Supraudit JSON output malformed?

PostPosted: Mon May 14, 2018 8:11 pm
by scheb
I'm trying to output network audit entries using supraudit and my tools are choking on the JSON output that is produced. The JSON being output isn't passing the lint test and I believe it's due to the insertion of the IP info.

example command: supraudit -J -F net /var/audit/current

example result:
{ "timestamp" : "1526327014.081", "procName" : "Microsoft", "pid" : 10963, "uid" : 501 , "eventType" : "connect" , "fd" : 16, INET4 X.X.X.X:443 "retVal" : -1, "error" : "Operation now in progress" }

I think a comma needs to be added after the address and wrap and split the family and address:port in quotes.

FROM: "fd" : 16, INET4 X.X.X.X:443 "retVal" : -1

TO: "fd" : 16, "INET4":"X.X.X.X:443", "retVal" : -1

Thoughts?

Re: Supraudit JSON output malformed?

PostPosted: Mon May 14, 2018 11:50 pm
by morpheus
Thank you for letting me know! It's a minor bug, with a quick fix. Try the attached. (I'll admit I'm not a fan of JSON, so that output hasn't been rigorously tested).

And thanks for using my tools! If you have any other ideas for improvements, let me know!

** EDIT ** Added a fix. Saw the missing comma and added it. Then saw your reply :-) But I also forgot about INET6. Now fixed that too. AND put in a new feature from the Pro version that you might want to try :-)

Re: Supraudit JSON output malformed?

PostPosted: Tue May 15, 2018 2:18 am
by scheb
Almost there!

Still need a comma after the "INET4":"X.X.X.X:443",

Also need to wrap the INET6 family in quotes and the comma - "INET6" : "fe80::46a:dc7c:d5ae:f72d",

and then I think it will pass lint!

Thanks!

Re: Supraudit JSON output malformed?

PostPosted: Wed May 16, 2018 4:13 pm
by scheb
morpheus wrote:Thank you for letting me know! It's a minor bug, with a quick fix. Try the attached. (I'll admit I'm not a fan of JSON, so that output hasn't been rigorously tested).

And thanks for using my tools! If you have any other ideas for improvements, let me know!

** EDIT ** Added a fix. Saw the missing comma and added it. Then saw your reply :-) But I also forgot about INET6. Now fixed that too. AND put in a new feature from the Pro version that you might want to try :-)


One more thing... we need to trim the trailing comma (after the last event) at the end of the JSON:

{ "events" : [
{ "event" },
{ "event" },
{ "event" },
]
}

Also went ahead and tested all three filters and the un-filtered output - without the trailing comma, the filtered outputs all pass lint. But I found some more bugs in the un-filtered output:

Same issue as INET4 (wrap socket label and socket value in quotes and add comma)
{
"timestamp": "1526483136.990",
"procName": "Enterprise",
"pid": 950,
"uid": 501,
"eventType": "connect",
"fd": 9,
"socket": "/var/run / mDNSResponder", "retVal": 0
},

Duplicate label names - name
{
"timestamp": "1526483133.651",
"procName": "sysmond",
"pid": 273,
"uid": 0,
"eventType": "sysctl (non admin)",
"name": 1,
"name": 49,
"name": 13415,
"retVal": 0
},

Duplicate label names - cmd and arg
{
"timestamp": "1526483133.652",
"procName": "",
"pid": 44192,
"uid": 0,
"eventType": "ioctl",
"fd": 3,
"cmd": "0x80086804",
"cmd": 2148034564,
"arg": "0x7ffee81bd268",
"arg": 140732792558184,
"path": "/dev/dtracehelper",
"retVal": -1,
"error": "Permission denied"
},

Duplicate label names - addr
{
"timestamp": "1526483133.652",
"procName": "",
"pid": 44192,
"uid": 0,
"eventType": "mprotect",
"addr": "0x107a50000",
"addr": 4423221248,
"len": 4096,
"protection": 0,
"retVal": 0
},

Duplicate label names - cmd
{
"timestamp": "1526483133.652",
"procName": "VShieldScanner",
"pid": 705,
"uid": 0,
"eventType": "fcntl",
"fd": 19,
"cmd": "0x4",
"cmd": 4,
"fd flags": 0,
"retVal": 0
},

Thank you so much for your quick responses!

I tried out the new feature but I didn't see it logging - running as root: supraudit -L /var/audit/current - getting nothing but a bunch of opendirectoryd messages in console.app (enabled info/debug messages).

info 10:55:52.803849 -0500 opendirectoryd UID: 0, EUID: 0, GID: 0, EGID: 0
info 10:55:52.803892 -0500 opendirectoryd RPC: getpwuid, Module: SystemCache, rpc_version: 2, uid: 4294967295
info 10:55:52.804022 -0500 opendirectoryd an error of 2 'record not found' occurred
default 10:55:52.804081 -0500 opendirectoryd getpwuid failed with result Not Found
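The duplicate "cmd"/"arg"/"addr" labels and the trailing comma reported in this post are worth catching before an audit feed reaches a SIEM, because a standard JSON parser does not reject repeated keys: it silently keeps the last value, so the hex form of cmd/arg is dropped without any error. The following validator is an added example written for this thread, not part of supraudit or the author's tools. It assumes nothing about supraudit beyond the record shapes quoted above; the two sample inputs are constructed to mirror those records (the IP address is a documentation address, not one from the thread).

```python
import json
import re
from collections import Counter

# Constructed sample modelled on the duplicate-key ioctl record quoted in
# this thread (not real supraudit output).
SAMPLE_DUPLICATE_KEYS = """{
"timestamp": "1526483133.652",
"procName": "",
"pid": 44192,
"uid": 0,
"eventType": "ioctl",
"fd": 3,
"cmd": "0x80086804",
"cmd": 2148034564,
"arg": "0x7ffee81bd268",
"arg": 140732792558184,
"path": "/dev/dtracehelper",
"retVal": -1,
"error": "Permission denied"
}"""

# Constructed sample of the trailing-comma problem after the last event.
SAMPLE_TRAILING_COMMA = """{ "events" : [
{ "timestamp" : "1526327014.081", "eventType" : "connect", "fd" : 16, "INET4" : "192.0.2.10:443", "retVal" : -1 },
]
}"""


def _reject_duplicates(pairs):
    """object_pairs_hook that fails loudly on a repeated key.

    json.loads() alone would keep only the last value, so an analyst would
    see cmd == 2148034564 and never learn that the hex form was discarded.
    """
    counts = Counter(key for key, _ in pairs)
    dups = sorted(key for key, n in counts.items() if n > 1)
    if dups:
        raise ValueError("duplicate keys: " + ", ".join(dups))
    return dict(pairs)


def _rename_duplicates(pairs):
    """object_pairs_hook that keeps every value: the second occurrence of
    "cmd" becomes "cmd_2", the third "cmd_3", and so on."""
    seen = Counter()
    out = {}
    for key, value in pairs:
        seen[key] += 1
        out[key if seen[key] == 1 else f"{key}_{seen[key]}"] = value
    return out


def validate_audit_json(text):
    """Return a list of problems found in text; an empty list means the
    document parsed and no object repeated a key."""
    problems = []
    try:
        json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        problems.append(str(exc))
    return problems


def strip_trailing_commas(text):
    """Remove a comma that directly precedes ']' or '}' while leaving string
    literals untouched. The alternation matches a complete JSON string first,
    so a ',]' inside a path or error message is never touched."""
    pattern = re.compile(r'"(?:\\.|[^"\\])*"|,(\s*[\]}])')
    return pattern.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else m.group(1),
        text,
    )


def load_keeping_duplicates(text):
    """Parse a record whose producer cannot be fixed yet, preserving every
    value of a repeated key under a suffixed name instead of losing it."""
    return json.loads(text, object_pairs_hook=_rename_duplicates)


if __name__ == "__main__":
    print(validate_audit_json(SAMPLE_DUPLICATE_KEYS))
    print(validate_audit_json(SAMPLE_TRAILING_COMMA))
    print(validate_audit_json(strip_trailing_commas(SAMPLE_TRAILING_COMMA)))
    print(load_keeping_duplicates(SAMPLE_DUPLICATE_KEYS))
```

Run it over a captured supraudit -J file to get a list of problems per document; the rename hook is the fallback for ingesting records from a build that still emits duplicate labels, since it preserves both the hex and decimal forms rather than the last one only.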

Re: Supraudit JSON output malformed?

PostPosted: Thu May 17, 2018 12:10 pm
by morpheus
I'll fix that soon. As for -L, I made a booboo - it logs to os_log in that version (try /usr/bin/log stream) since syslog now redirects to os_log. I'll upload one that can do full syslog soon.

Re: Supraudit JSON output malformed?

PostPosted: Mon May 21, 2018 8:22 pm
by scheb
morpheus wrote:I'll fix that soon. As for -L, I made a booboo - it logs to os_log in that version (try /usr/bin/log stream) since syslog now redirects to os_log. I'll upload one that can do full syslog soon.


Running (as root) supraudit -L /var/audit/current, then log stream --last 2m shows me:

2018-05-21 14:55:37.744893-0500 0x1d14e Activity 0x20a2d 122 0 opendirectoryd: (SystemCache) Async refresh POSIX-related details for cache entry
2018-05-21 14:55:37.745061-0500 0x1d161 Default 0x20a32 122 0 opendirectoryd: [com.apple.opendirectoryd:session] getpwuid failed with result Not Found
2018-05-21 14:55:37.748772-0500 0x1d214 Activity 0x20a33 8712 0 supraudit: (libsystem_info.dylib) Retrieve User by ID

Same as with supraudit -L /dev/auditpipe.

What am I missing?

Re: Supraudit JSON output malformed?

PostPosted: Tue May 22, 2018 4:11 am
by morpheus
Weird. I can't replicate this. Maybe your syslog config suppresses output? With log stream you should be able to see this. Also make sure -L -S (for supraudit format)

Attached is a build which validates with json_pp, per your earlier comments.

Re: Supraudit JSON output malformed?

PostPosted: Tue May 22, 2018 4:28 pm
by scheb
morpheus wrote:Weird. I can't replicate this. Maybe your syslog config suppresses output? With log stream you should be able to see this. Also make sure -L -S (for supraudit format)

Attached is a build which validates with json_pp, per your earlier comments.


With the latest build, the trailing comma is gone, but we have another problem. :cry: Using the -F switch now results in a bunch of empty entries where the content has been filtered.

Example: supraudit -J -F net /var/audit/current returns something like the following
 { "events" : [
,
,
,
,
,
,
{ "timestamp" : "1527004330.396", "procName" : "mDNSResponder", "pid" : 252,  "uid" :  65 , "eventType" : "sendto" ,  "fd" : 7, "INET4" : "224.0.0.251:5353",  "retVal" : 137 },
,
,
,
,
,
{ "timestamp" : "1527004332.803", "procName" : "netbiosd", "pid" : 20185,  "uid" : 222 , "eventType" : "recvmsg" ,  "fd" : 3, "INET4" : "10.53.129.51:137",  "retVal" : 50 }]
}


On the flip side, supraudit -L -S /var/audit/current works great! Even with the May 14 build, I can see log entries in unified logging, so os_log is working after all, as long as -S is included.

Thanks!

Re: Supraudit JSON output malformed?

PostPosted: Wed May 23, 2018 2:56 am
by morpheus
oopsie. Fixed those -F bugs.

Re: Supraudit JSON output malformed?

PostPosted: Fri May 25, 2018 6:09 pm
by scheb
morpheus wrote:oopsie. Fixed those -F bugs.


Wow - we are so close! In testing the latest build, I stumbled upon one more:

{
"timestamp": "1527268309.522",
"procName": "Microsoft",
"pid": 48013,
"uid": 501,
"eventType": "ioctl",
"cmd": "0xc0407398",
"arg": "0x70000fb154f0",
"INET":"10.53 .129 .50: -6639 - > 13.107 .6 .151: 443", "retVal": 0
}

There's also some odd stdout output that is being inserted randomly. Is this happening because the audit log file is rolling?
1527268326.706| WARNING |00000/000|AUE_AUDIT detected - someone could be trying to shutdown auditing
AUT_SUBJECT32_EX

Any way to suppress them when using JSON output?

Thanks!