- Fix RawEventAccumulator so EOE records are not erroneously ignored
- Add missing containerid to TestEventData
- Bump version to 2.2.4
This commit is contained in:
Tad Glines 2020-06-24 15:05:04 -07:00 коммит произвёл GitHub
Родитель 35bf35c9fd
Коммит a9864ac85e
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
8 изменённых файлов: 94 добавлений и 59 удалений

Cache.h

@ -80,11 +80,11 @@ public:
return false;
}
bool on(const K& key, const std::function<CacheEntryOP(const std::chrono::steady_clock::time_point& last_touched, V& value)>& fn) {
bool on(const K& key, const std::function<CacheEntryOP(size_t entry_count, const std::chrono::steady_clock::time_point& last_touched, V& value)>& fn) {
auto itr = _entries.find(key);
if (itr != _entries.end()) {
auto entry = itr->second;
auto op = fn(entry->_last_touched, entry->_item);
auto op = fn(_entries.size(), entry->_last_touched, entry->_item);
if (op == CacheEntryOP::TOUCH) {
touch(entry);
} else if (op == CacheEntryOP::REMOVE) {
@ -95,11 +95,11 @@ public:
return false;
}
void for_all_oldest_first(const std::function<CacheEntryOP(const std::chrono::steady_clock::time_point& last_touched, const K& key, V& value)>& fn) {
void for_all_oldest_first(const std::function<CacheEntryOP(size_t entry_count, const std::chrono::steady_clock::time_point& last_touched, const K& key, V& value)>& fn) {
auto now = std::chrono::steady_clock::now();
while (_oldest._newer != &_newest) {
auto entry = _oldest._newer;
auto op = fn(entry->_last_touched, entry->_key, entry->_item);
auto op = fn(_entries.size(), entry->_last_touched, entry->_key, entry->_item);
switch (op) {
case CacheEntryOP::TOUCH:
touch(entry);
@ -113,11 +113,11 @@ public:
}
}
void for_all_newest_first(const std::function<CacheEntryOP(const std::chrono::steady_clock::time_point& last_touched, const K& key, V& value)>& fn) {
void for_all_newest_first(const std::function<CacheEntryOP(size_t entry_count, const std::chrono::steady_clock::time_point& last_touched, const K& key, V& value)>& fn) {
auto now = std::chrono::steady_clock::now();
while (_newest._older != &_oldest) {
auto entry = _newest._older;
auto op = fn(entry->_last_touched, entry->_key, entry->_item);
auto op = fn(_entries.size(), entry->_last_touched, entry->_key, entry->_item);
switch (op) {
case CacheEntryOP::TOUCH:
touch(entry);
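Review bot: The new `entry_count` argument is undocumented, and its one subtle property deserves a comment: in `for_all_oldest_first` and `for_all_newest_first` it is re-read from `_entries.size()` on every iteration, so a callback that returns REMOVE sees a count that shrinks as it goes, which is what lets a "trim until under the limit" callback terminate; in `on()` it is simply the size at call time. Suggest above each traversal: `// fn receives the current entry count (re-evaluated after every REMOVE), the entry's last-touched time, its key and its value.` All three function bodies continue past the end of the hunk; the `now` local declared at the top of each loop is not used in the visible lines, and if the rest of the body does not use it either it should be dropped.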


@ -267,7 +267,9 @@ BOOST_AUTO_TEST_CASE( basic_test ) {
RawEventAccumulator accumulator(actual_raw_builder, metrics);
for (auto raw_event : raw_test_events) {
for (int i = 0; i < raw_test_events.size(); i++) {
auto raw_event = raw_test_events[i];
auto do_flush = raw_events_do_flush[i];
std::string event_txt = raw_event;
auto lines = split(event_txt, '\n');
for (auto& line: lines) {
@ -279,7 +281,9 @@ BOOST_AUTO_TEST_CASE( basic_test ) {
Logger::Warn("Received unparsable event data: %s", line.c_str());
}
}
accumulator.Flush(0);
if (do_flush) {
accumulator.Flush(0);
}
}
BOOST_REQUIRE_EQUAL(expected_queue->GetEventCount(), actual_queue->GetEventCount());
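Review bot: `raw_events_do_flush[i]` is indexed by the bound of `raw_test_events`, with nothing checking that the two vectors have the same length, so adding a test event without a matching flush flag becomes an out-of-range read rather than a test failure. Add `BOOST_REQUIRE_EQUAL(raw_test_events.size(), raw_events_do_flush.size());` before the loop, and make the index `size_t i` to avoid the signed/unsigned comparison the new loop introduces over the range-for it replaced. The loop body is cut by the hunk boundary; `std::string event_txt = raw_event;` copies the event text a second time, which is harmless in a test.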


@ -62,13 +62,7 @@ bool RawEvent::AddRecord(std::unique_ptr<RawEventRecord> record) {
}
}
if (rtype < RecordType::FIRST_EVENT ||
rtype >= RecordType::FIRST_ANOM_MSG ||
rtype == RecordType::KERNEL) {
return true;
}
return false;
return IsSingleRecordEvent(rtype);
}
int RawEvent::AddEvent(EventBuilder& builder) {
@ -140,13 +134,14 @@ int RawEventAccumulator::AddRecord(std::unique_ptr<RawEventRecord> record) {
_bytes_metric->Add(static_cast<double>(record->GetSize()));
_record_metric->Add(1.0);
if (record->IsEmpty()) {
// Drop empty records unless it is the EOE record.
if (record->IsEmpty() && record->GetRecordType() != RecordType::EOE) {
return 0;
}
auto event_id = record->GetEventId();
int ret = 0;
auto found = _events.on(event_id, [this,&record,&ret](const std::chrono::steady_clock::time_point& last_touched, std::shared_ptr<RawEvent>& event) {
auto found = _events.on(event_id, [this,&record,&ret](size_t entry_count, const std::chrono::steady_clock::time_point& last_touched, std::shared_ptr<RawEvent>& event) {
if (event->AddRecord(std::move(record))) {
ret = event->AddEvent(*_builder);
return CacheEntryOP::REMOVE;
@ -163,6 +158,15 @@ int RawEventAccumulator::AddRecord(std::unique_ptr<RawEventRecord> record) {
_events.add(event_id, event);
}
}
// Don't wait for Flush to be called, preemptively flush oldest if the cache size limit is exceeded
_events.for_all_oldest_first([this](size_t entry_count, const std::chrono::steady_clock::time_point& last_touched, const EventId& key, std::shared_ptr<RawEvent>& event) {
if (entry_count > MAX_CACHE_ENTRY) {
event->AddEvent(*_builder);
_event_metric->Add(1.0);
return CacheEntryOP::REMOVE;
}
return CacheEntryOP::STOP;
});
return 1;
}
@ -171,8 +175,8 @@ void RawEventAccumulator::Flush(long milliseconds) {
auto now = std::chrono::steady_clock::now();
std::lock_guard<std::mutex> lock(_mutex);
_events.for_all_oldest_first([this,now,milliseconds](const std::chrono::steady_clock::time_point& last_touched, const EventId& key, std::shared_ptr<RawEvent>& event) {
if (std::chrono::duration_cast<std::chrono::milliseconds>(now.time_since_epoch()-last_touched.time_since_epoch()) > std::chrono::milliseconds(milliseconds)) {
_events.for_all_oldest_first([this,now,milliseconds](size_t entry_count, const std::chrono::steady_clock::time_point& last_touched, const EventId& key, std::shared_ptr<RawEvent>& event) {
if (entry_count > MAX_CACHE_ENTRY || std::chrono::duration_cast<std::chrono::milliseconds>(now.time_since_epoch()-last_touched.time_since_epoch()) > std::chrono::milliseconds(milliseconds)) {
event->AddEvent(*_builder);
_event_metric->Add(1.0);
return CacheEntryOP::REMOVE;
@ -180,7 +184,7 @@ void RawEventAccumulator::Flush(long milliseconds) {
return CacheEntryOP::STOP;
});
} else {
_events.for_all_oldest_first([this](const std::chrono::steady_clock::time_point& last_touched, const EventId& key, std::shared_ptr<RawEvent>& event) {
_events.for_all_oldest_first([this](size_t entry_count, const std::chrono::steady_clock::time_point& last_touched, const EventId& key, std::shared_ptr<RawEvent>& event) {
event->AddEvent(*_builder);
_event_metric->Add(1.0);
return CacheEntryOP::REMOVE;
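Review bot: A stray EOE record — one whose event was already emitted, or that arrives after a preemptive trim — can now allocate a cache entry of its own: the EOE exemption on the `IsEmpty()` check lets it reach `_events.on()`, and the else branch at the bottom of the second hunk (`_events.add(event_id, event)`) appears to create a new RawEvent when nothing is found, so that entry would sit in the cache and be emitted at flush time as a payload-less event. If that is what the else branch does, guard it before the add: `if (!found && record->GetRecordType() == RecordType::EOE) { return 0; }`. Separately, the preemptive-trim lambda ignores the return value of `event->AddEvent(*_builder)` while the same call on the normal path is captured into `ret`; either handle a failure the same way or comment why it is safe to drop here. AddRecord begins before the hunk, so whether it holds `_mutex` as Flush does is not visible; the trim walks `_events` and needs the same lock.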


@ -64,6 +64,7 @@ public:
void Flush(long milliseconds);
private:
static constexpr size_t MAX_CACHE_ENTRY = 256;
std::mutex _mutex;
std::shared_ptr<EventBuilder> _builder;
std::shared_ptr<Metrics> _metrics;
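Review bot: `MAX_CACHE_ENTRY` is a bare magic number with no comment saying what it bounds or what happens when the bound is hit; from the accompanying .cpp change, exceeding it causes the oldest pending events to be emitted immediately, possibly before their EOE has arrived, i.e. as incomplete events. Suggest: `// Max number of in-flight (not yet EOE-terminated) events held in _events; when exceeded, the oldest are emitted as-is — possibly incomplete — instead of waiting for EOE or Flush().` Whether 256 is adequate for bursty auditd output is not evident from this diff; a note on how the value was chosen, or making it configurable, would help operators tune it.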


@ -259,4 +259,8 @@ enum class RecordType: int {
AUOMS_EXECVE = 14688,
};
constexpr bool IsSingleRecordEvent(RecordType rtype) {
return rtype != RecordType::EOE && (rtype < RecordType::FIRST_EVENT || rtype >= RecordType::FIRST_ANOM_MSG || rtype == RecordType::KERNEL);
}
#endif //AUOMS_RECORDTYPE_H
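Review bot: `IsSingleRecordEvent` carries the actual bug fix from the commit title — EOE is no longer classified as a single-record event — without saying so, and a reader comparing it with the inline test it replaced in `RawEvent::AddRecord` will not know the `rtype != RecordType::EOE` term is deliberate. Suggest a comment above it: `// True for record types that form a complete event on their own (no EOE terminator follows). EOE is explicitly excluded: it terminates a multi-record event and must never be treated as one.` The range test relies on the ordering of FIRST_EVENT and FIRST_ANOM_MSG declared earlier in this enum, outside the hunk.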


@ -64,6 +64,7 @@ type=EOE msg=audit(1521757638.392:262334):
)event",
R"event(type=SYSCALL msg=audit(1563459621.014:574): arch=c000003e syscall=159 success=yes exit=0 a0=7ffc9aa65d80 a1=0 a2=270b a3=7ffc9aa65e40 items=0 ppid=1 pid=1655 auid=4294967295 uid=123 gid=132 euid=123 suid=123 fsuid=123 egid=132 sgid=132 fsgid=132 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"
type=PROCTITLE msg=audit(1563459621.014:574): proctitle="/usr/sbin/chronyd"
type=EOE msg=audit(1563459621.014:574):
)event",
R"event(type=SYSCALL msg=audit(1563470055.872:7605215): arch=c000003e syscall=59 success=yes exit=0 a0=ad1150 a1=ad03d0 a2=ad0230 a3=fc2c9fc5 items=2 ppid=16244 pid=91098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" key="auoms"
type=EXECVE msg=audit(1563470055.872:7605215): argc=5 a0="iptables" a1="-w" a2="-t" a3="security" a4="--flush"
@ -71,6 +72,7 @@ type=CWD msg=audit(1563470055.872:7605215): cwd="/var/lib/waagent"
type=PATH msg=audit(1563470055.872:7605215): item=0 name="/usr/sbin/iptables" inode=1579593 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1563470055.872:7605215): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1048670 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=UNKNOWN[1327] msg=audit(1563470055.872:7605215): proctitle=2F62696E2F7368002D630069707461626C6573202D77202D74207365637572697479202D2D666C757368
type=EOE msg=audit(1563470055.872:7605215):
)event",
R"event(type=NETFILTER_CFG msg=audit(1563470055.876:7605216): table=security family=2 entries=4
type=SYSCALL msg=audit(1563470055.876:7605216): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=c31600 items=0 ppid=16244 pid=91098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" key=(null)
@ -80,6 +82,18 @@ type=UNKNOWN[1327] msg=audit(1563470055.876:7605216): proctitle=2F62696E2F736800
type=INTEGRITY_POLICY_RULE audit(1572298453.690:5717): IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] ) [ action = allow ] [ boot_verified = true ]
)event",
};
const std::vector<bool> raw_events_do_flush {
false,
false,
false,
true,
false,
false,
false,
false,
true,
true,
};
const std::vector<TestEvent> test_events {
{1521757638, 392, 262332, 1, 26918, {
@ -128,6 +142,31 @@ const std::vector<TestEvent> test_events {
// EXECVE
{"argc", "6", nullptr, field_type_t::UNCLASSIFIED},
{"cmdline", "logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"", nullptr, field_type_t::UNESCAPED},
{"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
}}}
},
{1521757638, 392, 262334, 1, -1, {
{static_cast<uint32_t>(RecordType::AUOMS_SYSCALL_FRAGMENT), "AUOMS_SYSCALL_FRAGMENT", "", {
// CWD
{"cwd", "\"/\"", nullptr, field_type_t::ESCAPED},
// PATH
{"name", "\"/usr/bin/logger\"", nullptr, field_type_t::ESCAPED},
{"inode", "312545", nullptr, field_type_t::UNCLASSIFIED},
{"dev", "00:13", nullptr, field_type_t::UNCLASSIFIED},
{"mode", "0100755", "file,755", field_type_t::MODE},
{"ouid", "0", "root", field_type_t::UID},
{"ogid", "0", "root", field_type_t::GID},
{"rdev", "00:00", nullptr, field_type_t::UNCLASSIFIED},
{"nametype", "NORMAL", nullptr, field_type_t::UNCLASSIFIED},
{"path_name", "[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]", nullptr, field_type_t::UNCLASSIFIED},
{"path_nametype", "[\"NORMAL\",\"NORMAL\"]", nullptr, field_type_t::UNCLASSIFIED},
{"path_mode", "[\"0100755\",\"0100755\"]", nullptr, field_type_t::UNCLASSIFIED},
{"path_ouid", "[\"0\",\"0\"]", nullptr, field_type_t::UNCLASSIFIED},
{"path_ogid", "[\"0\",\"0\"]", nullptr, field_type_t::UNCLASSIFIED},
// EXECVE
{"argc", "6", nullptr, field_type_t::UNCLASSIFIED},
{"cmdline", "logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"", nullptr, field_type_t::UNESCAPED},
{"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
}}}
},
{1521757638, 392, 262333, 1, 26918, {
@ -160,29 +199,7 @@ const std::vector<TestEvent> test_events {
// EXECVE
{"argc", "6", nullptr, field_type_t::UNCLASSIFIED},
{"cmdline", "logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"", nullptr, field_type_t::UNESCAPED},
}}}
},
{1521757638, 392, 262334, 1, -1, {
{static_cast<uint32_t>(RecordType::AUOMS_SYSCALL_FRAGMENT), "AUOMS_SYSCALL_FRAGMENT", "", {
// CWD
{"cwd", "\"/\"", nullptr, field_type_t::ESCAPED},
// PATH
{"name", "\"/usr/bin/logger\"", nullptr, field_type_t::ESCAPED},
{"inode", "312545", nullptr, field_type_t::UNCLASSIFIED},
{"dev", "00:13", nullptr, field_type_t::UNCLASSIFIED},
{"mode", "0100755", "file,755", field_type_t::MODE},
{"ouid", "0", "root", field_type_t::UID},
{"ogid", "0", "root", field_type_t::GID},
{"rdev", "00:00", nullptr, field_type_t::UNCLASSIFIED},
{"nametype", "NORMAL", nullptr, field_type_t::UNCLASSIFIED},
{"path_name", "[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]", nullptr, field_type_t::UNCLASSIFIED},
{"path_nametype", "[\"NORMAL\",\"NORMAL\"]", nullptr, field_type_t::UNCLASSIFIED},
{"path_mode", "[\"0100755\",\"0100755\"]", nullptr, field_type_t::UNCLASSIFIED},
{"path_ouid", "[\"0\",\"0\"]", nullptr, field_type_t::UNCLASSIFIED},
{"path_ogid", "[\"0\",\"0\"]", nullptr, field_type_t::UNCLASSIFIED},
// EXECVE
{"argc", "6", nullptr, field_type_t::UNCLASSIFIED},
{"cmdline", "logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"", nullptr, field_type_t::UNESCAPED},
{"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
}}}
},
{1521773704, 435, 270957, 0, -1, {
@ -253,6 +270,7 @@ const std::vector<TestEvent> test_events {
{"exe", "\"/usr/sbin/chronyd\"", nullptr, field_type_t::ESCAPED},
{"key", "\"time-change\"", "time-change", field_type_t::ESCAPED_KEY},
{"proctitle", "/usr/sbin/chronyd", nullptr, field_type_t::PROCTITLE},
{"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
}}}
},
{1563470055, 872, 7605215, 1, 91098, {
@ -301,6 +319,7 @@ const std::vector<TestEvent> test_events {
// EXECVE
{"argc", "5", nullptr, field_type_t::UNCLASSIFIED},
{"cmdline", "iptables -w -t security --flush", nullptr, field_type_t::UNESCAPED},
{"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
}}}
},
{1563470055, 876, 7605216, 1, 91098, {
@ -334,6 +353,7 @@ const std::vector<TestEvent> test_events {
{"NETFILTER_CFG_table", "security", nullptr, field_type_t::UNCLASSIFIED},
{"NETFILTER_CFG_family", "2", nullptr, field_type_t::NFPROTO},
{"NETFILTER_CFG_entries", "4", nullptr, field_type_t::UNCLASSIFIED},
{"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
}}}
},
{1572298453, 690, 5717, 1, 1450, {
@ -364,6 +384,7 @@ const std::vector<TestEvent> test_events {
{"exe", "\"/usr/sbin/agetty\"", nullptr, field_type_t::ESCAPED},
{"key", "(null)", nullptr, field_type_t::ESCAPED_KEY},
{"INTEGRITY_POLICY_RULE_unparsed_text", "IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] ) [ action = allow ] [ boot_verified = true ]", nullptr, field_type_t::UNESCAPED},
{"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
}}}
},
};
@ -376,25 +397,25 @@ const std::vector<const char*> oms_test_events = {
};
*/
const std::vector<const char*> oms_test_events = {
R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262332,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","ppid":"26595","pid":"26918","audit_user":"root","auid":"0","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"842","comm":"logger","exe":"/usr/bin/logger","key":"auoms,execve","key_r":"61756F6D7301657865637665","cwd":"/","name":"/usr/bin/logger","inode":"312545","dev":"00:13","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \""}]}])event",
R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262333,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","ppid":"26595","pid":"26918","audit_user":"root","auid":"0","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"842","comm":"logger","exe":"/usr/bin/logger","key":"(null)","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \""}]}])event",
R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262334,"ProcessFlags":0,"records":[{"RecordTypeCode":10002,"RecordType":"AUOMS_SYSCALL_FRAGMENT","cwd":"/","name":"/usr/bin/logger","inode":"312545","dev":"00:13","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \""}]}])event",
R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262332,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","ppid":"26595","pid":"26918","audit_user":"root","auid":"0","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"842","comm":"logger","exe":"/usr/bin/logger","key":"auoms,execve","key_r":"61756F6D7301657865637665","cwd":"/","name":"/usr/bin/logger","inode":"312545","dev":"00:13","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","containerid":""}]}])event",
R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262333,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","ppid":"26595","pid":"26918","audit_user":"root","auid":"0","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"842","comm":"logger","exe":"/usr/bin/logger","key":"(null)","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","containerid":""}]}])event",
R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262334,"ProcessFlags":0,"records":[{"RecordTypeCode":10002,"RecordType":"AUOMS_SYSCALL_FRAGMENT","cwd":"/","name":"/usr/bin/logger","inode":"312545","dev":"00:13","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","containerid":""}]}])event",
R"event([1562867403.686,{"MessageType":"AUDIT_EVENT","Timestamp":"1562867403.686","SerialNumber":4179743,"ProcessFlags":0,"records":[{"RecordTypeCode":1112,"RecordType":"USER_LOGIN","pid":"26475","user":"root","uid":"0","audit_user":"user","auid":"1000","ses":"91158","op":"login","id":"user","id_r":"1000","exe":"/usr/sbin/sshd","hostname":"131.107.147.6","addr":"131.107.147.6","terminal":"/dev/pts/0","res":"success"}]}])event",
R"event([1563459621.014,{"MessageType":"AUOMS_EVENT","Timestamp":"1563459621.014","SerialNumber":574,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"x86_64","syscall":"adjtimex","success":"yes","exit":"0","a0":"7ffc9aa65d80","a1":"0","a2":"270b","a3":"7ffc9aa65e40","ppid":"1","pid":"1655","audit_user":"unset","auid":"4294967295","user":"_chrony","uid":"123","group":"_chrony","gid":"132","effective_user":"_chrony","euid":"123","set_user":"_chrony","suid":"123","filesystem_user":"_chrony","fsuid":"123","effective_group":"_chrony","egid":"132","set_group":"_chrony","sgid":"132","filesystem_group":"_chrony","fsgid":"132","tty":"(none)","ses":"-1","comm":"chronyd","exe":"/usr/sbin/chronyd","key":"time-change","key_r":"\"time-change\"","proctitle":"/usr/sbin/chronyd"}]}])event",
R"event([1563470055.872,{"MessageType":"AUOMS_EVENT","Timestamp":"1563470055.872","SerialNumber":7605215,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"ad1150","a1":"ad03d0","a2":"ad0230","a3":"fc2c9fc5","ppid":"16244","pid":"91098","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"iptables","exe":"/usr/sbin/xtables-multi","key":"auoms","key_r":"\"auoms\"","cwd":"/var/lib/waagent","name":"/usr/sbin/iptables","inode":"1579593","dev":"08:02","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/sbin/iptables\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"5","cmdline":"iptables -w -t security --flush"}]}])event",
R"event([1563470055.876,{"MessageType":"AUOMS_EVENT","Timestamp":"1563470055.876","SerialNumber":7605216,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"x86_64","syscall":"setsockopt","success":"yes","exit":"0","a0":"4","a1":"0","a2":"40","a3":"c31600","ppid":"16244","pid":"91098","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"iptables","exe":"/usr/sbin/xtables-multi","key":"(null)","proctitle":"/bin/sh -c \"iptables -w -t security --flush\"","NETFILTER_CFG_table":"security","NETFILTER_CFG_family":"2","NETFILTER_CFG_entries":"4"}]}])event",
R"event([1572298453.69,{"MessageType":"AUOMS_EVENT","Timestamp":"1572298453.690","SerialNumber":5717,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"aarch64","syscall":"mmap","success":"yes","exit":"281129964019712","a0":"0","a1":"16a048","a2":"5","a3":"802","ppid":"1","pid":"1450","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"agetty","exe":"/usr/sbin/agetty","key":"(null)","INTEGRITY_POLICY_RULE_unparsed_text":"IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] ) [ action = allow ] [ boot_verified = true ]"}]}])event",
R"event([1563459621.014,{"MessageType":"AUOMS_EVENT","Timestamp":"1563459621.014","SerialNumber":574,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"x86_64","syscall":"adjtimex","success":"yes","exit":"0","a0":"7ffc9aa65d80","a1":"0","a2":"270b","a3":"7ffc9aa65e40","ppid":"1","pid":"1655","audit_user":"unset","auid":"4294967295","user":"_chrony","uid":"123","group":"_chrony","gid":"132","effective_user":"_chrony","euid":"123","set_user":"_chrony","suid":"123","filesystem_user":"_chrony","fsuid":"123","effective_group":"_chrony","egid":"132","set_group":"_chrony","sgid":"132","filesystem_group":"_chrony","fsgid":"132","tty":"(none)","ses":"-1","comm":"chronyd","exe":"/usr/sbin/chronyd","key":"time-change","key_r":"\"time-change\"","proctitle":"/usr/sbin/chronyd","containerid":""}]}])event",
R"event([1563470055.872,{"MessageType":"AUOMS_EVENT","Timestamp":"1563470055.872","SerialNumber":7605215,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"ad1150","a1":"ad03d0","a2":"ad0230","a3":"fc2c9fc5","ppid":"16244","pid":"91098","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"iptables","exe":"/usr/sbin/xtables-multi","key":"auoms","key_r":"\"auoms\"","cwd":"/var/lib/waagent","name":"/usr/sbin/iptables","inode":"1579593","dev":"08:02","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/sbin/iptables\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"5","cmdline":"iptables -w -t security --flush","containerid":""}]}])event",
R"event([1563470055.876,{"MessageType":"AUOMS_EVENT","Timestamp":"1563470055.876","SerialNumber":7605216,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"x86_64","syscall":"setsockopt","success":"yes","exit":"0","a0":"4","a1":"0","a2":"40","a3":"c31600","ppid":"16244","pid":"91098","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"iptables","exe":"/usr/sbin/xtables-multi","key":"(null)","proctitle":"/bin/sh -c \"iptables -w -t security --flush\"","NETFILTER_CFG_table":"security","NETFILTER_CFG_family":"2","NETFILTER_CFG_entries":"4","containerid":""}]}])event",
R"event([1572298453.69,{"MessageType":"AUOMS_EVENT","Timestamp":"1572298453.690","SerialNumber":5717,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"aarch64","syscall":"mmap","success":"yes","exit":"281129964019712","a0":"0","a1":"16a048","a2":"5","a3":"802","ppid":"1","pid":"1450","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"agetty","exe":"/usr/sbin/agetty","key":"(null)","INTEGRITY_POLICY_RULE_unparsed_text":"IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] ) [ action = allow ] [ boot_verified = true ]","containerid":""}]}])event",
};
const std::vector<const char*> fluent_test_events = {
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1521757638.392:262332","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_EXECVE","RecordTypeCode":"14688","SerialNumber":"262332","Timestamp":"2018-03-22T22:27:18.392Z","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","arch":"x86_64","argc":"6","audit_user":"root","auid":"0","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","comm":"logger","cwd":"/","dev":"00:13","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/bin/logger","exit":"0","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","inode":"312545","key":"auoms,execve","key_r":"61756F6D7301657865637665","mode":"file,755","name":"/usr/bin/logger","nametype":"NORMAL","o_user":"root","ogid":"0","ouid":"0","owner_group":"root","path_mode":"[\"0100755\",\"0100755\"]","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_ogid":"[\"0\",\"0\"]","path_ouid":"[\"0\",\"0\"]","pid":"26918","ppid":"26595","rdev":"00:00","ses":"842","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"execve","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1521757638.392:262333","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_EXECVE","RecordTypeCode":"14688","SerialNumber":"262333","Timestamp":"2018-03-22T22:27:18.392Z","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","arch":"x86_64","argc":"6","audit_user":"root","auid":"0","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","comm":"logger","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/bin/logger","exit":"0","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","key":"(null)","pid":"26918","ppid":"26595","ses":"842","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"execve","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1521757638.392:262334","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_SYSCALL_FRAGMENT","RecordTypeCode":"10002","SerialNumber":"262334","Timestamp":"2018-03-22T22:27:18.392Z","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","cwd":"/","dev":"00:13","inode":"312545","mode":"file,755","name":"/usr/bin/logger","nametype":"NORMAL","o_user":"root","ogid":"0","ouid":"0","owner_group":"root","path_mode":"[\"0100755\",\"0100755\"]","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_ogid":"[\"0\",\"0\"]","path_ouid":"[\"0\",\"0\"]","rdev":"00:00"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1521757638.392:262332","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_EXECVE","RecordTypeCode":"14688","SerialNumber":"262332","Timestamp":"2018-03-22T22:27:18.392Z","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","arch":"x86_64","argc":"6","audit_user":"root","auid":"0","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","comm":"logger","containerid":"","cwd":"/","dev":"00:13","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/bin/logger","exit":"0","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","inode":"312545","key":"auoms,execve","key_r":"61756F6D7301657865637665","mode":"file,755","name":"/usr/bin/logger","nametype":"NORMAL","o_user":"root","ogid":"0","ouid":"0","owner_group":"root","path_mode":"[\"0100755\",\"0100755\"]","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_ogid":"[\"0\",\"0\"]","path_ouid":"[\"0\",\"0\"]","pid":"26918","ppid":"26595","rdev":"00:00","ses":"842","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"execve","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1521757638.392:262333","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_EXECVE","RecordTypeCode":"14688","SerialNumber":"262333","Timestamp":"2018-03-22T22:27:18.392Z","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","arch":"x86_64","argc":"6","audit_user":"root","auid":"0","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","comm":"logger","containerid":"","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/bin/logger","exit":"0","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","key":"(null)","pid":"26918","ppid":"26595","ses":"842","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"execve","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1521757638.392:262334","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_SYSCALL_FRAGMENT","RecordTypeCode":"10002","SerialNumber":"262334","Timestamp":"2018-03-22T22:27:18.392Z","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","containerid":"","cwd":"/","dev":"00:13","inode":"312545","mode":"file,755","name":"/usr/bin/logger","nametype":"NORMAL","o_user":"root","ogid":"0","ouid":"0","owner_group":"root","path_mode":"[\"0100755\",\"0100755\"]","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_ogid":"[\"0\",\"0\"]","path_ouid":"[\"0\",\"0\"]","rdev":"00:00"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1562867403.686:4179743","Computer":"TestHostname","MessageType":"AUDIT_EVENT","ProcessFlags":"","RecordText":"type=USER_LOGIN msg=audit(1562867403.686:4179743): pid=26475 uid=0 auid=1000 ses=91158 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=131.107.147.6 addr=131.107.147.6 terminal=/dev/pts/0 res=success'","RecordType":"USER_LOGIN","RecordTypeCode":"1112","SerialNumber":"4179743","Timestamp":"2019-07-11T17:50:03.686Z","addr":"131.107.147.6","audit_user":"user","auid":"1000","exe":"/usr/sbin/sshd","hostname":"131.107.147.6","id":"user","id_r":"1000","op":"login","pid":"26475","res":"success","ses":"91158","terminal":"/dev/pts/0","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1563459621.014:574","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_SYSCALL","RecordTypeCode":"10001","SerialNumber":"574","Timestamp":"2019-07-18T14:20:21.014Z","a0":"7ffc9aa65d80","a1":"0","a2":"270b","a3":"7ffc9aa65e40","arch":"x86_64","audit_user":"unset","auid":"4294967295","comm":"chronyd","effective_group":"_chrony","effective_user":"_chrony","egid":"132","euid":"123","exe":"/usr/sbin/chronyd","exit":"0","filesystem_group":"_chrony","filesystem_user":"_chrony","fsgid":"132","fsuid":"123","gid":"132","group":"_chrony","key":"time-change","key_r":"\"time-change\"","pid":"1655","ppid":"1","proctitle":"/usr/sbin/chronyd","ses":"-1","set_group":"_chrony","set_user":"_chrony","sgid":"132","success":"yes","suid":"123","syscall":"adjtimex","tty":"(none)","uid":"123","user":"_chrony"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1563470055.872:7605215","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_EXECVE","RecordTypeCode":"14688","SerialNumber":"7605215","Timestamp":"2019-07-18T17:14:15.872Z","a0":"ad1150","a1":"ad03d0","a2":"ad0230","a3":"fc2c9fc5","arch":"x86_64","argc":"5","audit_user":"unset","auid":"4294967295","cmdline":"iptables -w -t security --flush","comm":"iptables","cwd":"/var/lib/waagent","dev":"08:02","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/sbin/xtables-multi","exit":"0","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","inode":"1579593","key":"auoms","key_r":"\"auoms\"","mode":"file,755","name":"/usr/sbin/iptables","nametype":"NORMAL","o_user":"root","ogid":"0","ouid":"0","owner_group":"root","path_mode":"[\"0100755\",\"0100755\"]","path_name":"[\"/usr/sbin/iptables\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_ogid":"[\"0\",\"0\"]","path_ouid":"[\"0\",\"0\"]","pid":"91098","ppid":"16244","rdev":"00:00","ses":"-1","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"execve","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1563470055.876:7605216","Computer":"TestHostname","MessageType":"AUOMS_EVENT","NETFILTER_CFG_entries":"4","NETFILTER_CFG_family":"2","NETFILTER_CFG_table":"security","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_SYSCALL","RecordTypeCode":"10001","SerialNumber":"7605216","Timestamp":"2019-07-18T17:14:15.876Z","a0":"4","a1":"0","a2":"40","a3":"c31600","arch":"x86_64","audit_user":"unset","auid":"4294967295","comm":"iptables","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/sbin/xtables-multi","exit":"0","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","key":"(null)","pid":"91098","ppid":"16244","proctitle":"/bin/sh -c \"iptables -w -t security --flush\"","ses":"-1","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"setsockopt","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1572298453.690:5717","Computer":"TestHostname","INTEGRITY_POLICY_RULE_unparsed_text":"IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] ) [ action = allow ] [ boot_verified = true ]","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_SYSCALL","RecordTypeCode":"10001","SerialNumber":"5717","Timestamp":"2019-10-28T21:34:13.690Z","a0":"0","a1":"16a048","a2":"5","a3":"802","arch":"aarch64","audit_user":"unset","auid":"4294967295","comm":"agetty","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/sbin/agetty","exit":"281129964019712","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","key":"(null)","pid":"1450","ppid":"1","ses":"-1","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"mmap","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1563459621.014:574","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_SYSCALL","RecordTypeCode":"10001","SerialNumber":"574","Timestamp":"2019-07-18T14:20:21.014Z","a0":"7ffc9aa65d80","a1":"0","a2":"270b","a3":"7ffc9aa65e40","arch":"x86_64","audit_user":"unset","auid":"4294967295","comm":"chronyd","containerid":"","effective_group":"_chrony","effective_user":"_chrony","egid":"132","euid":"123","exe":"/usr/sbin/chronyd","exit":"0","filesystem_group":"_chrony","filesystem_user":"_chrony","fsgid":"132","fsuid":"123","gid":"132","group":"_chrony","key":"time-change","key_r":"\"time-change\"","pid":"1655","ppid":"1","proctitle":"/usr/sbin/chronyd","ses":"-1","set_group":"_chrony","set_user":"_chrony","sgid":"132","success":"yes","suid":"123","syscall":"adjtimex","tty":"(none)","uid":"123","user":"_chrony"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1563470055.872:7605215","Computer":"TestHostname","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_EXECVE","RecordTypeCode":"14688","SerialNumber":"7605215","Timestamp":"2019-07-18T17:14:15.872Z","a0":"ad1150","a1":"ad03d0","a2":"ad0230","a3":"fc2c9fc5","arch":"x86_64","argc":"5","audit_user":"unset","auid":"4294967295","cmdline":"iptables -w -t security --flush","comm":"iptables","containerid":"","cwd":"/var/lib/waagent","dev":"08:02","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/sbin/xtables-multi","exit":"0","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","inode":"1579593","key":"auoms","key_r":"\"auoms\"","mode":"file,755","name":"/usr/sbin/iptables","nametype":"NORMAL","o_user":"root","ogid":"0","ouid":"0","owner_group":"root","path_mode":"[\"0100755\",\"0100755\"]","path_name":"[\"/usr/sbin/iptables\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_ogid":"[\"0\",\"0\"]","path_ouid":"[\"0\",\"0\"]","pid":"91098","ppid":"16244","rdev":"00:00","ses":"-1","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"execve","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1563470055.876:7605216","Computer":"TestHostname","MessageType":"AUOMS_EVENT","NETFILTER_CFG_entries":"4","NETFILTER_CFG_family":"2","NETFILTER_CFG_table":"security","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_SYSCALL","RecordTypeCode":"10001","SerialNumber":"7605216","Timestamp":"2019-07-18T17:14:15.876Z","a0":"4","a1":"0","a2":"40","a3":"c31600","arch":"x86_64","audit_user":"unset","auid":"4294967295","comm":"iptables","containerid":"","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/sbin/xtables-multi","exit":"0","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","key":"(null)","pid":"91098","ppid":"16244","proctitle":"/bin/sh -c \"iptables -w -t security --flush\"","ses":"-1","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"setsockopt","tty":"(none)","uid":"0","user":"root"}]])event",
R"event(["LINUX_AUDITD_BLOB",["TIMESTAMP",{"AuditID":"1572298453.690:5717","Computer":"TestHostname","INTEGRITY_POLICY_RULE_unparsed_text":"IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] ) [ action = allow ] [ boot_verified = true ]","MessageType":"AUOMS_EVENT","ProcessFlags":"","RecordText":"","RecordType":"AUOMS_SYSCALL","RecordTypeCode":"10001","SerialNumber":"5717","Timestamp":"2019-10-28T21:34:13.690Z","a0":"0","a1":"16a048","a2":"5","a3":"802","arch":"aarch64","audit_user":"unset","auid":"4294967295","comm":"agetty","containerid":"","effective_group":"root","effective_user":"root","egid":"0","euid":"0","exe":"/usr/sbin/agetty","exit":"281129964019712","filesystem_group":"root","filesystem_user":"root","fsgid":"0","fsuid":"0","gid":"0","group":"root","key":"(null)","pid":"1450","ppid":"1","ses":"-1","set_group":"root","set_user":"root","sgid":"0","success":"yes","suid":"0","syscall":"mmap","tty":"(none)","uid":"0","user":"root"}]])event",
};
const std::unordered_map<std::string, std::string> TestConfigFieldNameOverrideMap = {


@ -95,6 +95,7 @@ extern const std::string passwd_file_text;
extern const std::string group_file_text;
extern std::vector<const char*> raw_test_events;
extern const std::vector<bool> raw_events_do_flush;
extern const std::vector<TestEvent> test_events;
extern const std::vector<const char*> oms_test_events;
extern const std::vector<const char*> fluent_test_events;
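Review bot: The declaration of `raw_events_do_flush` gives a reader of this header no way to tell that it is meant to be index-aligned with `raw_test_events`, which is the only reading under which a `std::vector<bool>` next to a vector of event strings makes sense. A one-line comment above the pair would pin that contract down, e.g. `// raw_events_do_flush[i] is true when feeding raw_test_events[i] is expected to flush the accumulator (parallel to raw_test_events)`. This rendering has no markers or gutter, so which of the seven declarations is the single added line cannot be recovered; given the hunk counts and the commit's EOE fix, `raw_events_do_flush` is the probable addition, and the note applies wherever that line sits. Separately, `raw_test_events` is the only one of these declared without `const`; if the test code does not mutate it, matching the other declarations would keep the header consistent.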


@ -7,7 +7,7 @@
AUOMS_BUILDVERSION_MAJOR=2
AUOMS_BUILDVERSION_MINOR=2
AUOMS_BUILDVERSION_PATCH=3
AUOMS_BUILDVERSION_PATCH=4
AUOMS_BUILDVERSION_BUILDNR=0
AUOMS_BUILDVERSION_DATE=20200617
AUOMS_BUILDVERSION_DATE=20200624
AUOMS_BUILDVERSION_STATUS=Developer_Build