Auditing who-data in Linux

How it works

The who-data monitoring functionality uses the Linux Audit subsystem to get the information about who made the changes in a monitored directory. These changes produce audit events that are processed by syscheck and reported to the manager.

Configuration

First, check whether the Audit daemon (auditd) is installed on the system.

On RedHat-based systems, auditd is usually installed by default. If it is not, install it with the following command:

# yum install audit

For Debian based systems, use the following:

# apt install auditd

The next step is to configure syscheck in the ossec.conf file to enable who-data monitoring for the selected directory:

<syscheck>
  <directories check_all="yes" whodata="yes">/etc</directories>
</syscheck>

Once this configuration is added, we need to restart Wazuh to apply the changes.

To verify that the Audit rule for the selected directory has been applied, run the following command:

# auditctl -l | grep wazuh_fim

and check that the rule appears in the command output:

# auditctl -w /etc -p wa -k wazuh_fim

When the agent is stopped, the same command can be used to confirm that the rule was removed.

Alert fields

The following fields are received in FIM alerts when who-data is enabled:

(Audit) User

Contains the ID and name of the user who started the process that modified the monitored file.

audit.user.id

audit.user.name

(Audit) Login user

Contains the Audit user ID and name, which correspond respectively to the login UID and login name. This ID is assigned to a user at login and is inherited by every process the session starts, even when the user's identity changes later.

audit.login_user.id

audit.login_user.name

(Audit) Effective user

Contains the effective ID and name of the user who started the process that modified the monitored file.

audit.effective_user.id

audit.effective_user.name

(Audit) Group

Contains the group ID and group name of the user who started the process that modified the monitored file.

audit.group.id

audit.group.name

(Audit) Process id

(Audit) Process name

Contains the ID and name of the process used to modify the monitored file.

audit.process.id

audit.process.name

audit.process.ppid

Contains the parent process ID of the process used to modify the monitored file.

Alert examples

In the following example, the user smith added a new IP address to the file /etc/hosts.allow using the nano editor with sudo privileges. Note how the login user remains smith (1000) while the process user and effective user are root (0):

Alert in log format:

** Alert 1531224328.2834462: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,
2018 Jul 10 14:05:28 (vpc-agent-debian) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts.allow'
Size changed from '421' to '433'
Old md5sum was: '4b8ee210c257bc59f2b1d4fa0cbbc3da'
New md5sum is : 'acb2289fba96e77cee0a2c3889b49643'
Old sha1sum was: 'd3452e66d5cfd3bcb5fc79fbcf583e8dec736cfd'
New sha1sum is : 'b87a0e558ca67073573861b26e3265fa0ab35d20'
Old sha256sum was: '6504e867b41a6d1b87e225cfafaef3779a3ee9558b2aeae6baa610ec884e2a81'
New sha256sum is : 'bfa1c0ec3ebfaac71378cb62101135577521eb200c64d6ee8650efe75160978c'
(Audit) User: 'root (0)'
(Audit) Login user: 'smith (1000)'
(Audit) Effective user: 'root (0)'
(Audit) Group: 'root (0)'
(Audit) Process id: '82845'
(Audit) Process name: '/bin/nano'
What changed:
10a11,12
> 10.0.12.34
Attributes:
 - Size: 433
 - Permissions: 100644
 - Date: Tue Jul 10 14:05:28 2018
 - Inode: 268234
 - User: root (0)
 - Group: root (0)
 - MD5: acb2289fba96e77cee0a2c3889b49643
 - SHA1: b87a0e558ca67073573861b26e3265fa0ab35d20
 - SHA256: bfa1c0ec3ebfaac71378cb62101135577521eb200c64d6ee8650efe75160978c

Alert in JSON format:

{
  "timestamp":"2018-07-10T14:05:28.452-0800",
  "rule":{
      "level":7,
      "description":"Integrity checksum changed.",
      "id":"550",
      "firedtimes":10,
      "mail":false,
      "groups":[
          "ossec",
          "syscheck"
      ],
      "pci_dss":[
          "11.5"
      ],
      "gpg13":[
          "4.11"
      ],
      "gdpr":[
          "II_5.1.f"
      ]
  },
  "agent":{
      "id":"058",
      "ip": "10.0.0.121",
      "name":"vpc-agent-debian"
  },
  "manager":{
      "name":"vpc-wazuh-manager"
  },
  "id":"1531224328.283446",
  "syscheck":{
      "path":"/etc/hosts.allow",
      "size_before":"421",
      "size_after":"433",
      "perm_after":"100644",
      "uid_after":"0",
      "gid_after":"0",
      "md5_before":"4b8ee210c257bc59f2b1d4fa0cbbc3da",
      "md5_after":"acb2289fba96e77cee0a2c3889b49643",
      "sha1_before":"d3452e66d5cfd3bcb5fc79fbcf583e8dec736cfd",
      "sha1_after":"b87a0e558ca67073573861b26e3265fa0ab35d20",
      "sha256_before":"6504e867b41a6d1b87e225cfafaef3779a3ee9558b2aeae6baa610ec884e2a81",
      "sha256_after":"bfa1c0ec3ebfaac71378cb62101135577521eb200c64d6ee8650efe75160978c",
      "uname_after":"root",
      "gname_after":"root",
      "mtime_before":"2018-07-10T14:04:25",
      "mtime_after":"2018-07-10T14:05:28",
      "inode_after":268234,
      "diff":"10a11,12\n> 10.0.12.34\n",
      "event":"modified",
      "audit":{
          "user":{
              "id":"0",
              "name":"root"
          },
          "group":{
              "id":"0",
              "name":"root"
          },
          "process":{
              "id":"82845",
              "name":"/bin/nano",
              "ppid":"3195"
          },
          "login_user":{
              "id":"1000",
              "name":"smith"
          },
          "effective_user":{
              "id":"0",
              "name":"root"
          }
      }
  },
  "decoder":{
      "name":"syscheck_integrity_changed"
  },
  "location":"syscheck"
}
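As an added example (not part of the original documentation or of Wazuh itself), the following Python helper pulls the who-data fields out of a JSON alert like the one above and flags changes made under an identity different from the login user, which is exactly the sudo case shown. The sample alert is constructed from the page's values and trimmed to the fields the helper uses.

```python
import json

# Constructed sample: the page's JSON alert trimmed to the fields used here.
SAMPLE_ALERT = json.dumps({
    "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
    "agent": {"id": "058", "name": "vpc-agent-debian"},
    "syscheck": {
        "path": "/etc/hosts.allow", "event": "modified",
        "audit": {
            "user": {"id": "0", "name": "root"},
            "process": {"id": "82845", "name": "/bin/nano", "ppid": "3195"},
            "login_user": {"id": "1000", "name": "smith"},
            "effective_user": {"id": "0", "name": "root"},
        },
    },
})


def summarize_whodata(alert_json: str) -> dict:
    """Flatten the who-data fields of a FIM alert and derive two flags.

    has_whodata: False if syscheck.audit is absent (who-data off or auditd not
    running), so such alerts can be routed separately.
    privilege_change: True when the login UID differs from the process UID or
    EUID. loginuid survives sudo/su, so a mismatch means the logged-in user
    changed identity before modifying the file.
    """
    alert = json.loads(alert_json)
    sc = alert.get("syscheck", {})
    audit = sc.get("audit")
    summary = {
        "agent": alert.get("agent", {}).get("name"),
        "path": sc.get("path"),
        "event": sc.get("event"),
        "has_whodata": audit is not None,
        "privilege_change": False,
    }
    if audit is None:
        return summary
    # Render each identity block as 'name (id)', like the log-format alert.
    for key in ("login_user", "user", "effective_user"):
        entry = audit.get(key, {})
        summary[key] = f"{entry.get('name')} ({entry.get('id')})"
    proc = audit.get("process", {})
    summary["process"] = f"{proc.get('name')} (pid {proc.get('id')}, ppid {proc.get('ppid')})"
    # Any UID the process ran with that differs from the UID the session logged in as.
    acting_ids = {audit.get(k, {}).get("id") for k in ("user", "effective_user")}
    summary["privilege_change"] = acting_ids != {audit.get("login_user", {}).get("id")}
    return summary
```

Calling summarize_whodata(SAMPLE_ALERT) on the page's alert yields privilege_change True, because login_user is smith (1000) while user and effective_user are root (0).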