3

I am using Debian with Logwatch installed. I receive some strange log records on a regular basis. I have searched multiple times for the actual meaning of the following entries, but I still have no idea what they mean:

--------------------- Kernel Audit Begin ------------------------ 

**Unmatched Entries** (Only first 100 out of 142 are printed)

audit: type=1702 audit(1501125815.715:26): op=linkat ppid=24321 pid=24322 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4404 comm="sshd" exe="/usr/sbin/sshd" res=0

audit: type=1302 audit(1501125815.715:27): item=0 name=2F4C502F5573696E672F5A4849204855412F566572696669636174696F6E204E6F7465732F5A484920485541202D2056204E6F74657320283230313730373235292E646F6378 inode=121766761 dev=00:27 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL

audit: type=1702 audit(1501125815.763:28): op=linkat ppid=24321 pid=24322 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4404 comm="sshd" exe="/usr/sbin/sshd" res=0

audit: type=1302 audit(1501125815.763:29): item=0 name=2F4C502F5573696E672F5A4849204855412F566572696669636174696F6E204E6F7465732F5A484920485541202D2056204E6F74657320283230313730373235292E646F6378 inode=121766761 dev=00:27 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL

audit: type=1702 audit(1501130582.080:30): op=linkat ppid=25621 pid=25622 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4521 comm="sshd" exe="/usr/sbin/sshd" res=0

audit: type=1702 audit(1500282812.404:2): op=linkat ppid=16258 pid=16259 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1203 comm="sshd" exe="/usr/sbin/sshd" res=0

audit: type=1302 audit(1500282812.404:3): item=0 name="/storage/D/MyDocs/Database.sqlite" inode=117178444 dev=00:27 mode=0100644 ouid=1004 ogid=1005 rdev=00:00 nametype=NORMAL

...

---------------------- Kernel Audit End ------------------------- 

I want to ask:

  1. What do they actually mean?
  2. How can I check the definition of "type" (such as type=1702 and type=1302)?

Thanks!~

HBruijn
  • I found one tutorial for Red Hat Linux: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html Although it is not identical to Debian, it is fairly helpful I think. –  Aug 16 '17 at 09:38

2 Answers

2

This is part of the Linux audit framework. See here: https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h For example, 1702 and 1302 mean:

1702 /* Suspicious use of file links */
1302 /* Filename path information */

For the Unmatched Entries you need to look at your specific settings in logwatch.conf and audit.conf.

For example, let's look at what this one means.

audit: type=1702 audit(1501125815.715:26): op=linkat ppid=24321 pid=24322 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4404 comm="sshd" exe="/usr/sbin/sshd" res=0

This is "Suspicious use of file links" for user id 1004, so you need to check which user that is. It is referring to the "linkat" operation, which is a Linux system function, and this was invoked by sshd. The audit flagged this as suspicious (note that it didn't deny or block). So something in your system is running the syscall linkat (which basically creates a new file name, but I am not that familiar with this call).

Tux_DEV_NULL
  • Thanks a lot! But how should I analyze them? Take the first entry as an example: audit: type=1702 audit(1501125815.715:26): op=linkat ppid=24321 pid=24322 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4404 comm="sshd" exe="/usr/sbin/sshd" res=0 What file is linked to which location? –  Aug 16 '17 at 01:31
  • I edited my original answer with some more details. – Tux_DEV_NULL Aug 16 '17 at 07:41
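As an added example (not part of either answer, and not code from the Linux or logwatch projects), the Python below parses the records quoted in the question, maps the numeric type to the constant name from audit.h, hex-decodes the name= field (auditd writes any string value that contains spaces, quotes or control characters as unquoted uppercase hex, which is why the first PATH record looks like gibberish), and pairs each ANOM_LINK record with the PATH record the kernel writes immediately after it with the next serial number and the same timestamp. The kernel emits ANOM_LINK from audit_log_link_denied() when fs.protected_hardlinks refuses a hard link, so res=0 is the only value that record ever carries; the PATH record names the file that could not be linked, and its ouid= is that file's owner. The type table and the list of hex-encoded fields are assumptions limited to the values named here; the sample input is the question's own log lines, not constructed data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Numeric record types from include/uapi/linux/audit.h (the header linked in
# the answer). Assumption: only the handful a reader of this thread is likely
# to meet are listed; anything else is reported as UNKNOWN(n).
AUDIT_TYPES: Dict[int, str] = {
    1300: "SYSCALL",
    1302: "PATH",
    1307: "CWD",
    1700: "ANOM_PROMISCUOUS",
    1701: "ANOM_ABEND",
    1702: "ANOM_LINK",
}

# String fields that auditd hex-encodes when they contain unsafe characters.
# Assumption: this subset is enough for ANOM_LINK/PATH records; numeric fields
# such as auid=1004 must never be hex-decoded, hence the per-field check.
HEX_FIELDS = {"name", "comm", "exe", "cwd", "proctitle", "dir", "path"}

HEADER_RE = re.compile(r"^(?:audit: )?type=(\d+) audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# The records quoted in the question (real input, not constructed), plus two
# logwatch header lines to show that non-audit lines are skipped.
SAMPLE = """--------------------- Kernel Audit Begin ------------------------
**Unmatched Entries** (Only first 100 out of 142 are printed)
audit: type=1702 audit(1501125815.715:26): op=linkat ppid=24321 pid=24322 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4404 comm="sshd" exe="/usr/sbin/sshd" res=0
audit: type=1302 audit(1501125815.715:27): item=0 name=2F4C502F5573696E672F5A4849204855412F566572696669636174696F6E204E6F7465732F5A484920485541202D2056204E6F74657320283230313730373235292E646F6378 inode=121766761 dev=00:27 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
audit: type=1702 audit(1501125815.763:28): op=linkat ppid=24321 pid=24322 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4404 comm="sshd" exe="/usr/sbin/sshd" res=0
audit: type=1302 audit(1501125815.763:29): item=0 name=2F4C502F5573696E672F5A4849204855412F566572696669636174696F6E204E6F7465732F5A484920485541202D2056204E6F74657320283230313730373235292E646F6378 inode=121766761 dev=00:27 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
audit: type=1702 audit(1501130582.080:30): op=linkat ppid=25621 pid=25622 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4521 comm="sshd" exe="/usr/sbin/sshd" res=0
audit: type=1702 audit(1500282812.404:2): op=linkat ppid=16258 pid=16259 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1203 comm="sshd" exe="/usr/sbin/sshd" res=0
audit: type=1302 audit(1500282812.404:3): item=0 name="/storage/D/MyDocs/Database.sqlite" inode=117178444 dev=00:27 mode=0100644 ouid=1004 ogid=1005 rdev=00:00 nametype=NORMAL
"""


def decode_value(key: str, raw: str) -> str:
    """Strip surrounding quotes, or hex-decode a string field auditd encoded."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line: str) -> Optional[dict]:
    """Turn one audit line into a dict of fields; None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {
        "type": int(rtype),
        "type_name": AUDIT_TYPES.get(int(rtype), f"UNKNOWN({rtype})"),
        "timestamp": float(ts),
        "serial": int(serial),
    }
    for key, raw in FIELD_RE.findall(body):
        rec[key] = decode_value(key, raw)
    return rec


def pair_link_denials(records: List[dict]) -> List[Tuple[dict, Optional[dict]]]:
    """Attach each ANOM_LINK record to the PATH record that directly follows it
    (next serial, same timestamp). The PATH record may be absent, e.g. when
    logwatch truncated the list, so the pair then carries None."""
    pairs: List[Tuple[dict, Optional[dict]]] = []
    for i, rec in enumerate(records):
        if rec["type"] != 1702:
            continue
        nxt = records[i + 1] if i + 1 < len(records) else None
        if (nxt and nxt["type"] == 1302 and nxt["serial"] == rec["serial"] + 1
                and nxt["timestamp"] == rec["timestamp"]):
            pairs.append((rec, nxt))
        else:
            pairs.append((rec, None))
    return pairs


def describe(anom: dict, path: Optional[dict]) -> str:
    """One line per denial: who tried to link what, through which process."""
    who = f"auid={anom.get('auid')} uid={anom.get('uid')} ses={anom.get('ses')}"
    via = f"{anom.get('comm')} pid={anom.get('pid')} exe={anom.get('exe')}"
    head = f"{anom['type_name']} op={anom.get('op')} by {who} via {via}"
    if path is None:
        return f"{head} -> (PATH record not in input)"
    # protected_hardlinks refuses a link to a file the caller neither owns nor
    # may write, so uid != ouid is the usual reason the kernel said no.
    flag = " [owner mismatch]" if path.get("ouid") != anom.get("uid") else ""
    return f"{head} -> {path.get('name')} (owner uid {path.get('ouid')}){flag}"


def analyse(text: str) -> List[str]:
    """Parse a logwatch/auditd excerpt and summarise every link denial."""
    records = [r for r in (parse_record(line) for line in text.splitlines()) if r]
    return [describe(a, p) for a, p in pair_link_denials(records)]


if __name__ == "__main__":
    for line in analyse(SAMPLE):
        print(line)
```

On a host running auditd, `ausearch -m ANOM_LINK -i` prints the same records with the hex fields decoded and the uids resolved to names, and `sysctl fs.protected_hardlinks` shows whether the setting that produces them is enabled.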
0

Type these commands one by one in the terminal:

ausearch -x sudo -ua 1001
ausearch -x sudo -ua 1004

And paste the result on a pastebin website and provide the URL. This will help to perform error analysis.

It will search processes with uid 1001 and 1004.

Sysadmin