Better security auditing with Auditd and the Integrity Measurement Architecture
Visibility Logs
If IMA and auditd are configured correctly, events from the log can be sent to the SIEM or log management system. A full-featured log management system will make it easier to search and correlate information. It will certainly be a good way to react faster to suspicious events or attacks. Values for the file hash, path, UID, or GID can help to detect possible security issues related to the event.
Graylog is a centralized logging solution that allows the user to aggregate and search through logs. Graylog provides a means for storing logs at a centralized location. (Keeping all the logs in one place helps you identify the issues easily.) You can use Graylog to collect and analyze logs from various sources: operating systems, application servers, hardware, and software firewalls. Graylog also helps you monitor websites, web applications, and other areas of IT infrastructure.
Figure 1 shows an example of the same event that was generated when I launched the script script.sh.
Once everything is configured, you can monitor your system and also hunt for threats. It is worth configuring your rules in such a way that they detect the events that matter most. If you aren't sure which rules are the most useful in detecting threats, it could be worth reaching for the MITRE ATT&CK Framework.
Uncovering an Attack
The MITRE ATT&CK framework [3] is a knowledge base and model for documenting the life cycle and behavior of cyber attacks. The framework documents attacker tactics and techniques based on real-world observations. MITRE also helps to categorize adversary action and recommends specific ways of defending against an attack. The reports can vary in depth and insight – unfortunately, not all techniques are easily mapped.
If you know the details of how an attacker operates, it is much easier to search the audit log for evidence of an attack. MITRE is a good source for that preliminary attack information.
As an example, suppose you wanted to check whether the Rocke group had infiltrated your system. According to the MITRE website [4]:
Rocke is an alleged Chinese-speaking adversary whose primary objective appears to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency.
The group specializes in attacks on Linux systems.
MITRE ATT&CK gives each technique its own number. The number is used to map the technique to auditd, which makes it possible to distinguish which technique the alert concerns, as follows:
- T1140 Deobfuscate/Decode Files or Information
According to this alert, which appears in the -k (keyname) field of the auditd log entry, Rocke group has extracted tar.gz files after downloading them from a command and control server. A report at MITRE ATT&CK says that Rocke group downloads payloads hosted on a legitimate website (Pastebin.com). The group uses the curl or wget utilities to download payloads to execute with a bash shell.
-w /usr/bin/wget -p x -k T1140-Deobfuscate-Decode-Files-or-Information
-w /usr/bin/curl -p x -k T1140-Deobfuscate-Decode-Files-or-Information
In the same step, the group decodes commands from binary into ASCII format using Base64:
-w /usr/bin/base64 -p x -k T1140-Deobfuscate-Decode-Files-or-Information
The Bitcoin miner itself is downloaded using shell scripts, curl, or wget from a location other than Pastebin. First, a config.json file containing the miner configuration data is downloaded, and then the rest of the miner. Next the group downloads mining executables from its own Git repositories and saves them under the filename java or kworkerds in the /tmp, /var/tmp, or /dev/shm directory. Understanding this kind of behavior lets you make rules to detect it.
- T1053.003 Scheduled Task/Job: Cron
Rocke has installed a cron job that downloads and executes files from the command and control center.
Rocke creates cron jobs that persist on the victim's systems, which lets the attacker execute commands on a schedule without the need to be logged in. Rocke manipulates cron jobs, replacing the cron schedule and placing a malicious script in a folder that will execute hourly, daily, or weekly as part of existing cron jobs (Listing 3).
Listing 3
Tricks with Cron
-w /etc/cron.daily/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.hourly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.monthly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.weekly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /var/spool/cron/crontabs/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
- T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
This alert shows that Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. The group uses the open source tool libprocesshider to hide the process, before executing a file that modifies /etc/ld.so.preload.
-w /etc/ld.so.preload -p wa -k T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking
This information on the Rocke group makes it easy to search the audit log for a Rocke attack (refer to Listing 1). You can use the log to uncover:
- The path of the file that was executed and the path of its parent
- The PID and parent PID (PPID) of the executable
- The hash value of the file
- The UID, GID, and EUID of the process owner
You can then check whether an earlier version of the hash is already in a database; if so, comparing the versions could indicate whether the file has been altered.
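The correlation described above, as an added example that is not part of the original article: it parses auditd SYSCALL records carrying a technique-numbered key together with IMA INTEGRITY_RULE records, pulls out the executable, PID/PPID, UID/GID/EUID and file hash, and compares the hash against a baseline. The log lines and baseline hashes are constructed samples; the field layout follows the auditd and IMA record formats but every value is made up.

```python
import re

# Constructed sample log lines (not from the article); field layout follows
# auditd SYSCALL and IMA INTEGRITY_RULE records, all values are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1678888888.123:456): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 comm="wget" exe="/usr/bin/wget" key="T1140-Deobfuscate-Decode-Files-or-Information"
type=INTEGRITY_RULE msg=audit(1678888888.124:457): file="/usr/bin/wget" hash="sha256:0000aaaa" ppid=2100 pid=2101 uid=1000 gid=1000 euid=1000 comm="wget" exe="/usr/bin/wget"
type=SYSCALL msg=audit(1678888900.500:470): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2101 pid=2150 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking"
"""

# Constructed baseline of known-good hashes; in practice this is your hash database.
BASELINE = {"/usr/bin/wget": "sha256:0000aaaa"}

# key=value tokens; values may be double-quoted (exe="/usr/bin/wget") or bare.
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Turn one audit line into a dict; quoted values are unquoted."""
    rec = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    m = re.search(r'msg=audit\((\d+\.\d+):(\d+)\)', line)
    if m:
        rec["time"], rec["serial"] = m.group(1), m.group(2)
    return rec

def find_technique_hits(log_text, baseline):
    """Return SYSCALL events whose -k key is an ATT&CK technique id, enriched
    with the IMA hash measured for the same pid and executable."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    hashes = {}  # (pid, file) -> hash reported by IMA
    for r in records:
        if r.get("type") == "INTEGRITY_RULE":
            hashes[(r.get("pid"), r.get("file"))] = r.get("hash")
    hits = []
    for r in records:
        key = r.get("key", "")
        if r.get("type") != "SYSCALL" or not re.match(r"T\d{4}", key):
            continue
        h = hashes.get((r["pid"], r["exe"]))     # IMA file= matched to exe=
        expected = baseline.get(r["exe"])
        hits.append({
            "technique": key.split("-")[0],        # e.g. T1140 or T1574.006
            "exe": r["exe"], "pid": r["pid"], "ppid": r["ppid"],
            "uid": r["uid"], "gid": r["gid"], "euid": r["euid"],
            "hash": h,
            "hash_status": "unknown" if h is None or expected is None
                           else ("match" if h == expected else "MISMATCH"),
        })
    return hits
```

A MISMATCH means the binary that triggered a technique rule no longer hashes to the value recorded in the baseline, which is exactly the altered-file case the comparison is meant to surface; "unknown" means IMA did not measure that file or the baseline has no entry for it.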
Conclusion
IMA, together with auditd, can certainly help you protect your systems. Of course, this setup won't cover all security surfaces, but being able to recognize hashes and expose attack techniques can help you detect threats faster. In addition to supporting faster threat recognition, IMA also lets you customize your rules. As you can see from the Rocke group example, you can use the Linux auditing system to discover techniques and tools that might indicate an attack.