Auditing commands run by a user

With this PoC, you can create specific rules that alert on commands run by a given user. To do this, you must first configure the Linux Auditing System (auditd) to log execve system calls so that the Wazuh agent can read the resulting records.

Check our documentation to learn more about the Linux auditd system.

Configuration

Configure your environment as follows to test the PoC.

  1. Run the following command to check that the Linux Auditing System is installed and running on your Ubuntu 20 endpoint.

    # systemctl status auditd.service
    
  2. If auditd is not installed, you can install it with the following command:

    # apt-get install -y auditd
    
  3. Check that /var/ossec/etc/ossec.conf in your Ubuntu 20 endpoint is configured for the agent to read the audit.log file.

    <localfile>
      <log_format>audit</log_format>
      <location>/var/log/audit/audit.log</location>
    </localfile>
    
  4. Restart the Wazuh agent to apply the changes.

    # systemctl restart wazuh-agent
    
  5. Get the euid of the user to monitor by running the following command as that user on the Ubuntu 20 endpoint. This value is needed to restrict the audit rules to that user's actions. Monitoring the root user is not recommended for this test, as it can be quite noisy.

    # echo $EUID
    
  6. Create the rules for your user at /etc/audit/rules.d/wazuh.rules. Make sure to replace <your_user_id> with your current euid.

    -a exit,always -F euid=<your_user_id> -F arch=b32 -S execve -k audit-wazuh-c
    -a exit,always -F euid=<your_user_id> -F arch=b64 -S execve -k audit-wazuh-c
    
  7. Optionally, you can delete old rules.

    # auditctl -D
    
  8. Load the rules from the file.

    # auditctl -R /etc/audit/rules.d/wazuh.rules
    

Steps to generate the alerts

  1. Log into the Ubuntu 20 endpoint as the monitored user.

  2. Execute a ping to www.google.com.

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the following filter in the search bar to query the alerts.

  • data.audit.exe: "/usr/bin/ping"
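As an added example (not part of the Wazuh documentation or the agent's own audit decoder), the following Python script parses audit.log records of the kind the rules above produce, groups them by audit event id, and selects the execve events whose euid and key match, which is the same information the dashboard filter on data.audit.exe relies on. The sample records, the euid 1000, the event ids and the timestamps are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's line format (not from a real system).
# Event 4567 is the monitored user running ping; event 4568 is root running ls
# and carries no key, so it does not match the rules from this PoC.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d1b2c3a4b0 a1=55d1b2c3a5c0 a2=55d1b2c3a6d0 a3=8 items=2 ppid=2001 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ping" exe="/usr/bin/ping" key="audit-wazuh-c"
type=EXECVE msg=audit(1700000000.123:4567): argc=2 a0="ping" a1="www.google.com"
type=CWD msg=audit(1700000000.123:4567): cwd="/home/user"
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=8 items=2 ppid=1 pid=2050 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.456:4568): argc=2 a0="ls" a1="/tmp"
"""

# type=<RECORD> msg=audit(<timestamp>:<event id>): <key=value pairs>
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_events(text):
    """Group audit records by event id: {event_id: {record_type: {field: value}}}.
    The SYSCALL, EXECVE and CWD lines of one command share the same event id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        events[m.group("id")][m.group("type")] = fields
    return dict(events)


def execve_commands(text, euid, key="audit-wazuh-c"):
    """Return (event_id, exe, argv) for execve events run by `euid` and tagged with `key`.
    Only events that carry an EXECVE record are considered, mirroring the -S execve rules."""
    hits = []
    for event_id, records in parse_audit_events(text).items():
        syscall, execve = records.get("SYSCALL", {}), records.get("EXECVE")
        if execve is None or syscall.get("euid") != str(euid) or syscall.get("key") != key:
            continue
        argv = [execve.get(f"a{i}", "") for i in range(int(execve.get("argc", 0)))]
        hits.append((event_id, syscall.get("exe"), argv))
    return hits


if __name__ == "__main__":
    for event_id, exe, argv in execve_commands(SAMPLE_AUDIT_LOG, euid=1000):
        print(f"event {event_id}: exe={exe} argv={' '.join(argv)}")
```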