Better security auditing with Auditd and the Integrity Measurement Architecture
Visibility Logs
If IMA and auditd are configured correctly, events from the log can be sent to the SIEM or log management system. A full-featured log management system will make it easier to search and correlate information. It will certainly be a good way to react faster to suspicious events or attacks. Values for the file hash, path, UID, or GID can help to detect possible security issues related to the event.
Graylog is a centralized logging solution that allows the user to aggregate and search through logs. Graylog provides a means for storing logs at a centralized location. (Keeping all the logs in one place helps you identify the issues easily.) You can use Graylog to collect and analyze logs from various sources: operating systems, application servers, hardware, and software firewalls. Graylog also helps you monitor websites, web applications, and other areas of IT infrastructure.
Figure 1 shows an example of the same event that was generated when I launched the script script.sh.
Once everything is configured, you can monitor your system and also hunt for threats. It is worth configuring your rules in such a way that they detect the events that matter most. If you aren't sure which rules are the most useful in detecting threats, it could be worth reaching for the MITRE ATT&CK Framework.
Uncovering an Attack
The MITRE ATT&CK framework [3] is a knowledge base and model for documenting the life cycle and behavior of cyber attacks. The framework documents attacker tactics and techniques based on real-world observations. MITRE also helps to categorize adversary action and recommends specific ways of defending against an attack. The reports can vary in depth and insight – unfortunately, not all techniques are easily mapped.
If you know the details of how an attacker operates, it is much easier to search the audit log for evidence of an attack. MITRE is a good source for that preliminary attack information.
As an example, suppose you wanted to check whether the Rocke group had infiltrated your system. According to the MITRE website [4]:
Rocke is an alleged Chinese-speaking adversary whose primary objective appears to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency.
The group specializes in attacks on Linux systems.
MITRE ATT&CK gives each technique its own number. The number is used to map the technique to auditd, which makes it possible to distinguish which technique the alert concerns, as follows:
- T1140 Deobfuscate/Decode Files or Information
According to this alert, which appears in the -k (keyname) field of the auditd log entry, the Rocke group has extracted tar.gz files after downloading them from a command and control server. A report at MITRE ATT&CK says that the Rocke group downloads payloads hosted on a legitimate website (Pastebin.com). The group uses the curl or wget utilities to download payloads to execute with a bash shell.
-w /usr/bin/wget -p x -k T1140-Deobfuscate-Decode-Files-or-Information
-w /usr/bin/curl -p x -k T1140-Deobfuscate-Decode-Files-or-Information
In the same step, the group decodes commands from binary into ASCII format using Base64:
-w /usr/bin/base64 -p x -k T1140-Deobfuscate-Decode-Files-or-Information
The Bitcoin miner itself is downloaded using shell scripts, curl, or wget from a location other than Pastebin. First, a config.json file containing the miner configuration data is downloaded, and then the rest of the miner. Next, the group downloads mining executables from its own Git repositories and saves them under the filename java or kworkerds in the /tmp, /var/tmp, or /dev/shm directory. Understanding this kind of behavior lets you make rules to detect it.
- T1053.003 Scheduled Task/Job: Cron
Rocke has installed a cron job that downloads and executes files from the command and control center.
Rocke creates cron jobs that persist on the victim's systems, which lets the attacker execute commands on a schedule without the need to be logged in. Rocke manipulates cron jobs, replacing the cron schedule and placing a malicious script in a folder that will execute hourly, daily, or weekly as part of existing cron jobs (Listing 3).
Listing 3
Tricks with Cron
# Key names must not contain spaces, or auditctl will reject the rule
-w /etc/cron.daily/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.hourly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.monthly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.weekly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /var/spool/cron/crontabs/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
- T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
This alert shows that Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. The group uses the open source tool libprocesshider to hide the process, before executing a file that modifies /etc/ld.so.preload.
-w /etc/ld.so.preload -p wa -k T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking
This information on the Rocke group makes it easy to search the audit log for a Rocke attack (refer to Listing 1). You can use the log to uncover:
- The path of the file that was executed and the path of its parent
- The PID and parent PID (PPID) of the executable
- The hash value of the file
- The UID, GID, and EUID of the process owner
You can then check whether an earlier version of the hash is already in a database; if so, comparing the versions indicates whether the file has been altered.
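To turn those fields into something you can search and compare, here is an added Python example (not code from the article) that parses constructed auditd SYSCALL and IMA INTEGRITY_RULE records, joins them by PID, and checks the IMA hash against a constructed baseline; the exact record layout, the sample values, and the hash database are assumptions.

```python
import re
# Constructed placeholder digests and a constructed baseline of known-good
# hashes (a stand-in for the hash database the article mentions).
GOOD_HASH = "sha256:" + "11" * 32
UNKNOWN_HASH = "sha256:" + "22" * 32
KNOWN_HASHES = {"/usr/bin/curl": GOOD_HASH}

# Constructed sample records (not real log data): a SYSCALL record from the
# "-w /usr/bin/curl -p x -k T1140-..." watch rule plus the IMA INTEGRITY_RULE
# record for the same pid, then the same pair for an unknown binary in /tmp.
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1712000000.101:5001): arch=c000003e syscall=59 success=yes exit=0 ppid=1337 pid=1338 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="T1140-Deobfuscate-Decode-Files-or-Information"
type=INTEGRITY_RULE msg=audit(1712000000.102:5002): file="/usr/bin/curl" hash="{GOOD_HASH}" ppid=1337 pid=1338 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" res=1
type=SYSCALL msg=audit(1712000000.200:5003): arch=c000003e syscall=59 success=yes exit=0 ppid=1338 pid=1400 auid=1000 uid=1000 gid=1000 euid=0 comm="kworkerds" exe="/tmp/kworkerds" key="T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking"
type=INTEGRITY_RULE msg=audit(1712000000.201:5004): file="/tmp/kworkerds" hash="{UNKNOWN_HASH}" ppid=1338 pid=1400 auid=1000 uid=1000 gid=1000 euid=0 comm="kworkerds" exe="/tmp/kworkerds" res=1
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of fields (quotes stripped)."""
    header, _, body = line.partition("): ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    fields["type"] = header.split("=", 1)[1].split()[0]
    return fields

def correlate(log_text):
    """Join keyed SYSCALL records with the IMA hash record of the same pid."""
    syscalls, ima = {}, {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["type"] == "SYSCALL" and "key" in rec:
            syscalls[rec["pid"]] = rec
        elif rec["type"] == "INTEGRITY_RULE":
            ima[rec["pid"]] = rec
    findings = []
    for pid, sc in syscalls.items():
        seen = ima.get(pid, {}).get("hash")
        known = KNOWN_HASHES.get(sc["exe"])
        # no baseline entry and a changed digest both deserve a closer look
        status = "unknown" if known is None else ("match" if known == seen else "MISMATCH")
        findings.append({"technique": sc["key"], "exe": sc["exe"], "pid": pid,
                         "ppid": sc["ppid"], "uid": sc["uid"], "gid": sc["gid"],
                         "euid": sc["euid"], "hash": seen, "hash_status": status})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```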
Conclusion
IMA, together with auditd, can certainly help you protect your systems. Of course, this setup won't cover all security surfaces, but being able to recognize hashes and expose attack techniques can help you detect threats faster. In addition to supporting faster threat recognition, IMA also lets you customize your rules. As you can see from the Rocke group example, you can use the Linux auditing system to discover techniques and tools that might indicate an attack.