Supraudit JSON output malformed?

Postby scheb » Mon May 14, 2018 8:11 pm

I'm trying to output network audit entries using supraudit and my tools are choking on the JSON output that is produced. The JSON being output isn't passing the lint test and I believe it's due to the insertion of the IP info.

example command: supraudit -J -F net /var/audit/current

example result:
{ "timestamp" : "1526327014.081", "procName" : "Microsoft", "pid" : 10963, "uid" : 501 , "eventType" : "connect" , "fd" : 16, INET4 X.X.X.X:443 "retVal" : -1, "error" : "Operation now in progress" }

I think a comma needs to be added after the address and wrap and split the family and address:port in quotes.

FROM: "fd" : 16, INET4 X.X.X.X:443 "retVal" : -1

TO: "fd" : 16, "INET4":"X.X.X.X:443", "retVal" : -1

Thoughts?
scheb
 
Posts: 7
Joined: Mon May 14, 2018 7:48 pm

Re: Supraudit JSON output malformed?

Postby morpheus » Mon May 14, 2018 11:50 pm

Thank you for letting me know! It's a minor bug, with a quick fix. Try the attached. (I'll admit I'm not a fan of JSON, so that output hasn't been rigorously tested).

And thanks for using my tools! If you have any other ideas for improvements, let me know!

** EDIT ** Added a fix. Saw the missing comma and added it. Then saw your reply :-) But also forgot about INET6. Now fixed that too. AND, put a new feature from the Pro version, that you might want to try :-)
Attachments
supraudit.tgz
(22.31 KiB) Downloaded 29 times
morpheus
Site Admin
 
Posts: 665
Joined: Thu Apr 11, 2013 6:24 pm

Re: Supraudit JSON output malformed?

Postby scheb » Tue May 15, 2018 2:18 am

Almost there!

Still need a comma after the "INET4":"X.X.X.X:443",

Also need to wrap the INET6 family in quotes and the comma - "INET6" : "fe80::46a:dc7c:d5ae:f72d",

and then I think it will pass lint!

Thanks!
scheb
 
Posts: 7
Joined: Mon May 14, 2018 7:48 pm

Re: Supraudit JSON output malformed?

Postby scheb » Wed May 16, 2018 4:13 pm

morpheus wrote:Thank you for letting me know! It's a minor bug, with a quick fix. Try the attached. (I'll admit I'm not a fan of JSON, so that output hasn't been rigorously tested).

And thanks for using my tools! If you have any other ideas for improvements, let me know!

** EDIT ** Added a fix. Saw the missing comma and added it. Then saw your reply :-) But also forgot about INET6. Now fixed that too. AND, put a new feature from the Pro version, that you might want to try :-)


One more thing... we need to trim the trailing comma (after the last event) at the end of the json:

{ "events" : [
{ "event" },
{ "event" },
{ "event" },
]
}

Also went ahead and tested all three filters and un-filtered output - without the trailing comma, the filtered output all pass lint. But, I found some more bugs in the un-filtered output:

Same issue as INET4 (wrap socket label and socket value in quotes and add comma)
{
"timestamp": "1526483136.990",
"procName": "Enterprise",
"pid": 950,
"uid": 501,
"eventType": "connect",
"fd": 9,
"socket": "/var/run / mDNSResponder", "retVal": 0
},

Duplicate label names - name
{
"timestamp": "1526483133.651",
"procName": "sysmond",
"pid": 273,
"uid": 0,
"eventType": "sysctl (non admin)",
"name": 1,
"name": 49,
"name": 13415,
"retVal": 0
},

Duplicate label names - cmd and arg
{
"timestamp": "1526483133.652",
"procName": "",
"pid": 44192,
"uid": 0,
"eventType": "ioctl",
"fd": 3,
"cmd": "0x80086804",
"cmd": 2148034564,
"arg": "0x7ffee81bd268",
"arg": 140732792558184,
"path": "/dev/dtracehelper",
"retVal": -1,
"error": "Permission denied"
},

Duplicate label names - addr
{
"timestamp": "1526483133.652",
"procName": "",
"pid": 44192,
"uid": 0,
"eventType": "mprotect",
"addr": "0x107a50000",
"addr": 4423221248,
"len": 4096,
"protection": 0,
"retVal": 0
},

Duplicate label names - cmd
{
"timestamp": "1526483133.652",
"procName": "VShieldScanner",
"pid": 705,
"uid": 0,
"eventType": "fcntl",
"fd": 19,
"cmd": "0x4",
"cmd": 4,
"fd flags": 0,
"retVal": 0
},

Thank you so much for your quick responses!

I tried out the new feature but I didn't see it logging - running as root: supraudit -L /var/audit/current - getting nothing but a bunch of opendirectoryd messages in console.app (enabled info/debug messages).

info 10:55:52.803849 -0500 opendirectoryd UID: 0, EUID: 0, GID: 0, EGID: 0
info 10:55:52.803892 -0500 opendirectoryd RPC: getpwuid, Module: SystemCache, rpc_version: 2, uid: 4294967295
info 10:55:52.804022 -0500 opendirectoryd an error of 2 'record not found' occurred
default 10:55:52.804081 -0500 opendirectoryd getpwuid failed with result Not Found
scheb
 
Posts: 7
Joined: Mon May 14, 2018 7:48 pm
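As an added example (not part of this thread or of the supraudit tool), a small Python checker for the defects scheb lists above: syntax errors such as the unquoted INET4 token and the trailing comma, which json.loads rejects with a position, and duplicate keys, which a standard JSON parser accepts silently, keeping only the last value, so the extra "name", "cmd" and "arg" fields would simply vanish from the parsed audit event. The sample inputs are constructed from the output quoted in the thread, with a documentation-range address in place of X.X.X.X.

```python
import json
from typing import Any

# Constructed samples modelled on the output quoted in this thread (addresses/values illustrative).
BROKEN_NET = ('{ "timestamp" : "1526327014.081", "procName" : "Microsoft", "pid" : 10963, "uid" : 501 , '
              '"eventType" : "connect" , "fd" : 16, INET4 192.0.2.10:443 "retVal" : -1, '
              '"error" : "Operation now in progress" }')
TRAILING_COMMA = '{ "events" : [\n{ "eventType" : "connect" },\n{ "eventType" : "sendto" },\n]\n}'
DUP_KEYS = ('{ "events" : [\n'
            '{ "timestamp": "1526483133.651", "procName": "sysmond", "pid": 273, "uid": 0, '
            '"eventType": "sysctl (non admin)", "name": 1, "name": 49, "name": 13415, "retVal": 0 },\n'
            '{ "timestamp": "1526483133.652", "procName": "VShieldScanner", "pid": 705, "uid": 0, '
            '"eventType": "fcntl", "fd": 19, "cmd": "0x4", "cmd": 4, "fd flags": 0, "retVal": 0 }\n'
            ']\n}')


def lint_supraudit_json(text: str) -> list[str]:
    """Return the problems found in a supraudit -J document (empty list means clean).
    Syntax errors (unquoted tokens, missing/trailing commas, empty ',' entries) are rejected
    by json.loads with a position. Duplicate keys are NOT: json.loads keeps the last value
    and drops the rest silently, so they are caught here with object_pairs_hook."""
    problems: list[str] = []
    def check_pairs(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
        obj: dict[str, Any] = {}
        for key, value in pairs:
            if key in obj:
                problems.append(f"duplicate key {key!r}: {obj[key]!r} overwritten by {value!r}")
            obj[key] = value
        return obj
    try:
        json.loads(text, object_pairs_hook=check_pairs)
    except json.JSONDecodeError as err:
        problems.append(f"syntax error at line {err.lineno} col {err.colno}: {err.msg}")
    return problems


def load_events_keep_all(text: str) -> list[dict[str, Any]]:
    """Parse a supraudit -J document without losing data: every value of a repeated key is
    kept, in document order, as a list. Assumes field values are scalars, as in the thread."""
    def merge_pairs(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
        obj: dict[str, Any] = {}
        for key, value in pairs:
            if key in obj:  # second and later occurrences: promote to a list and append
                obj[key] = obj[key] if isinstance(obj[key], list) else [obj[key]]
                obj[key].append(value)
            else:
                obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=merge_pairs)["events"]
```

Run lint_supraudit_json over a whole -J file before feeding it to a SIEM; a clean file returns an empty list, and load_events_keep_all gives you a parse that keeps every repeated field rather than the last one only.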

Re: Supraudit JSON output malformed?

Postby morpheus » Thu May 17, 2018 12:10 pm

I'll fix that soon. As for -L, I made a booboo - it logs to os_log in that version (try /usr/bin/log stream) since syslog now redirects to os_log. I'll upload one that can do full syslog soon.
morpheus
Site Admin
 
Posts: 665
Joined: Thu Apr 11, 2013 6:24 pm

Re: Supraudit JSON output malformed?

Postby scheb » Mon May 21, 2018 8:22 pm

morpheus wrote:I'll fix that soon. As for -L, I made a booboo - it logs to os_log in that version (try /usr/bin/log stream) since syslog now redirects to os_log. I'll upload one that can do full syslog soon.


Running (as root) supraudit -L /var/audit/current, then log stream --last 2m shows me:

2018-05-21 14:55:37.744893-0500 0x1d14e Activity 0x20a2d 122 0 opendirectoryd: (SystemCache) Async refresh POSIX-related details for cache entry
2018-05-21 14:55:37.745061-0500 0x1d161 Default 0x20a32 122 0 opendirectoryd: [com.apple.opendirectoryd:session] getpwuid failed with result Not Found
2018-05-21 14:55:37.748772-0500 0x1d214 Activity 0x20a33 8712 0 supraudit: (libsystem_info.dylib) Retrieve User by ID

Same as with supraudit -L /dev/auditpipe.

What am I missing?
scheb
 
Posts: 7
Joined: Mon May 14, 2018 7:48 pm

Re: Supraudit JSON output malformed?

Postby morpheus » Tue May 22, 2018 4:11 am

Weird. I can't replicate this. Maybe your syslog config suppresses output? With log stream you should be able to see this. Also make sure -L -S (for supraudit format)

Attached is a build which validates with json_pp, per your earlier comments.
Attachments
supraudit.tgz
(22.45 KiB) Downloaded 22 times
morpheus
Site Admin
 
Posts: 665
Joined: Thu Apr 11, 2013 6:24 pm

Re: Supraudit JSON output malformed?

Postby scheb » Tue May 22, 2018 4:28 pm

morpheus wrote:Weird. I can't replicate this. Maybe your syslog config suppresses output? With log stream you should be able to see this. Also make sure -L -S (for supraudit format)

Attached is a build which validates with json_pp, per your earlier comments.


With the latest build, the trailing comma is gone, but we have another problem. :cry: Using the -F switch now results in a bunch of empty entries where the content has been filtered.

Example: supraudit -J -F net /var/audit/current returns something like the following
 { "events" : [
,
,
,
,
,
,
{ "timestamp" : "1527004330.396", "procName" : "mDNSResponder", "pid" : 252,  "uid" :  65 , "eventType" : "sendto" ,  "fd" : 7, "INET4" : "224.0.0.251:5353",  "retVal" : 137 },
,
,
,
,
,
{ "timestamp" : "1527004332.803", "procName" : "netbiosd", "pid" : 20185,  "uid" : 222 , "eventType" : "recvmsg" ,  "fd" : 3, "INET4" : "10.53.129.51:137",  "retVal" : 50 }]
}


On the flipside, supraudit -L -S /var/audit/current works great! Even with the May 14 build, I can see log entries in unified logging, so os_log is working after all, as long as -S is included.

Thanks!
scheb
 
Posts: 7
Joined: Mon May 14, 2018 7:48 pm

Re: Supraudit JSON output malformed?

Postby morpheus » Wed May 23, 2018 2:56 am

oopsie. Fixed those -F bugs.
Attachments
supraudit.tgz
(22.52 KiB) Downloaded 29 times
morpheus
Site Admin
 
Posts: 665
Joined: Thu Apr 11, 2013 6:24 pm

Re: Supraudit JSON output malformed?

Postby scheb » Fri May 25, 2018 6:09 pm

morpheus wrote:oopsie. Fixed those -F bugs.


Wow - we are so close! In testing the latest build, I stumbled upon one more:

{
"timestamp": "1527268309.522",
"procName": "Microsoft",
"pid": 48013,
"uid": 501,
"eventType": "ioctl",
"cmd": "0xc0407398",
"arg": "0x70000fb154f0",
"INET":"10.53 .129 .50: -6639 - > 13.107 .6 .151: 443", "retVal": 0
}

There's also some odd stdout output that is being inserted randomly. Is this happening because the audit log file is rolling?
1527268326.706| WARNING |00000/000|AUE_AUDIT detected - someone could be trying to shutdown auditing
AUT_SUBJECT32_EX

Any way to suppress them when using JSON output?

Thanks!
scheb
 
Posts: 7
Joined: Mon May 14, 2018 7:48 pm
