This article is devoted to the integration of two well-known and proven open source tools for security monitoring: change audit software for Linux (auditd) and Host IDS OSSEC. The aim of this article is to learn the limitations and use the advantages of both of these tools so that by acting in tandem they can detect suspicious behavior at the level of system calls (syscalls).
After reading part I, you will know how to:
- run a Linux audit
- write audit rules for system calls and files/directories
- log on to the remote server all commands related to running programs on Linux
- use the search and event analysis tools: ausearch and aureport
In Part II, we will focus on the advanced configuration of OSSEC (writing set-top boxes, writing rules and the Active Response module) and using information from auditd by this HIDS system.
Using comparisons with military tactics, auditd+OSSEC will carry out the tasks of a sniper pair with us, where the auditor will be an auditor and the fire task will be carried out by OSSEC using the Active Response module. So we start training and hunting for intruders.
Why monitor system calls?
System calls (syscalls) are requests directed to the kernel of the operating system that result in the execution of privileged procedures. The basic syscall systems are:
- open() – reading data
- write() – data entry
- open() – opening the file
- fork() – create a new process
- exec() – running the program
- and many more
As we can see, monitoring system calls related to running new programs, and reading and saving files can provide defenders with information about intruders’ actions in attacked systems; e.g., using a 0-day vulnerability. Despite the fact that the burglary took place, we as a defender are not yet in a lost position, provided that we have implemented an appropriate monitoring system and procedures that will allow us to detect and stop the ongoing attack. The attacker after the successful break-in will most often try to increase their powers, recognize the attacked system from the inside, steal data, and run malicious software. Such activities in most cases leave traces, and the essence of the actions of security teams is to pick up these traces and take the lead.
To monitor the above-mentioned activities, I will propose an auditd; i.e., software that at the Linux kernel level is able to perform system audits including system calls.
Observer: auditd
The auditd installation can be done using the package manager:
Debian,Ubuntu
|
1 |
#apt-get install auditd audispd-plugins |
Fedora, CentOS, RHEL (usually auditd should be installed)
|
1 |
#yum install audit |
The auditd package contains a number of binaries that are used to manage the auditd daemon and search and analyze the recorded events:
- auditctl: a tool for the current configuration of the auditd daemon, checking the status and running rules
- audispd: daemon is the multiplication of logged events to other log aggregation programs
- aureport: a tool for quick reports generated on the basis of a log (auditd.log)
- ausearch: tool to search events from the log (auditd.log)
- autrace: a tool for analyzing the interaction of programs with the kernel
- aulast: tool with the last command functionality but using log auditd.log
- aulastlog: tool with the functionality of the lastlog command but using log auditd.log
- ausyscall: mapping the system call ID to the name
- auvirt: auditing information on virtual machines
Launching an audit at every system startup (Fedora, CentOS, RHEL):
|
1 |
#chkconfig auditd on |
We introduce the observer to the game:
|
1 |
#service auditd start |
and we check the status of the service:
|
1 2 |
#auditctl -s AUDIT_STATUS: enabled=1 flag=1 pid=10134 rate_limit=0 backlog_limit=320 lost=23 backlog=0 |
AAt the beginning, the auditd does not contain any rules, which can be checked each time by using the -l switch:
|
1 2 |
#auditctl -l No rules |
It’s time to put tasks to our observer; that is, we write rules. The rules can be added to the audit.rules file (most often in the /etc/audit location) or using the auditctl tool with the -k switch.
Below I have placed a few rules that will allow, among other things, to monitor all commands executed in the operating system and set a trap for intruders who would not only like to modify system files but “only” read them. We can also be more granular and enable or disable monitoring rules for users with specific UID, programs, files, directories, and System call ID.
| -a always,exit -F arch=b32 -S execve -k execv | logging of program start calls (32-bit architecture) |
| -a always,exit -F arch=b64 -S execve -k execv | logging of program start calls (64-bit architecture), it is recommended to use both rules |
| -w /etc/passwd -p war -k watch_passwd | logging of reading (r), writing (in), attribute changes (a) of file /etc/passwd |
| -w /etc/shadow -p war -k watch_shadow | logging of reading (r), writing (in), attribute changes (a) of file /etc/shadow |
| -a never,exit -F path=/bin/grep | disable certain instances from logging in (note: the rule must be placed at the top of the file) |
| a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -k delete | logging of selective calls related to the deletion of files by users whose UID is greater than 500 |
| -w /etc -p wa -k watch_etc | llogging of write and attribute changes in the /etc directory |
Examples of interesting, detailed rules for auditd can be found on the github site:
- alienone user rules
- auditd rules to comply with PCI-DSS (Payment Card Industry Data Security Standard) requirements
- auditd rules to comply with NISPOM-DSS (National Industrial Security Program)
- auditd rules for compliance with the requirements of the LSPP-DSS (Labeled Security Protection Profile Data Security Standard)
- auditd rules to comply with the NIST and DISA STIG requirements for RedHat
In this article, we will focus on a full review of the situation, because we do not want any suspicious behavior to escape us. Therefore, we will use the first two rules to keep track of what is happening in the monitored system:
|
1 2 3 4 5 |
auditctl -l LIST_RULES: exit,always arch=1073741827 (0x40000003) key=execve syscall=execve LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=execve syscall=execve LIST_RULES: exit,always watch=/etc/passwd perm=rwa key=watch_passwd LIST_RULES: exit,always watch=/etc/shadow perm=rwa key=watch_shadow |
In this way, we have configured a comprehensive observer who will follow all activity in the system and will additionally be focused on any access to critical files (here the flagship duo—passwd and shadow). It seems that auditd is an ideal tool and will not miss it, and although in most cases this is true, we must be aware of its limitations. For example, running this tool in a system previously infected with a well-prepared rootkit operating at the kernel level of the system may cause malicious activity to be hidden in whole or in part. An example of an attack on software that intercepts system calls can be found in the article Exploiting Concurrency Vulnerabilities in System Call Wrappers. At the beginning, the auditd may also overwhelm the enormity of information that it registers in its log, and the overload of information may sometimes be worse than its absence. Everything is a matter of subjugating auditd and its proper use.
However, before we move on to the integration of HIDS OSSEC, several examples of using auditd solo, which will help reduce the revulsion of the single-event multi-line audit logs.
Auditd example 1: search auditd.log
The event analyzed is a hacking to the server using an unprivileged user account. The intruder tried to copy the shadow file, so he had to be noticed by auditd:
|
1 |
$ cp /etc/shadow /tmp/shadow |
The log contains the following entry regarding this event, which the auditd assigned to the number 182858:
|
1 2 3 4 5 6 |
---- time->Wed Jul 8 23:41:06 2015 type=UNKNOWN[1327] msg=audit(1436391666.853:182858): proctitle=6370002F6574632F736861646F77002F746D702F736861646F77 type=PATH msg=audit(1436391666.853:182858): item=0 name="/etc/shadow" inode=3017833 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL type=CWD msg=audit(1436391666.853:182858): cwd="/home/bartek" type=SYSCALL msg=audit(1436391666.853:182858): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9d4e293a a1=0 a2=0 a3=0 items=1 ppid=26215 pid=26768 auid=1005 uid=1005 gid=1003 euid=1005 suid=1005 fsuid=1005 egid=1003 sgid=1003 fsgid=1003 tty=pts4 ses=284 comm="cp" exe="/bin/cp" key="watch_shadow" |
The PATH line describes the file descriptor to which the event applies.
The CWD (current working directory) line indicates which location the command was issued from.
The SYSCALL line describes the details of the system call:
- system call number (syscall = 2 – open())
- the result of the operation completed in this case failure (success=noexit=-13)
- process number and process number of the parent (ppid=26215 pid=26768)
- terminal number (tty=pts4)
- system command and bin location (comm=”cp” exe=”/bin/cp”)
- information about the user (auid=1005 uid=1005 gid=1003 euid= 1005 suid=1005 fsuid=1005 egid=1003 sgid=1003 fsgid=1003)
Execution of the same command but with elevated privileges using the sudo functionality:
|
1 |
#sudo cp /etc/shadow /tmp/shadow |
gives the following result in the audt.log log:
|
1 2 3 4 |
type=UNKNOWN[1327] msg=audit(1436396977.941:190894): proctitle=7375646F006370002F6574632F736861646F77002F746D702F736861646F77 type=PATH msg=audit(1436396977.941:190894): item=0 name="/etc/shadow" inode=3018009 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL type=CWD msg=audit(1436396977.941:190894): cwd="/home/bartek" type=SYSCALL msg=audit(1436396977.941:190894): arch=c000003e syscall=2 success=yes exit=6 a0=7faea7815bdc a1=80000 a2=1b6 a3=0 items=1 ppid=474 pid=2566 auid=1005 uid=1005 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003 tty=pts4 ses=298 comm="sudo" exe="/usr/bin/sudo" key="watch_shadow" |
It is worth noting that this time the reading of the file was successful (success=yes), and the operation was carried out with elevated privileges as indicated by the euid field (effective uid), which now has the value 0 (the root UID). The comm field contains information about the sudo program, but we have no information about the arguments of this command. To this end, we will use that the auditd monitors all running commands along with the arguments by using a rule called execve and we will look up all the events related to the sudo command and the execve monitoring rule:
|
1 |
ausearch -x sudo -k execve |
Resulting in such an event:
|
1 2 3 4 5 6 7 |
type=UNKNOWN[1327] msg=audit(1436396973.213:190881): proctitle=7375646F006370002F6574632F736861646F77002F746D702F736861646F77 type=PATH msg=audit(1436396973.213:190881): item=1 name=(null) inode=13895173 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1436396973.213:190881): item=0 name="/usr/bin/sudo" inode=14027293 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=CWD msg=audit(1436396973.213:190881): cwd="/home/bartek" type=EXECVE msg=audit(1436396973.213:190881): argc=4 a0="sudo" a1="cp" a2="/etc/shadow" a3="/tmp/shadow" type=BPRM_FCAPS msg=audit(1436396973.213:190881): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000003fffffffff new_pi=0000000000000000 new_pe=0000003fffffffff type=SYSCALL msg=audit(1436396973.213:190881): arch=c000003e syscall=59 success=yes exit=0 a0=ebb928 a1=b98588 a2=cf3008 a3=8 items=2 ppid=474 pid=2566 auid=1005 uid=1005 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 |
The EXECVE line containing all the arguments of the command is of particular interest. Thus, we can see that by properly formatting the EXECVE line from the audit.log log, we can receive current information about which commands and programs are run in the monitored system (Example No. 5).
Auditd Example 2: Analysis of the Source of Malware
After detecting suspicious activity on the host, auditd is able to help us determine the source of the malware. For this purpose, we use the ppid (parent process id) field and check how the file copy command was run.
|
1 2 3 4 5 6 7 |
#ausearch -p 474 type=UNKNOWN[1327] msg=audit(1436352887.672:155389): proctitle=7368002D63006E657473746174202D74616E207C67726570204C495354454E207C67726570202D76203132372E302E302E31207C20736F7274 type=PATH msg=audit(1436352887.672:155389): item=1 name=(null) inode=13895173 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1436352887.672:155389): item=0 name="/bin/sh" inode=4194326 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=CWD msg=audit(1436352887.672:155389): cwd="/" type=EXECVE msg=audit(1436352887.672:155389): argc=3 a0="sh" a1="-c" a2=6E657473746174202D74616E207C67726570204C495354454E207C67726570202D76203132372E302E302E31207C20736F7274 type=SYSCALL msg=audit(1436352887.672:155389): arch=c000003e syscall=59 success=yes exit=0 a0=7fb99ca62c23 a1=7fff2d71ea20 a2=7fff2d7243d8 a3=7fb99d0a29d0 items=2 ppid=2748 pid=474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="execve" |
The SYSCALL line contains information that the parent process is a dash system shell, otherwise it could be a script or binaries. However, in each of these cases we can determine where the source of suspicious behavior is to ultimately verify whether the source is malware, hacking or authorized administrators. Often you have to check several offspring processes to finally reach the infected library.
If we analyze the following processes step by step, we come to a situation where their source is, e.g., some of the system binaries. For example less, the auditd package contains an autrace tool, which has functionality similar to strace. Using autrace, we can analyze the references to files and libraries used by a given binaries, which can also bring us closer to the source of malware.
|
1 2 3 4 5 6 |
# autrace /usr/bin/less Waiting to execute: /usr/bin/less Missing filename ("less --help" for help) Cleaning up... Error deleting rule (No such process) Trace complete. You can locate the records with 'ausearch -i -p 8312' |
We get a hint to use the ausearch -i -p 8312 command. In this example with the malware search, I suggest to use some:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# ausearch -r -p 8312 |aureport --file --summary File Summary Report =========================== total file =========================== 3 /etc/ld.so.nohwcap 2 /lib/terminfo/x/xterm 1 /usr/bin/.sysless 1 /etc/sysless 1 /root/.less ... 1 /usr/share/terminfo 1 /root/.terminfo 1 /lib/x86_64-linux-gnu/libc.so.6 1 /lib/x86_64-linux-gnu/libtinfo.so.5 |
Note: the autrace command precedes clearing the rules using auditctl -D.
Auditd example 3: advanced search (ausearch) and report creation (aureport)
Here are some useful switches to search the audit.log log:
|
1 |
ausearch -ts today -x rm |
searches for an event from the current day related to deleting files using the rm command. Other interesting time periods that we can specify using the -ts to now, recent switch (last 10 minutes), today, yesterday, this-week, this-month, this -year.
|
1 |
ausearch -ts recent -ui 1001 |
Searches for user activity with UID 1001.
|
1 |
ausearch -i |
The -i switch converts numerical values to names such as UID’s for user names.
|
1 |
ausearch -k watch_passwd |
The -k switch allows you to search for events for which we have prepared rules in the audit.rules file.
In the ausearch manual, we will find further examples of switches that we can use to query the auditd about what we observed.
In addition to precise responses in the form of extracting information from the log using ausearch, the auditd package also contains aureport binary, which is used to create reports and summarize system audits in a wider time-contact.
Using aureport we can generate a report about all subsequent launches of executable programs between 12.00 and 13.00:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# aureport -ts 12:00:00 -te 13:00:00 -i -x Executable Report ==================================== # date time exe term host auid event ==================================== ... 4783. 09.07.2015 12:59:59 /bin/grep (none) ? unset 246363 4784. 09.07.2015 12:59:59 /bin/netstat (none) ? unset 246364 4785. 09.07.2015 12:59:59 /usr/bin/sort (none) ? unset 246365 4786. 09.07.2015 12:59:59 /bin/grep (none) ? unset 246366 4787. 09.07.2015 12:59:59 /bin/dash (none) ? unset 246362 |
Here is a report on all programs performed on the current day with a summary of the number of calls to these programs:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# aureport -ts today -i -x --summary Executable Summary Report ================================= total file ================================= 36053 /bin/dash 33650 /usr/bin/sort 26699 /bin/grep 13339 /bin/netstat 1617 /usr/bin/dpkg 1346 /usr/lib/policykit-1/polkitd 1033 /bin/ps 451 /usr/sbin/cron 367 /usr/bin/last 367 /bin/df 317 /var/ossec/bin/ossec-syscheckd ... |
Report on failed logins using the -au switch :
|
1 2 3 4 5 6 |
#aureport -au Authentication Report ============================================ # date time acct host term exe success event ============================================ |
The summary about account modifications can be obtained using the -m switch:
|
1 2 3 4 5 6 |
aureport -m Account Modifications Report ================================================= # date time auid addr term exe acct success event ================================================= |
A useful option is also to generate an anomaly report using the -n switch.
Interestingly, both ausearch and aureport commands can be connected together:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# ausearch -ts yesterday -f /etc/shadow |aureport -x --summary Executable Summary Report ================================= total file ================================= 171 /var/ossec/bin/ossec-syscheckd 113 /usr/sbin/cron 45 /usr/lib/gnome-screensaver/gnome-screensaver-dialog 19 /bin/su 6 /usr/sbin/usermod 6 /bin/cp 6 /bin/ls 5 /usr/bin/passwd 4 /usr/bin/sudo 2 /usr/bin/cmp 1 /usr/lib/accountsservice/accounts-daemon |
With the help of the above command, we have summarized all the programs that got access to the /etc/shadow file on a given day, and the disturbing copy command (/bin/cp) of this file was executed six times.
Auditd example 4: central login
A good practice of monitoring is to use a central log-in, and although it seems obvious, the realities leave much to be desired. Auditd contains the audispd plugin, which makes the configuration of sending the audit log to the remote login system quite simple. In this example, we’ll start with the rsyslog server configuration:
/etc/rsyslog.conf file on server:
|
1 2 3 4 5 6 7 |
# provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 2514 $AllowedSender TCP,127.0.0.1,192.168.56.102 $template HostAudit,"/var/log/rsyslog/%HOSTNAME%/audit.log" $template auditFormat,"%msg%\n" local6.* ?HostAudit;auditFormat |
The syslog server will listen on port 2514 TCP, and log audit.log will be placed in /var/log/rsyslog/%HOSTNAME% with the auditd format, which means that you can use tools such as ausearch or aureport by specifying the file location using the -if switch, e.g.
|
1 |
# ausearch -f /etc/passwd -if /var/log/rsyslog/ubuntu/audit.log |
file /etc/rsyslog.conf at the client:
|
1 2 3 4 5 6 7 8 9 |
$ModLoad imfile # provides kernel logging support # umieścić na dole pliku $InputFileName /var/log/audit/audit.log $InputFileTag tag_audit_log: $InputFileStateFile audit_log $InputFileSeverity info $InputFileFacility local6 $InputRunFileMonitor local6.* @@192.168.56.1:2514 |
When configuring syslog, you need to be particularly careful in the configuration files for separating selectors and actions using tabs rather than spaces:
In the configuration of the audispd plugin at the client in the file /etc/audisp/plugins.d/syslog.conf enable the option to send events to the syslog:
|
1 2 3 4 5 6 |
active = yes direction = out path = builtin_syslog type = builtin args = LOG_INFO format = string |
Client-server communication containing such sensitive data as the system audit log must be encrypted, and on the official rsyslog.com site you can find the TLS configuration tutorial for rsyslog.
Auditd example 5: view all commands in real time (script in Python formatting audit.log)
Although the first examples should make log audit.log no longer cause a headache, and tools such as ausearch and aureport improve the search and analysis of it, but it is worth having your own tools that allow you to extract the essence from the log, in our case – all commands that run real-time executable programs. For this purpose, you can use a short script in Python, which will format log audit.log for our needs.
tailAuditLog.py
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
from sh import tail import re def callback(m): try: m = m.group(0) m=m[1:] return '='+m.decode('hex') except : return '='+m # runs forever for line in tail("-f", "/var/log/audit/audit.log", _iter=True): if "type=EXECVE" not in line: continue _,msg = line.strip().split('msg=') aid,exe = msg.split(": ",1) time,id = aid.split(":",1) id = re.sub(r'\)', '',id) exe = exe.split(" ",1)[1] exe = re.sub(r'=[0-9A-F]{5,}',callback,exe) exe = re.sub(r'a[0-9]=', '',exe) exe = re.sub(r'"', '',exe) print(id+" "+exe) |
The logging of all commands at the level of system calls is best checked by opening two terminal windows in parallel:
- In the first run the script with the command: python /root/tailAuditLog.py
- In the second window, we issue any shell commands, run programs, etc.
The result of the script operation are the next registered EXECVE system calls, where the event ID was placed in the first column, which can be used for detailed analysis of auditd package tools.
If we configured the central login described in the example number 4, the script is best run on the server by changing the location of the auditd.log file in the script.
Summary
In the first part of the article we got to know the first player – auditd, whose task is to observe system calls that take place in the monitored system. It is worth getting to know this audit tool due to the wide range of logging options for events related to both system calls and file descriptors. What’s more, the flexibility of building rules allows to meet the requirements set by many standards regulating the details of the audit (NIST, PCI_DSS, etc.). I hope that the examples of using ausearch and aureport tools have made it easier to get used to the large amount of information provided by auditd. Auditd sees a lot and registers a lot, but does not contain an alerting module and does not block unwanted activity.
In the second part of the article I will present the necessary OSSEC HIDS configuration for cooperation with auditd. In other words, the topic will concern writing your own decoders, writing OSSEC rules and using the Active Response module, thanks to which OSSEC is not just an intrusion detection system, but also for precise blocking of intruders. Through the use of these tools, we increase our arsenal, which means that we are not vulnerable. What’s more, it is also time to switch from the seemingly obvious “waiting for the incident” to the strategy of going against the opponent. The strategy change consists in an offensive attitude towards defence. By thinking like a burglar, we can anticipate their movements and set their own ambushes there. Auditd is certainly a tool with which we can implement it, because it radically increases our picture of the situation.