https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi, I was looking at user_events on linux when an ...
# linux
p
Hi, I was looking at user_events on linux when an ssh login fails. It looks like the message field truncates anything after the first space. Thoughts? (will post details in thread)
results log: ```
Copy code
[
  {
    "name": "all_user_events",
    "hostIdentifier": "ubuntu",
    "calendarTime": "Wed Aug 21 15:13:09 2019 UTC",
    "unixTime": "1566400389",
    "epoch": 0,
    "counter": 0,
    "log_type": "result",
    "columns": {
      "address": "127.0.0.1",
      "auid": "4294967295",
      "message": "op=login",
      "path": "/usr/sbin/sshd",
      "pid": "97970",
      "terminal": "sshd",
      "time": "",
      "type": "1112",
      "uid": "0",
      "uptime": "49515"
    },
    "action": "added"
  },
  {
    "name": "all_user_events",
    "hostIdentifier": "ubuntu",
    "calendarTime": "Wed Aug 21 15:13:09 2019 UTC",
    "unixTime": "1566400389",
    "epoch": 0,
    "counter": 0,
    "log_type": "result",
    "columns": {
      "address": "127.0.0.1",
      "auid": "4294967295",
      "message": "op=PAM:authentication",
      "path": "/usr/sbin/sshd",
      "pid": "97970",
      "terminal": "ssh",
      "time": "",
      "type": "1100",
      "uid": "0",
      "uptime": "49515"
    },
    "action": "added"
  },
  {
    "name": "all_user_events",
    "hostIdentifier": "ubuntu",
    "calendarTime": "Wed Aug 21 15:13:09 2019 UTC",
    "unixTime": "1566400389",
    "epoch": 0,
    "counter": 0,
    "log_type": "result",
    "columns": {
      "address": "127.0.0.1",
      "auid": "4294967295",
      "message": "op=login",
      "path": "/usr/sbin/sshd",
      "pid": "97970",
      "terminal": "sshd",
      "time": "",
      "type": "1112",
      "uid": "0",
      "uptime": "49515"
    },
    "action": "added"
  }
]
audit-debug output:
Copy code
1112, audit(1566400374.866:261): pid=97970 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=sshd res=failed'
1300, audit(1566400376.394:262): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fdf339232a0 a2=6e a3=ffffffa9 items=1 ppid=115255 pid=97970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
1306, audit(1566400376.394:262): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1307, audit(1566400376.394:262): cwd="/"
1302, audit(1566400376.394:262): item=0 name="/dev/log" inode=295 dev=00:17 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
1327, audit(1566400376.394:262): proctitle=2F7573722F7362696E2F73736864002D44002D52
1320, audit(1566400376.394:262): 
1300, audit(1566400378.206:263): arch=c000003e syscall=49 success=yes exit=0 a0=9 a1=7ffcb2d76808 a2=c a3=1d items=0 ppid=115255 pid=97970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
1306, audit(1566400378.206:263): saddr=100000000000000000000000
1327, audit(1566400378.206:263): proctitle=2F7573722F7362696E2F73736864002D44002D52
1320, audit(1566400378.206:263): 
1100, audit(1566400378.206:264): pid=97970 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=failed'
1112, audit(1566400378.206:265): pid=97970 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=sshd res=failed'
1300, audit(1566400380.354:266): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fdf339232a0 a2=6e a3=ffffffb4 items=1 ppid=115255 pid=97970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
1306, audit(1566400380.354:266): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1307, audit(1566400380.354:266): cwd="/"
1302, audit(1566400380.354:266): item=0 name="/dev/log" inode=295 dev=00:17 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
1327, audit(1566400380.354:266): proctitle=2F7573722F7362696E2F73736864002D44002D52
5 Views
Open in Slack
PreviousNext
Powered by