Better security auditing with Auditd and the Integrity Measurement Architecture
Visibility Logs
If IMA and auditd are configured correctly, events from the log can be sent to the SIEM or log management system. A full-featured log management system will make it easier to search and correlate information. It will certainly be a good way to react faster to suspicious events or attacks. Values for the file hash, path, UID, or GID can help to detect possible security issues related to the event.
Graylog is a centralized logging solution that allows the user to aggregate and search through logs. Graylog provides a means for storing logs at a centralized location. (Keeping all the logs in one place helps you identify the issues easily.) You can use Graylog to collect and analyze logs from various sources: operating systems, application servers, hardware, and software firewalls. Graylog also helps you monitor websites, web applications, and other areas of IT infrastructure.
Figure 1 shows an example of the same event that was generated when I launched the script script.sh.
Once everything is configured, you can monitor your system and also hunt for threats. It is worth configuring your rules so that they detect the events that matter most. If you aren't sure which rules are the most useful in detecting threats, it is worth consulting the MITRE ATT&CK framework.
Uncovering an Attack
The MITRE ATT&CK framework [3] is a knowledge base and model for documenting the life cycle and behavior of cyber attacks. The framework documents attacker tactics and techniques based on real-world observations. MITRE also helps to categorize adversary action and recommends specific ways of defending against an attack. The reports can vary in depth and insight – unfortunately, not all techniques are easily mapped.
If you know the details of how an attacker operates, it is much easier to search the audit log for evidence of an attack. MITRE is a good source for that preliminary attack information.
As an example, suppose you want to check whether the Rocke group has infiltrated your system. According to the MITRE website [4]:
Rocke is an alleged Chinese-speaking adversary whose primary objective appears to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency.
The group specializes in attacks on Linux systems.
MITRE ATT&CK gives each technique its own number. The number is used to map the technique to auditd, which makes it possible to distinguish which technique the alert concerns, as follows:
- T1140 Deobfuscate/Decode Files or Information
According to this alert, which appears in the -k (keyname) field of the auditd log entry, the Rocke group has extracted tar.gz files after downloading them from a command and control server. A report at MITRE ATT&CK says that the Rocke group downloads payloads hosted on a legitimate website (Pastebin.com). The group uses the curl or wget utilities to download payloads, which are then executed with a bash shell.
-w /usr/bin/wget -p x -k T1140-Deobfuscate-Decode-Files-or-Information
-w /usr/bin/curl -p x -k T1140-Deobfuscate-Decode-Files-or-Information
In the same step, the group decodes commands from binary into ASCII format using Base64:
-w /usr/bin/base64 -p x -k T1140-Deobfuscate-Decode-Files-or-Information
The Bitcoin miner itself is downloaded using shell scripts, curl, or wget from a location other than Pastebin. First, a config.json file containing the miner configuration data is downloaded, and then the rest of the miner. Next, the group downloads mining executables from its own Git repositories and saves them under the filename java or kworkerds in the /tmp, /var/tmp, or /dev/shm directory. Understanding this kind of behavior lets you write rules to detect it.
- T1053.003 Scheduled Task/Job: Cron
Rocke has installed a cron job that downloads and executes files from the command and control center.
Rocke creates cron jobs that persist on the victim's systems, which lets the attacker execute commands on a schedule without the need to be logged in. Rocke manipulates cron jobs, replacing the cron schedule and placing a malicious script in a folder that will execute hourly, daily, or weekly as part of existing cron jobs (Listing 3).
Listing 3
Tricks with Cron
-w /etc/cron.daily/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.hourly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.monthly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.weekly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /var/spool/cron/crontabs/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
- T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
This alert shows that Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. The group uses the open source tool libprocesshider to hide the process, before executing a file that modifies /etc/ld.so.preload.
-w /etc/ld.so.preload -p wa -k T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking
This information on the Rocke group makes it easy to search the audit log for a Rocke attack (refer to Listing 1). You can use the log to uncover:
- The path of the file that was executed and the path of its parent
- The PID and parent PID (PPID) of the executable
- The hash value of the file
- The UID, GID, and EUID of the process owner
You can then check whether an earlier version of the hash is already in a database; if so, comparing the two versions indicates whether the file has been altered.
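The correlation described above, as an added example that is not part of the original article: it parses auditd SYSCALL, PATH, and IMA INTEGRITY_RULE records, ties them together by event serial and executable path, pulls the ATT&CK technique ID out of the -k key, and compares the IMA hash against a known-good baseline. The log records and the baseline hashes are constructed for illustration; the field layout follows the standard auditd format.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the article): a curl execve caught by the
# T1140 rule plus its IMA measurement, and a write to /etc/ld.so.preload by a shell
# whose IMA hash does not match the baseline.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1655000000.101:201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="T1140-Deobfuscate-Decode-Files-or-Information"
type=PATH msg=audit(1655000000.101:201): item=0 name="/usr/bin/curl" inode=4711 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=INTEGRITY_RULE msg=audit(1655000000.102:202): file="/usr/bin/curl" hash="sha256:1111111111111111111111111111111111111111111111111111111111111111" ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1655000000.250:203): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking"
type=PATH msg=audit(1655000000.250:203): item=0 name="/etc/ld.so.preload" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=INTEGRITY_RULE msg=audit(1655000000.251:204): file="/usr/bin/dash" hash="sha256:2222222222222222222222222222222222222222222222222222222222222222" ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/usr/bin/dash"
"""
# Constructed baseline of known-good hashes; a real deployment loads this from a database.
KNOWN_GOOD = {"/usr/bin/curl": "sha256:" + "1" * 64, "/usr/bin/dash": "sha256:" + "0" * 64}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
EVENT_RE = re.compile(r"audit\([\d.]+:(\d+)\)")      # serial that ties records of one event
TECH_RE = re.compile(r"^T\d{4}(?:\.\d{3})?")         # ATT&CK id at the start of the -k key

def parse_record(line):
    # One audit line -> dict of fields with quotes stripped, plus the event serial.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["event_id"] = EVENT_RE.search(line).group(1)
    return fields

def correlate(log_text):
    # SYSCALL/PATH records share a serial; IMA emits separate events, so index hashes by path.
    events, ima_hashes = defaultdict(list), {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["type"] == "INTEGRITY_RULE":
            ima_hashes[rec["file"]] = rec["hash"]
        else:
            events[rec["event_id"]].append(rec)
    findings = []
    for recs in events.values():
        sc = next((r for r in recs if r["type"] == "SYSCALL" and TECH_RE.match(r.get("key", ""))), None)
        if sc is None:
            continue                                 # not matched by an ATT&CK-keyed rule (key=(null))
        h, baseline = ima_hashes.get(sc["exe"]), KNOWN_GOOD.get(sc["exe"])
        findings.append({
            "technique": TECH_RE.match(sc["key"]).group(0), "exe": sc["exe"],
            **{k: int(sc[k]) for k in ("pid", "ppid", "uid", "gid", "euid")},
            "paths": [r["name"] for r in recs if r["type"] == "PATH"], "hash": h,
            # None: nothing to compare against; False: the measured binary differs from baseline
            "matches_baseline": None if h is None or baseline is None else h == baseline,
        })
    return findings
```

Feeding `correlate()` the output of `ausearch -i` is not possible as written, because `-i` rewrites the field values; use the raw /var/log/audit/audit.log format shown in the sample.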
Conclusion
IMA, together with auditd, can certainly help you protect your systems. Of course, this setup won't cover all security surfaces, but being able to recognize hashes and expose attack techniques can help you detect threats faster. In addition to supporting faster threat recognition, IMA also lets you customize your rules. As you can see from the Rocke group example, you can use the Linux auditing system to discover techniques and tools that might indicate an attack.