Syscall Auditing in Unix


By Prabhat Pokharel, KB Lead Architect at LogPoint, December 09, 2016.

The default logging on Linux is useful for many aspects of security. Going one step deeper allows more granular security monitoring with deeper insight. In this blog we introduce how to use auditd to achieve much deeper security analytics.

We will go through auditing of file access in a Unix environment using syscalls (system calls). Communication between software and the Linux kernel is handled through syscalls.

Here we use the auditd tool for system call monitoring, following these steps:

1. Installation and rule definition

Install the auditd package as the root user. In this case nothing changed, as the package was already installed.

[Screenshot: syscall installation and rule definition]

Add a rule that checks for any read or modification of a particular file or directory (-w sets a watch on the path; -p rwxa covers read, write, execute and attribute-change access).

sudo auditctl -w /home/super-user/ -p rwxa

sudo auditctl -w /home/super-user/D1M4.pdf -p rwxa

2. Log forwarding

Once the rule is added, forward the logs from the Unix box to the LogPoint appliance.

You can configure the syslog service to do that. In this case we have used the netcat command.

tail -f /var/log/audit/audit.log | nc 192.168.2.189 6161

3. Parser and signature creation

Create a parser that can combine multiple audit records into one log message. Here we have defined two patterns: the first pattern is applied to the syscall audit records, while the second is for the user details that we will configure later on.

[Screenshot: syscall create parser]

Create a generic signature that can normalize the syscall audit logs.

[Screenshot: syscall edit signature]

4. Issuing access commands

Here we copy a PDF file from /home/super-user/Documents to /home/super-user/Dropbox.

[Screenshot: syscall issuing access commands]

You can see the generated events on the LogPoint search interface.

[Screenshot: syscall logpoint search interface]

Now, the problem is that we do not have the exact user info associated with the event. However, we do have the user id (uid), which can be looked up against the user list.

5. Uid enrichment

You can extract the user name and uid information from /etc/passwd, format it and send it to the LogPoint system. Alternatively, you can insert it into a table and schedule the table to be fetched, or send it as a regular syslog message.

getent passwd | awk -F: ' { print "log=UID_INFO " "user="$1,"uid="$3"\n" }' | nc 192.168.2.189 6161

[Screenshot: syscall uid info]

Perform a join against the user information to identify the user who has accessed the document.

[norm_id=Syscall comm=cp] as s1 join [norm_id=Syscall log=UID_INFO] as s2 on s1.uid=s2.uid | rename s2.user as user, s1.name as file, s1.cwd as working_dir, s1.comm as command | chart count() by user, command, file, working_dir 

[Screenshot: syscall uid info join]

[norm_id=Syscall comm=cp dropbox ] as s1 join [norm_id=Syscall log=UID_INFO] as s2 on s1.uid=s2.uid | rename s2.user as user, s1.name as file, s1.cwd as working_dir, s1.comm as command | chart count() by user, command, file, working_dir 

[Screenshot: syscall uid info join 2]

Note: LogPoint performs a one-to-one join, so enriching a given number of log rows requires the same number of enriching rows.
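The step-3 grouping and the step-5 uid join, as an added stand-alone example in Python (not LogPoint's parser and not code from the original post): it groups raw audit.log records by their msg=audit(time:serial) id into one event and resolves uid and auid against passwd-format data. The sample records and passwd lines are constructed; the field names are the standard ones auditd writes.

```python
import re
# Constructed sample: one auditd event (serial 4711) as four records, the form the step-1 rules write to audit.log.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1481270400.123:4711): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=2210 pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" key=(null)
type=CWD msg=audit(1481270400.123:4711):  cwd="/home/super-user/Documents"
type=PATH msg=audit(1481270400.123:4711): item=0 name="/home/super-user/D1M4.pdf" inode=1234 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1481270400.123:4711): proctitle=637000
"""
# Constructed sample of `getent passwd` output (step 5).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsuper-user:x:1000:1000::/home/super-user:/bin/bash\n"
HDR_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # quoted (name="...") or bare (key=(null)) values

def group_events(audit_text):
    """Join the SYSCALL/CWD/PATH records that share a serial into one event (step 3)."""
    events = {}
    for line in audit_text.splitlines():
        m = HDR_RE.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, ts, serial, rest = m.groups()
        f = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev = events.setdefault(serial, {"time": ts, "paths": []})
        if rtype == "SYSCALL":
            # uid is the effective caller; auid is the login uid, which survives su/sudo
            ev.update({k: f.get(k) for k in ("uid", "auid", "comm", "exe", "syscall", "success")})
        elif rtype == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(f.get("name"))
    return list(events.values())

def load_uid_map(passwd_text):
    """uid -> user name from passwd-format lines (field 3 is the uid)."""
    rows = (l.split(":") for l in passwd_text.splitlines() if l.strip())
    return {r[2]: r[0] for r in rows if len(r) >= 3}

def audit_report(audit_text, passwd_text):
    """Grouped events with uid and auid resolved to names (the step-5 join)."""
    uid_map = load_uid_map(passwd_text)
    events = group_events(audit_text)
    for ev in events:
        ev["user"] = uid_map.get(ev.get("uid"), "unknown")
        ev["login_user"] = uid_map.get(ev.get("auid"), "unknown")
    return events
```

In the sample the copy was run as root via a privilege switch, so uid resolves to root while auid still names the account that logged in; auid is the field to join on when that distinction matters.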


We have covered how to enable and analyse auditd data feeds from your Linux environment.

How are you managing security monitoring on Linux? 


More Information

Find out more about our LogPoint SIEM solution and download your FREE Trial Version here. You can also sign up for our upcoming webinars. Read more about it here.

You are always welcome to get in touch, if you have any questions! Find your local LogPoint office.

Why LogPoint?

With LogPoint, you will discover a full enterprise SIEM solution. 

LogPoint is EAL 3+ certified and the solution is tailored to solve the specific security management challenges of your business - whether the goal is compliance, forensics or operational insight.

And the best part? We have the most predictable licensing model in the industry.