Add support for translating numeric/binary values
- SYSCALL: arch, syscall
- everywhere except EXECVE, PROCTITLE: *uid, *gid
  - *uid, *gid fields get special treatment in the parsing stage
    because they occur so frequently.
- SOCKADDR: saddr

A Key variant for translated values that are serialized in UPPERCASE
is added.

The result is mostly comparable to what auditd does when configured with
log_format=ENRICHED.
hillu committed Dec 19, 2021
1 parent 1389897 commit 9a5951c
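An added illustration of the translation this commit describes, not laurel's own code: numeric `arch`, `syscall` and `*uid` fields of a SYSCALL record are resolved and emitted as additional UPPERCASE keys, the way auditd's ENRICHED format does. The syscall, arch and user tables are constructed stand-ins; real ones depend on the architecture and the host's user database.

```rust
// Added example (not from the laurel project): enrich an audit record by
// adding UPPERCASE translated keys next to the numeric originals.
use std::collections::BTreeMap;

// Constructed lookup tables; assumptions standing in for a real syscall
// table and the host's passwd database.
fn arch_name(arch: u64) -> Option<&'static str> {
    match arch {
        0xc000003e => Some("x86_64"),
        0x40000003 => Some("i386"),
        _ => None,
    }
}
fn syscall_name(arch: u64, nr: u64) -> Option<&'static str> {
    match (arch, nr) {
        (0xc000003e, 59) => Some("execve"),
        (0xc000003e, 257) => Some("openat"),
        _ => None,
    }
}
fn user_name(uid: u64) -> Option<&'static str> {
    match uid {
        0 => Some("root"),
        1000 => Some("alice"),
        _ => None, // includes the "unset" auid 4294967295
    }
}

/// Parse `key=value` pairs and add `KEY=name` for every translatable field.
/// Original numeric values are kept; translations live under the uppercase key.
pub fn enrich(record: &str) -> BTreeMap<String, String> {
    let mut fields: BTreeMap<String, String> = record
        .split_whitespace()
        .filter_map(|kv| kv.split_once('='))
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect();
    let mut extra = Vec::new();
    // arch is logged as a bare hex string; syscall numbers are arch-specific
    if let Some(a) = fields.get("arch").and_then(|v| u64::from_str_radix(v, 16).ok()) {
        if let Some(n) = arch_name(a) { extra.push(("ARCH".to_string(), n.to_string())); }
        if let Some(nr) = fields.get("syscall").and_then(|v| v.parse().ok()) {
            if let Some(n) = syscall_name(a, nr) { extra.push(("SYSCALL".to_string(), n.to_string())); }
        }
    }
    for (k, v) in &fields {
        // every *uid key (uid, auid, euid, suid, fsuid, ouid) is resolved the same way
        if k.ends_with("uid") {
            if let Some(name) = v.parse().ok().and_then(user_name) {
                extra.push((k.to_uppercase(), name.to_string()));
            }
        }
    }
    fields.extend(extra);
    fields
}
```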
Showing 6 changed files with 343 additions and 71 deletions.
10 changes: 10 additions & 0 deletions etc/laurel/config.toml
Expand Up @@ -30,6 +30,16 @@ execve-argv = [ "array" ]

# execve-argv = [ "array", "string" ]

[translate]

# Perform translations of numeric values that can also be done by
# auditd if configured with log_format=ENRICHED.

# arch, syscall, sockaddr structures
universal = false
# UID, GID values
user-db = false

[enrich]

# List of environment variables to log for every EXECVE event
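Review bot: the comments above `universal` and `user-db` (`# arch, syscall, sockaddr structures`, `# UID, GID values`) say which fields are covered but not how the translated values show up in the output; since the commit message says they are serialized as UPPERCASE key variants alongside the numeric originals, a line in the `[translate]` comment stating that would let operators judge the effect on downstream parsers before enabling either option. The key name `universal` also gives no hint of its scope, so either a more descriptive name or an expanded comment would help; and because the commit message says the result is only "mostly" comparable to `log_format=ENRICHED`, the `# Perform translations ...` comment could briefly note that it is an approximation rather than an exact match.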
