Overview #
Auditd is the auditing utility native to Linux systems. It records actions and changes on a Linux endpoint.
In this use case, Auditd is configured on an Ubuntu endpoint to record all commands executed by a given user. This includes commands run by that user through sudo or after switching to the root user. A custom Argus rule is then configured to alert on suspicious commands.
System Setup #
Infrastructure #
Endpoint:
Ubuntu 22.04 – Auditd is configured to monitor the execution of malicious commands.
Configuration #
Ubuntu Endpoint #
Follow these steps to install Auditd and create the necessary audit rules to track all commands executed by a privileged user:
1. Install and Enable Auditd:
sudo apt -y install auditd
sudo systemctl start auditd
sudo systemctl enable auditd
2. Append Audit Rules:
As the root user, execute the following commands to append the audit rules to the /etc/audit/audit.rules file. Both rules audit execve calls (one for the 32-bit and one for the 64-bit syscall ABI) for the user whose login UID (auid) is 1000 and tag the records with the key audit-wazuh-c; adjust the auid value if the monitored user has a different UID:
echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b32 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules
echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b64 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules
3. Reload and Verify Rules:
Reload the rules and confirm that they are in place:
sudo auditctl -R /etc/audit/audit.rules
sudo auditctl -l
Output:
-a always,exit -F arch=b32 -S execve -F auid=1000 -F egid!=994 -F auid!=-1 -F key=audit-wazuh-c
-a always,exit -F arch=b64 -S execve -F auid=1000 -F egid!=994 -F auid!=-1 -F key=audit-wazuh-c
4. Configure the Argus Agent:
Add the following configuration to the Argus agent’s /var/ossec/etc/ossec.conf file to enable it to read Auditd logs:
<localfile>
<log_format>audit</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
5. Restart the Argus Agent:
sudo systemctl restart wazuh-agent
Argus Server #
Perform these steps to create a CDB list of malicious programs and define rules to detect their execution:
1. Inspect the Lookup File:
Review the key-value pairs in the /var/ossec/etc/lists/audit-keys lookup file:
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
Note: Argus maintains CDB lists as flat files that are compiled into a binary format for high-performance lookups. For example, /var/ossec/etc/lists/audit-keys corresponds to the compiled file /var/ossec/etc/lists/audit-keys.cdb used in rule lookups.
2. Create a Suspicious Programs List:
Create the /var/ossec/etc/lists/suspicious-programs file and populate it with the following content:
ncat:yellow
nc:red
tcpdump:orange
3. Add the List to the Configuration:
Add the list to the <ruleset> section of the Argus server’s /var/ossec/etc/ossec.conf file:
<list>etc/lists/suspicious-programs</list>
4. Define a High-Severity Rule:
Create a high-severity rule in the /var/ossec/etc/rules/local_rules.xml file to trigger when a “red” program is executed:
<group name="audit">
<rule id="100210" level="12">
<if_sid>80792</if_sid>
<list field="audit.command" lookup="match_key_value" check_value="red">etc/lists/suspicious-programs</list>
<description>Audit: Highly Suspicious Command executed: $(audit.exe)</description>
<group>audit_command,</group>
</rule>
</group>
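To make the rule's logic concrete, here is an added Python emulation (not code from the page or from Argus) of what rule 100210 does with the two lists above: it decodes the fields of a SYSCALL record, maps the record's key through audit-keys to "command" (the parent rule's condition), and looks up comm, which the audit decoder exposes as audit.command, in suspicious-programs with check_value red. The audit.log lines are constructed samples; rule id, level and description are the ones from the rule above.

```python
import re

# Constructed sample input (not a real capture): SYSCALL records as auditd writes
# them to /var/log/audit/audit.log for the execve rule configured on this page.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 euid=0 egid=0 pid=4101 ppid=4000 comm="nc" exe="/usr/bin/nc.openbsd" key="audit-wazuh-c"
type=SYSCALL msg=audit(1700000001.202:502): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 euid=1000 egid=1000 pid=4102 ppid=4000 comm="ls" exe="/usr/bin/ls" key="audit-wazuh-c"
type=SYSCALL msg=audit(1700000002.303:503): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 euid=0 egid=0 pid=4103 ppid=4000 comm="tcpdump" exe="/usr/bin/tcpdump" key="audit-wazuh-c"
"""
# The two flat CDB lists from the page, before compilation to .cdb.
AUDIT_KEYS = "audit-wazuh-w:write\naudit-wazuh-r:read\naudit-wazuh-a:attribute\naudit-wazuh-x:execute\naudit-wazuh-c:command\n"
SUSPICIOUS_PROGRAMS = "ncat:yellow\nnc:red\ntcpdump:orange\n"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_cdb_list(text):
    """Flat CDB list ('key:value' per line) -> dict; lines without ':' are skipped."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def decode_syscall(line):
    """Split one SYSCALL record into its fields (quotes stripped); None for other record types."""
    if not line.startswith("type=SYSCALL "):
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def evaluate(line, audit_keys, suspicious):
    """Emulate rule 100210: alert at level 12 only when the record's audit key
    maps to 'command' (the parent rule's condition) and comm, which the audit
    decoder exposes as audit.command, is a 'red' entry of suspicious-programs."""
    rec = decode_syscall(line)
    if rec is None or audit_keys.get(rec.get("key")) != "command":
        return None
    if suspicious.get(rec.get("comm")) != "red":   # match_key_value with check_value=red
        return None
    return {"rule_id": 100210, "level": 12, "auid": rec.get("auid"), "pid": rec.get("pid"),
            "description": f"Audit: Highly Suspicious Command executed: {rec.get('exe')}"}

def run(log_text, audit_keys_text=AUDIT_KEYS, suspicious_text=SUSPICIOUS_PROGRAMS):
    """Return the alerts the rule would raise for every line of log_text."""
    audit_keys, suspicious = parse_cdb_list(audit_keys_text), parse_cdb_list(suspicious_text)
    return [a for a in (evaluate(l, audit_keys, suspicious) for l in log_text.splitlines()) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE_AUDIT_LOG):
        print(alert)   # only the nc record fires; ls (unlisted) and tcpdump (orange) stay silent
```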
5. Restart the Argus Manager:
sudo systemctl restart wazuh-manager
Attack Emulation #
On the Ubuntu endpoint, simulate an attack by installing and running a “red” program (e.g., Netcat):
sudo apt -y install netcat
nc -v
Allow the process to run long enough to ensure it is captured by Auditd (around 30 seconds).
Visualizing Alerts #
View the alerts in the Argus dashboard by performing the following steps:
1. Navigate to the Threat Hunting module.
2. Use the search bar to query alerts using the following filter:
data.audit.command:nc
This displays the alerts generated by the execution of the unauthorized Netcat program.
By following this guide, you can use Argus together with Auditd to monitor the execution of malicious commands and strengthen the security of your endpoint.