### Future tls_psk_clients File Format Example

Source: https://github.com/linux-audit/audit-userspace/wiki/TLS-Phase-0-Details

Shows a potential future format for a `tls-psk-clients` file that lists PSK identities with their status and notes.

```text
# /etc/audit/tls-psk-clients
# identity   status    notes
host-1234    enabled   prod web host
host-5678    disabled  retired
```

--------------------------------

### Future tls_allowed_clients with Key ID Example

Source: https://github.com/linux-audit/audit-userspace/wiki/TLS-Phase-0-Details

Presents a future format for `tls_allowed_clients` that adds a key identifier column managed by a lifecycle utility.

```text
# identity   status    key-id             notes
host-1234    enabled   key-host-1234-v3   prod
```

--------------------------------

### Future PSK Storage Path Example

Source: https://github.com/linux-audit/audit-userspace/wiki/TLS-Phase-0-Details

Illustrates a possible future file path structure for storing per-sender PSK material, using encoded or hashed identities.

```text
/etc/audit/tls-psk-store/.psk
```

--------------------------------

### Linux Kernel Coding Style Example

Source: https://github.com/linux-audit/audit-userspace/blob/master/AGENTS.md

Illustrates the Linux Kernel coding style, emphasizing tab indentation, line length limits, brace placement, and commenting conventions for functions and variables.

```text
So, if you would like to test it and report issues or even contribute code
feel free to do so. But please discuss the contribution first to ensure
that it's acceptable. This project uses the Linux Kernel Style Guideline.
Please follow it if you wish to contribute. In practice this means:

- Indent with tabs - not spaces.
- Keep lines within ~80 columns.
- Place braces and other formatting as in the kernel style. However, if
  the basic block is a 1 liner, do not use curly braces for it.
- Add a comment before any new function describing it, input variables,
  and return codes.
- Comments within a function may be C++ style.
- Do not do any whitespace adjustment of existing code.
- Keep existing function and variable names.
```

--------------------------------

### Configure and Compile Linux Audit

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Commands to configure, compile, and install the Linux Audit userspace components from the repository. Ensure all build-time dependencies are met before execution.

```bash
cd audit
autoreconf -f --install
./configure --with-python3=yes --enable-gssapi-krb5=yes --with-arm \
    --with-aarch64 --with-libcap-ng=yes --without-golang --with-io_uring
make
make install
```

--------------------------------

### Summarize Syscall Events by Key

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Generate a summary of syscall events, grouped and counted by their associated key. `--start today` sets the time frame, `--key` indicates grouping by key, and `--summary` provides the summarized output.

```bash
aureport --start today --key --summary
```

--------------------------------

### Generate Today's File Access Summary

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Summarize all file access events that occurred today. `--start today` sets the time frame, `--file` filters for file-related events, and `--summary` provides a summarized view.

```bash
aureport --start today --file --summary
```

--------------------------------

### Generate Monthly Summary Report

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Create a summary report of all audit events for the current month. `--start this-month` sets the time range, and `--summary` requests a summarized output.
```bash
aureport --start this-month --summary
```

--------------------------------

### MAN(3) Style Guide for Glibc

Source: https://github.com/linux-audit/audit-userspace/blob/master/AGENTS.md

Specifies the glibc style for man(3) pages, including bolding for headers and function prototypes, and underlining for function arguments in the SYNOPSIS and DESCRIPTION sections.

```text
In SYNOPSIS, the header file is bold. Function prototype is bold, but its
arguments are not bold, they are underlined. The arguments in DESCRIPTION
are also underlined.
```

--------------------------------

### Search for Shadow File Events Today

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

This command searches for any events related to the 'shadow' file that occurred today. `--start today` sets the time frame, and `-f shadow` specifies the file name. `-i` interprets numeric IDs.

```bash
ausearch --start today -f shadow -i
```

--------------------------------

### Report Account Modifications This Month

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

List all account modification events that occurred this month. `--start this-month` sets the time range, `--mods` filters for modification events, and `-i` interprets numeric IDs.

```bash
aureport --start this-month --mods -i
```

--------------------------------

### Summarize Files Accessed by Program Name

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Get a summary of files accessed by a specific program (e.g., 'vi') this week. `ausearch -x vi --raw` outputs raw events for the program, piped to `aureport --file --summary` for file access summarization.
```bash
ausearch --start this-week -x vi --raw | aureport --file --summary
```

--------------------------------

### Summarize Files Accessed by User ID Today

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Combine ausearch and aureport to get a summary of files accessed by a specific user ID (1000) today. `ausearch --auid 1000 --raw` outputs raw events for the user, piped to `aureport --file --summary` for file access summarization.

```bash
ausearch --start today --auid 1000 --raw | aureport --file --summary
```

--------------------------------

### Build and Configure Audit Userspace Tools

Source: https://github.com/linux-audit/audit-userspace/blob/master/AGENTS.md

Bootstrap and configure the build process for the audit-userspace project. Ensure Python 3 and GSSAPI/Kerberos support are enabled, and specify architecture and library options.

```bash
cd audit-userspace
autoreconf -f --install
./configure --with-python3=yes --enable-gssapi-krb5=yes --with-arm \
    --with-aarch64 --with-libcap-ng=yes --without-golang \
    --enable-experimental --with-io_uring
make
```

--------------------------------

### Legacy Audit Daemon Signal Handling Scripts

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

These scripts, located in /usr/libexec/initscripts/legacy-actions/, are wrappers for 'auditctl --signal' and are necessary for sending signals to the audit daemon in the user's login context, preserving audit trail integrity.

```shell
/usr/libexec/initscripts/legacy-actions/
```

--------------------------------

### Phase 0 tls_allowed_clients File Format

Source: https://github.com/linux-audit/audit-userspace/wiki/TLS-Phase-0-Details

Defines the format for the `tls_allowed_clients` file, specifying columns for identity, status, and notes. Blank lines and comments are ignored.
```text
# identity   status    notes
host-1234    enabled   prod web host
host-5678    disabled  retired
```

--------------------------------

### Run Self-Tests for Audit Userspace

Source: https://github.com/linux-audit/audit-userspace/blob/master/AGENTS.md

Execute the package's self-tests using 'make check' after compilation. This typically uses the uninstalled binaries to verify functionality.

```text
2. Type 'make' to compile the package.
3. Optionally, type 'make check' to run any self-tests that come with
   the package, generally using the just-built uninstalled binaries.
```

--------------------------------

### Generate Syscall Table with Python

Source: https://github.com/linux-audit/audit-userspace/blob/master/lib/syscall-update.txt

This Python script uses the 'system-calls' package to generate a syscall table for a specified architecture. It handles unsupported syscalls and checks for duplicate numbers.

```python
#!/usr/bin/python3
import system_calls
import sys

# Target architecture; change "riscv64" to regenerate another table.
syscalls = system_calls.syscalls()
table = {}
for syscall_name in syscalls.names():
    num = None
    try:
        num = syscalls.get(syscall_name, "riscv64")
    except system_calls.NotSupportedSystemCall:
        # Syscall does not exist on this architecture; skip it.
        pass
    if num is not None:
        if num in table:
            # Two names mapping to one number means a broken table.
            print("This is bad!")
            sys.exit(1)
        table[num] = syscall_name

# Emit _S(number, "name") entries in numeric order, matching the
# per-architecture *_table.h files.
for key, value in sorted(table.items(), key=lambda item: int(item[0])):
    print("_S({}, \"{}\")".format(key, value))
```

--------------------------------

### Phase 0 TLS Handshake Flow with PSK Callback

Source: https://github.com/linux-audit/audit-userspace/wiki/TLS-Phase-0-Details

Illustrates the decision process within the auditd server-side PSK callback for Phase 0, including identity validation and PSK retrieval.
```text
identity = identity supplied to the OpenSSL server PSK callback

if identity is empty, malformed, unknown, or disabled:
    record failure reason
    fail the handshake

if using the Phase 0 single tls_psk_file prototype:
    if tls_allowed_clients has more than one enabled identity:
        fail configuration load
    psk = contents of tls_psk_file
else:
    psk = lookup identity in the future tls_psk_store

if psk lookup fails:
    record failure reason
    fail the handshake

create the SSL_SESSION or PSK result for OpenSSL using psk
OpenSSL verifies the binder and finishes or rejects the handshake
```

--------------------------------

### CI Build and Test Commands for Audit Userspace

Source: https://github.com/linux-audit/audit-userspace/blob/master/AGENTS.md

Commands used in a CI workflow to build and run tests for the audit-userspace project. Utilizes 'autoreconf', 'configure', 'make', and 'make check' with parallel build options.

```yaml
- name: Build
  run: |
    autoreconf -f --install
    ./configure --with-python3=yes --enable-gssapi-krb5=yes \
        --with-arm --with-aarch64 --with-libcap-ng=yes \
        --without-golang --enable-zos-remote \
        --enable-experimental --with-io_uring
    make -j$(nproc)
- name: Run tests
  run: make check
```

--------------------------------

### Search for Failed Open Events by User ID

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Find failed 'open' syscall events for a specific user ID (1000). Use `-m PATH` for file-related events, `--success no` for failures, `--syscall open` to filter by the open syscall, and `--loginuid 1000` for the user ID. `-i` interprets numeric IDs.

```bash
ausearch -m PATH --success no --syscall open --loginuid 1000 -i
```

--------------------------------

### Check Audit System Status

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Use `auditctl -s` to view basic performance metrics like kernel backlog size, current backlog, and lost events. Adjust backlog size based on auditing needs; 8k or larger is recommended for heavy auditing, while 256 may suffice for casual SELinux event collection.

```bash
auditctl -s
```

--------------------------------

### Summarize Programs by Unsuccessful Access Key

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Summarize programs associated with the 'unsuccessful-access' key this month. `ausearch --key unsuccessful-access --raw` outputs raw events for the key, piped to `aureport -x --summary -i` to summarize programs and interpret IDs.

```bash
ausearch --start this-month --key unsuccessful-access --raw | aureport -x --summary -i
```

--------------------------------

### Report Hosts User Logged In From

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Identify the hosts from which users logged in this week. `ausearch -m user_login --raw` outputs raw user login events, piped to `aureport --host --summary` to summarize by host.

```bash
ausearch --start this-week -m user_login --raw | aureport --host --summary
```

--------------------------------

### Extract Syscalls using sed and awk (4.19+ Kernels)

Source: https://github.com/linux-audit/audit-userspace/blob/master/lib/syscall-update.txt

This command extracts syscalls from unistd.h for newer kernels (4.19+). Manual editing is still necessary.

```bash
cat unistd.h | grep '^#define __NR_' | sed 's/__NR_//g' | \
    awk '{ printf "_S(%s, \"%s\")\n", $3, $2 }; '
```

--------------------------------

### Extract Syscalls using awk

Source: https://github.com/linux-audit/audit-userspace/blob/master/lib/syscall-update.txt

Use this command to extract syscall information from unistd.h for older kernels. It requires manual editing afterward.
```bash
cat unistd.h | grep '^#define __NR_' | tr -d ')' | tr 'NR+' ' ' | \
    awk '{ printf "_S(%s, \"%s\")\n", $6, $3 }; '
```

--------------------------------

### Report Log File Time Ranges

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Display a report of all log files and the time ranges they cover. The `-t` option specifically requests this information.

```bash
aureport -t
```

--------------------------------

### Output Audit Events as Simple Sentences

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Use the `--format text` option with ausearch to convert audit events into human-readable sentences describing the event. This can help in understanding event meanings, though new events may not always have a mapping.

```bash
ausearch --format text
```

--------------------------------

### Search for Failed Logins

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Use ausearch to find all failed user login events. The `-m USER_LOGIN` flag specifies the message type, and `--success no` filters for unsuccessful attempts. The `-i` flag interprets numeric IDs into text.

```bash
ausearch -m USER_LOGIN --success no -i
```

--------------------------------

### Audit Rule File Organization

Source: https://github.com/linux-audit/audit-userspace/blob/master/AGENTS.md

Describes the organization of audit rule files intended for 'augenrules'. Files are grouped by numerical prefixes (10-90) to ensure a specific processing order, from kernel configuration to finalization.

```text
This group of rules is meant to be used with the augenrules program.
The augenrules program expects rules to be located in /etc/audit/rules.d/
The rules will get processed in a specific order based on their natural
sort order.

To make things easier to use, the files in this directory are organized
into groups with the following meanings:

10 - Kernel and auditctl configuration
20 - Rules that could match general rules but we want a different match
30 - Main rules
40 - Optional rules
50 - Server Specific rules
70 - System local rules
90 - Finalize (immutable)
```

--------------------------------

### Monitor Auditd Daemon State

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Check the `auditd` daemon's internal metrics by running `auditctl --signal state` or by examining the `/run/audit/auditd.state` file. This provides details on log sizes, partition space, plugin queue depth, and memory usage. For continuous updates, configure `report_interval` in `auditd.conf` (requires audit-4.0.5 or later).

```bash
auditctl --signal state
```

```text
audit version = 4.0.5
current time = 06/02/25 20:21:31
process priority = -4
writing to logs = yes
current log size = 2423 KiB
max log size = 8192 KiB
logs detected last rotate/shift = 0
space left on partition = yes
Logging partition free space 45565 MiB
space_left setting 75 MiB
admin_space_left setting 50 MiB
logging suspended = no
file system space action performed = no
admin space action performed = no
disk error detected = no
Number of active plugins = 1
current plugin queue depth = 0
max plugin queue depth used = 5
plugin queue size = 2000
plugin queue overflow detected = no
plugin queueing suspended = no
listening for network connections = no
glibc arena (total memory) is: 388 KiB, was: 388 KiB
glibc uordblks (in use memory) is: 92 KiB, was: 90 KiB
glibc fordblks (total free space) is: 295 KiB, was: 297 KiB
```

--------------------------------

### Audit Event Preamble Structure

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

All audit events begin with a standard preamble that includes the record type, timestamp, and serial number. This structure is consistent across different event types.
```text
type= msg=audit(1679598373.352:1256072):
```

--------------------------------

### Field Comparison with Raw String

Source: https://github.com/linux-audit/audit-userspace/blob/master/auparse/expression-design.txt

Use 'r=' or 'r!=' to compare the raw string of a field. This is useful for exact string matching as stored in the audit record. The comparison is false if the field is not present, so the disjunction below is true exactly when the field is present.

```audit
(field r= "") || (field r!= "")
```

--------------------------------

### Virtual Field Timestamp Comparison

Source: https://github.com/linux-audit/audit-userspace/blob/master/auparse/expression-design.txt

Compare the event's timestamp using the \timestamp virtual field. The value must be in 'ts:seconds.milli' format.

```audit
\timestamp = "ts:1678886400.123"
```

--------------------------------

### Field Comparison with Value

Source: https://github.com/linux-audit/audit-userspace/blob/master/auparse/expression-design.txt

Use comparison operators like '<', '<=', '==', '>', '>=', '!==' to compare the 'value' of a field. Note that 'value' is not currently defined for audit record fields. An error is reported if a field does not define a 'value'.

```audit
field == 10
```

--------------------------------

### Output Audit Events in CSV Format

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

Use the `--format csv` option with ausearch to output audit events in a comma-separated value format, suitable for data analysis in tools like Excel or pandas. This normalizes the event data.

```bash
ausearch --format csv
```

--------------------------------

### Audit Rule File Numbering Convention

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

The leading number in audit rule filenames indicates their suggested order of processing. This convention helps in organizing rules for the augenrules program.

```text
10 - Kernel and auditctl configuration
20 - Rules that could match general rules - but we want a different match (override)
30 - Main rules
40 - Optional rules
50 - Server Specific rules
70 - System local rules
90 - Finalize (immutable)
```

--------------------------------

### Field Comparison with Interpreted String

Source: https://github.com/linux-audit/audit-userspace/blob/master/auparse/expression-design.txt

Use 'i=' or 'i!=' to compare the interpreted string of a field. This provides a user-readable interpretation of the field value. The comparison is false if the field is not present or does not define an interpreted string.

```audit
field i= "some_value"
```

--------------------------------

### Preventing Manual Audit Daemon Stops

Source: https://github.com/linux-audit/audit-userspace/blob/master/README.md

This setting in the auditd service file prevents systemctl from stopping the audit system, ensuring compliance with security standards that require monitoring audit trail configuration.

```shell
RefuseManualStop=yes
```

--------------------------------

### Virtual Field Record Type Comparison

Source: https://github.com/linux-audit/audit-userspace/blob/master/auparse/expression-design.txt

Filter events based on their record type using the \record_type virtual field. The value can be the record type name or its decimal representation.

```audit
\record_type = "SYSCALL"
```

--------------------------------

### Negating a Field Presence Check

Source: https://github.com/linux-audit/audit-userspace/blob/master/auparse/expression-design.txt

This expression is true if the specified field is NOT present in the audit record. It applies logical NOT to the whole presence check built from the two raw string comparisons; the outer parentheses are required, otherwise the NOT would bind only to the first comparison and the expression would also be true for any present, non-empty field.

```audit
!((field r= "") || (field r!= ""))
```