+  <regex offset="after_regex">^pid=(\S+) uid=(\S+) auid=(\S+) ses=(\S+)</regex>
+  <order>audit.pid,audit.uid,audit.auid,audit.session</order>
+</decoder>
+
+<decoder name="auditd-user_and_cred">
+  <parent>auditd-user_and_cred</parent>
+  <regex offset="after_regex">subj=(\S+)</regex>
+  <order>audit.subj</order>
+</decoder>
+
+<decoder name="auditd-user_and_cred">
+  <parent>auditd-user_and_cred</parent>
+  <regex offset="after_regex">acct="(\S+)"</regex>
+  <order>audit.acct</order>
+</decoder>
+
+<decoder name="auditd-user_and_cred">
+  <parent>auditd-user_and_cred</parent>
+  <regex offset="after_regex">unit=(\S+)</regex>
+  <order>audit.unit</order>
+</decoder>
+
+<decoder name="auditd-user_and_cred">
+  <parent>auditd-user_and_cred</parent>
+  <regex offset="after_regex">exe="(\S+)"</regex>
+  <order>audit.exe</order>
+</decoder>
+
+<decoder name="auditd-user_and_cred">
+  <parent>auditd-user_and_cred</parent>
+  <regex offset="after_regex">addr=(\S+)</regex>
+  <order>srcip</order>
+</decoder>