257 строки
7.4 KiB
Plaintext
257 строки
7.4 KiB
Plaintext
# Output format.
|
|
# Value values are: oms, json, msgpack, fluent, raw
|
|
#
|
|
output_format = oms
|
|
#output_format = json
|
|
#output_format = syslog
|
|
|
|
# The path to the output socket
|
|
#
|
|
output_socket = /home/kesheldr/bld-omsagent4/auoms/data/out.socket
|
|
|
|
# Enable ack mode.
|
|
# When true auome will expect events to be acked.
|
|
# On connection loss or restart, un-acked events will be re-transmitted.
|
|
#
|
|
#enable_ack_mode = false
|
|
|
|
# Ack queue size.
|
|
# The number of un-acked events that sent before waiting for acks.
|
|
#
|
|
#ack_queue_size = 1000
|
|
|
|
#
|
|
# All parameters below are only valid for the oms output format.
|
|
#
|
|
|
|
# If true, the raw record text is included in the message. The field name
|
|
# is controled by the 'RawTextFieldName parameter.
|
|
#
|
|
#include_full_raw_text = true
|
|
|
|
# The name of the field that will contain the raw event record text.
|
|
#
|
|
#raw_text_field_name = raw
|
|
|
|
# The name to be used for the event timestamp field.
|
|
#
|
|
#timestamp_field_name = Timestamp
|
|
|
|
# The name to be used for the event serial field.
|
|
#
|
|
#serial_field_name = SerialNumber
|
|
|
|
#records_field_name = records
|
|
#record_type_field_name = RecordTypeCode
|
|
#record_type_name_field_name = RecordType
|
|
#field_suffix = -r
|
|
|
|
# Override the record_type code to record_type name translation provided by libaudit
|
|
# for a specific set of record_type_codes. This can be helpfull in cases where the
|
|
# kernel is generating audit records not yet recognized by libaudit.
|
|
#
|
|
# This property expects a valid JSON object/map. The value starts with '{'
|
|
# and ends with '}' and may span multiple lines.
|
|
#
|
|
# For example:
|
|
# The Ubuntu 14.04 kernel generates PROCTITLE (code 1327) records but libaudit doesn't recognize
|
|
# that code. So, a property value of '{ "1327": "PROCTITLE" }' would ensure
|
|
# that on output, the record_type name would be PROCTITLE instead of UNKNOWN[1327]
|
|
#
|
|
record_type_name_overrides = {
|
|
"1327": "PROCTITLE"
|
|
}
|
|
|
|
# Override field names. When field_emit_mode is RAW or BOTH, this override is applied to
|
|
# the field name of the raw value. When field_emit_mode is BOTH, this override takes precedence
|
|
# if field_name_dedup_suffix_raw_field=true. Instead of appending field_suffix, the override
|
|
# name will be used.
|
|
#
|
|
# This property expects a valid JSON object/map. The value starts with '{'
|
|
# and ends with '}' and may span multiple lines.
|
|
#
|
|
# For example, if one wants to have 'uid' output as 'user_id', one could use a
|
|
# property value of '{ "uid": "user_id" }'
|
|
#
|
|
#field_name_overrides = {}
|
|
|
|
# Override field names. When field_emit_mode is INTERP or BOTH, this override is applied to
|
|
# to the interpreted value. When field_emit_mode is BOTH, this override takes precedence
|
|
# if field_name_dedup_suffix_raw_field=false. Instead of appending field_suffix, the override
|
|
# name will be used.
|
|
#
|
|
# This property expects a valid JSON object/map. The value starts with '{'
|
|
# and ends with '}' and may span multiple lines.
|
|
#
|
|
# For example, if one wants to have interpreted 'uid' output as 'user_name',
|
|
# one could use a property value of '{ "uid": "user_name" }'
|
|
#
|
|
interpreted_field_names = {
|
|
"uid": "user",
|
|
"auid": "audit_user",
|
|
"euid": "effective_user",
|
|
"suid": "set_user",
|
|
"fsuid": "filesystem_user",
|
|
"inode_uid": "inode_user",
|
|
"oauid": "o_audit_user",
|
|
"ouid": "o_user",
|
|
"obj_uid": "obj_user",
|
|
"sauid": "sender_audit_user",
|
|
"gid": "group",
|
|
"egid": "effective_group",
|
|
"fsgid": "filesystem_group",
|
|
"inode_gid": "inode_group",
|
|
"new_gid": "new_group",
|
|
"obj_gid": "obj_group",
|
|
"ogid": "owner_group",
|
|
"sgid": "set_group"
|
|
}
|
|
|
|
# Filter records based on event flags.
|
|
#
|
|
# If the event was flagged based on process_flags and the any of the flag bits
|
|
# are present in this mask, then the event will be filtered.
|
|
#
|
|
#filter_flags_mask = 4
|
|
|
|
# Filter record types. Listed record types will be filtered from output messages.
|
|
#
|
|
# This property expects a valid JSON array. The value starts with '[' and ends with ']'
|
|
# and may span multiple lines.
|
|
#
|
|
filter_record_types = [
|
|
"BPRM_FCAPS",
|
|
"CRED_ACQ",
|
|
"CRED_DISP",
|
|
"CRED_REFR",
|
|
"CRYPTO_KEY_USER",
|
|
"CRYPTO_SESSION",
|
|
"LOGIN",
|
|
"PROCTITLE",
|
|
"USER_ACCT",
|
|
"USER_CMD",
|
|
"USER_END",
|
|
"USER_LOGOUT",
|
|
"USER_START"
|
|
]
|
|
|
|
# Filter field names. Listed fields will be filtered from output messages.
|
|
#
|
|
# This property expects a valid JSON array. The value starts with '[' and ends with ']'
|
|
# and may span multiple lines.
|
|
#
|
|
filter_field_names = [
|
|
"arch_r",
|
|
"ses_r",
|
|
"mode_r"
|
|
]
|
|
|
|
# process filters. Processes that match will filter all or nominated syscalls from output.
|
|
# depth = 0 for does not propagate, positive integer for number of child depth level to propagate to, -1 for infinite.
|
|
# If a process matches a filter, then it ignores any propagated filters from parents.
|
|
# user and group can be name or id.
|
|
# syscalls is list of syscalls by name (x64).
|
|
# exeMatchType can be one of {"MatchEquals", "MatchStartsWith", "MatchContains", "MatchRegex"}.
|
|
# exeMatchValue matches executable filename.
|
|
# cmdlineFilters is a list of combined filters matching on the command line.
|
|
|
|
process_filters = [
|
|
{
|
|
"depth": -1,
|
|
"user": "omsagent",
|
|
"exeMatchType": "MatchEquals",
|
|
"exeMatchValue": "/opt/microsoft/omsagent/ruby/bin/ruby",
|
|
"cmdlineFilters": [
|
|
{
|
|
"matchType": "MatchStartsWith",
|
|
"matchValue": "/opt/microsoft/omsagent/ruby/bin/ruby /opt/microsoft/omsagent/bin/omsagent"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"depth": -1,
|
|
"user": "omsagent",
|
|
"cmdlineFilters": [
|
|
{
|
|
"matchType": "MatchStartsWith",
|
|
"matchValue": "/bin/sh -c \"/opt/omi/bin/OMSConsistencyInvoker"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"depth": -1,
|
|
"user": "root",
|
|
"exeMatchType": "MatchEquals",
|
|
"exeMatchValue": "/opt/omi/bin/omiserver"
|
|
},
|
|
{
|
|
"depth": -1,
|
|
"user": "root",
|
|
"cmdlineFilters": [
|
|
{
|
|
"matchType": "MatchStartsWith",
|
|
"matchValue": "/usr/bin/python"
|
|
},
|
|
{
|
|
"matchType": "MatchContains",
|
|
"matchValue": " -u /usr/sbin/waagent -daemon"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"depth": -1,
|
|
"user": "root",
|
|
"exeMatchType": "MatchEquals",
|
|
"exeMatchValue": "/usr/bin/dpkg",
|
|
"syscalls": ["openat", "connect", "unlink", "fchown"]
|
|
},
|
|
{
|
|
"depth": -1,
|
|
"user": "root",
|
|
"exeMatchType": "MatchEquals",
|
|
"exeMatchValue": "/bin/rpm",
|
|
"syscalls": ["connect", "openat", "unlink", "fchown"]
|
|
},
|
|
{
|
|
"depth": 0,
|
|
"user": "root",
|
|
"cmdlineFilters": [
|
|
{
|
|
"matchType": "MatchStartsWith",
|
|
"matchValue": "/bin/sh -c"
|
|
},
|
|
{
|
|
"matchType": "MatchContains",
|
|
"matchValue": "[ -f /etc/krb5.keytab ]"
|
|
},
|
|
{
|
|
"matchType": "MatchContains",
|
|
"matchValue": "! -f /etc/opt/omi/creds/omi.keytab"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"depth": -1,
|
|
"user": "root",
|
|
"cmdlineFilters": [
|
|
{
|
|
"matchType": "MatchStartsWith",
|
|
"matchValue": "/bin/sh -c \"/usr/sbin/logrotate /etc/logrotate.d/omsagent*"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"depth": 0,
|
|
"exeMatchType": "MatchEquals",
|
|
"exeMatchValue": "/lib/systemd/systemd-resolved",
|
|
"syscalls": ["connect"]
|
|
},
|
|
{
|
|
"depth": 0,
|
|
"exeMatchType": "MatchEquals",
|
|
"exeMatchValue": "/usr/sbin/nscd",
|
|
"syscalls": ["connect"]
|
|
}
|
|
]
|
|
|