---
SPDX-FileCopyrightText: "© 2024 Menacit AB <[email protected]>"
SPDX-License-Identifier: CC-BY-SA-4.0
title: "Logging course: Linux auditing"
author: "Joel Rangsmo <[email protected]>"
footer: "© Course authors (CC BY-SA 4.0)"
description: "Introduction to advanced Linux auditing in logging course"
color: "#ffffff"
style: |
  section.center {
    text-align: center;
  }
  table strong {
    color: #d63030;
  }
  table em {
    color: #2ce172;
  }
---
Applications on Linux commonly produce security related log events and store them in text-files or syslog.
Pluggable Authentication Modules (PAM) provide logging of (most) login attempts.
Let's look at some more options for inspection-based auditing on Linux.
- FIM and inotify
- SELinux and AppArmor
- Audit framework
- eBPF and kprobes
File Integrity Monitoring (FIM).
Detects attempts to Create, Read, Update and Delete (CRUD) important files/directories.
Good fit for Linux since "everything is a file"*.
Typically implemented by using a database of file hashes and scheduled checking.
inotify is a feature in the Linux kernel to monitor file access.
Watchers can be registered to notify a user-space application about any CRUD operation.
Provides the ability to monitor reads and get instant notice without expensive scheduled hashing.
```
$ sudo inotifywatch \
    --event access --event modify --event delete \
    --timeout 30 /etc/super_sensitive.conf
Establishing watches...
Finished establishing watches, now collecting statistics.
total  access  modify  filename
7      5       1       /etc/super_sensitive.conf
```
Security Enhanced Linux (SELinux).
Extends the basic access control system consisting of file permissions.
Policies define what a user or program can do on the system.
Both SELinux and AppArmor are examples of Linux Security Modules (LSMs).
"Permissive mode" can be used to only log (and not block) policy violations.
```
AVC avc: denied { name_connect } for pid=1338
comm="nginx" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0
tclass=tcp_socket permissive=0
[...]
AVC avc: denied { read } for name="sdcard" dev="tmpfs" ino=6474
scontext=u:r:untrusted_app_29:s0:c244,c256,c512,c768
tcontext=u:object_r:mnt_sdcard_file:s0
tclass=lnk_file permissive=0 app=com.example.evilapp
[...]
AVC avc: denied { execheap } for pid=3675
comm="chromium-browse"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process permissive=0
```
The audit framework is a feature in the Linux kernel for activity auditing.
Designed primarily to monitor security-related events.
Generated audit records can be consumed by a user-space application for processing/storage.
Only supports one consumer at a time*.
auditd has historically been the main consumer of audit framework events.
Provides "rule configuration" and logging to file/remote hosts.
Monitors system calls, file access and "various interesting things".
Performs basic event correlation, allowing user activity tracing even if tools like sudo are used.
```
type=USER_CMD msg=audit(1700115169.839:611):
pid=8527 uid=1900 auid=1900 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='cwd="/var/www/html/cgi.bin" cmd="whoami" exe="/usr/bin/sudo"
terminal=pts/3 res=success'UID="webapp" AUID="webapp"
[...]
type=NETFILTER_CFG msg=audit(1700164312.524:77):
table=nat:2 family=2 entries=7 op=nft_register_chain pid=1337
subj=system_u:system_r:iptables_t:s0 comm="nft-manager"
[...]
type=ANOM_PROMISCUOUS msg=audit(1700115655.202:694):
dev=wlan0 prom=256 old_prom=0
auid=901 uid=0 gid=0 ses=1AUID="persbrandt" UID="root" GID="root"
```
```
# Delete all existing rules and set a larger kernel backlog buffer
-D
-b 8192
# Failure mode 1: print a kernel message when the backlog is exhausted
-f 1
# Mount/unmount syscalls on both the 32- and 64-bit ABI
-a exit,always -F arch=b32 -S mount -S umount -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
# Execution (x) of privilege escalation and tunneling tools
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /usr/sbin/stunnel -p x -k stunnel
# Writes (w) and attribute changes (a) to weekly cron jobs
-w /etc/cron.weekly/ -p wa -k cron
# Any access to the shadow file (no -p means rwxa)
-w /etc/shadow -k etcpasswd
# Every execve() performed with effective UID 0
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootexec
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootexec
-w /etc/sudoers -p rw -k priv_esc
# Lock the configuration until reboot
-e 2
```
auditbeat and osquery are other audit framework consumers.
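A minimal consumer of your own, as an added example that is not part of the course material: it parses auditd records like the ones shown above (including the enriched `UID="..."` names that follow a 0x1D separator and the nested `msg='...'` payload) and turns the sudo, firewall and promiscuous-mode events into one-line findings. The sample records are constructed for the example and the finding formats are my own choice.

```python
import re
from typing import Dict, List, Optional

# Record header (type, timestamp, serial, body) and key=value pairs, whose value is
# single-quoted (may hold spaces and double quotes), double-quoted or a bare token.
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
PAIR = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Constructed sample records, modelled on the ones shown above (not real log data).
SAMPLE_LOG = [
    "type=USER_CMD msg=audit(1700115169.839:611): pid=8527 uid=1900 auid=1900 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='cwd=\"/var/www/html/cgi.bin\" cmd=\"whoami\" exe=\"/usr/bin/sudo\" "
    "terminal=pts/3 res=success'\x1dUID=\"webapp\" AUID=\"webapp\"",
    "type=NETFILTER_CFG msg=audit(1700164312.524:77): table=nat:2 family=2 entries=7 "
    "op=nft_register_chain pid=1337 subj=system_u:system_r:iptables_t:s0 comm=\"nft-manager\"",
    "type=ANOM_PROMISCUOUS msg=audit(1700115655.202:694): dev=wlan0 prom=256 old_prom=0 "
    "auid=901 uid=0 gid=0 ses=1\x1dAUID=\"persbrandt\" UID=\"root\" GID=\"root\"",
    "type=SYSCALL msg=audit(1700115655.300:695): arch=c000003e syscall=59 success=yes "
    "exit=0 auid=901 uid=0 key=\"rootexec\"",
]

def parse_record(line: str) -> Dict[str, str]:
    """Parse one auditd record into a flat field dict.
    With log_format = ENRICHED, auditd appends resolved names (UID="root", ...) after a
    0x1D separator, treated here as whitespace. The nested msg='...' payload of USER_*
    records is flattened into the same dict; hex-encoded values are left as-is."""
    m = HEADER.match(line.replace("\x1d", " ").strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {"type": m["type"], "timestamp": m["ts"], "serial": m["serial"]}
    for key, raw in PAIR.findall(m["body"]):
        value = raw[1:-1] if raw[0] in "'\"" else raw
        if key == "msg" and raw.startswith("'"):
            fields.update({k: v.strip('"') for k, v in PAIR.findall(value)})
        else:
            fields[key] = value
    return fields

def triage(rec: Dict[str, str]) -> Optional[str]:
    """One-line finding for the record types discussed above, None otherwise."""
    login = rec.get("AUID", rec.get("auid"))  # prefer the resolved login name
    if rec["type"] == "USER_CMD" and rec.get("exe") == "/usr/bin/sudo":
        return f"sudo by {login}: {rec.get('cmd')} in {rec.get('cwd')} ({rec.get('res')})"
    if rec["type"] == "ANOM_PROMISCUOUS" and rec.get("old_prom") == "0" and rec.get("prom") != "0":
        return f"{rec.get('dev')} entered promiscuous mode (auid {login})"
    if rec["type"] == "NETFILTER_CFG":
        return f"firewall table {rec.get('table')} changed by {rec.get('comm')} ({rec.get('op')})"
    return None

def findings(lines: List[str]) -> List[str]:
    return [f for f in (triage(parse_record(l)) for l in lines) if f]
```

Running `findings(SAMPLE_LOG)` yields three findings; the SYSCALL record is parsed but produces none.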
kprobes can be used to dynamically instrument most kernel functions/routines.
eBPF enables developers to create small programs that can be executed in kernel-space when hooked events occur and do (almost) anything!
eBPF is starting to replace the audit framework, LSMs and similar features due to its flexibility.
- Falco
- Cilium
- eCapture
- Sysmon for Linux
Many amazing, such wow!
There are however some downsides, as always...
Auditing all system activity requires a bunch of CPU cycles and storage space.
As with other inspection-based logging, it ain't always easy to understand why something is happening.
We'll play with auditbeat in the next lab.
If you can't wait, I recommend installing and configuring Falco to detect if a Docker container tries to spawn a shell/initiate a network connection.