Monitoring root activities - problem with custom decoder and rules.


Dominik

Jul 7, 2016, 9:19:12 AM7/7/16
to ossec-list
Hi there,
I've been using ossec for about half a year now and I'm very happy about
it. Thanks for this great tool.

I have a linux client on which I need to monitor all activities
performed as root. My thought is to watch /root/.bash_history and create
alerts on changes in the file.

So I created a configuration to watch this file in the client's ossec.conf:

  <localfile>
    <log_format>syslog</log_format>
    <location>/root/.bash_history</location>
  </localfile>

This works well and creates entries in the log archives of the ossec-server, e.g.:
2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top

I also want to generate alerts. If I understand correctly, the next steps will be to create a decoder and a rule. I tried with the following decoder in
etc/decoder_local.xml

  <decoder name="bash_history">
    <program_name>.bash_history</program_name>
  </decoder>

and a rule in
rules/local_rules.xml

  <rule id="105412" level="8">
    <decoded_as>bash_history</decoded_as>
    <description>Command run as root extracted from bash_history</description>
  </rule>

This does not create alerts. Thus I used ossec-logtest to see if things go alright:

bin/ossec-logtest -v
2016/07/07 14:40:56 ossec-testrule: INFO: Reading local decoder file.
2016/07/07 14:40:56 ossec-testrule: INFO: Started (pid: 4092).
ossec-testrule: Type one log per line.

2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top

**Phase 1: Completed pre-decoding.
       full event: '2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: '2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'

**Phase 2: Completed decoding.
       No decoder matched.

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
<and so on...>

Obviously, the decoder I'm using is not working. Also, pre-decoding does not extract information from this log entry. How do I advance to get alerts from the root activities extracted from bash_history? According to the log archive, OSSEC knows the origin of the message (/root/.bash_history). Is this available to the decoder or to a rule? I'm also not sure this is the best approach to observe activities of the root user. Hints are welcome.

Greetings
Dominik

robertsc...@gmail.com

Jul 7, 2016, 9:25:21 AM7/7/16
to ossec-list
Hi Dominik, not sure if it was a typo up there or not, but the local decoder file should be /var/ossec/etc/local_decoder.xml.  Also, watch the permissions and ownership!
Cheers,
Rob

Dominik

Jul 7, 2016, 9:30:01 AM7/7/16
to ossec-list
Hi Rob,
yes, this was a typo.

ls -l /var/ossec/etc/local_decoder.xml
-rw-r--r-- 1 root root 223 Jul  7 14:26 /var/ossec/etc/local_decoder.xml


Permissions should be OK - OSSEC complains about missing decoders if the file is absent
Dominik

Jose Luis Ruiz

Jul 7, 2016, 9:38:23 AM7/7/16
to Dominik, ossec...@googlegroups.com

Hi Dominik

Maybe the best way is to log everything with auditd.

Add these 2 lines to /etc/audit/audit.rules:

-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve

You will have logs like the following in audit.log:

type=SYSCALL msg=audit(1467905123.502:361): arch=c000003e syscall=59 success=yes exit=0 a0=2567ff0 a1=2567f70 a2=2571bf0 a3=7ffcbac478f0 items=2 ppid=1513 pid=1526 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

If you run ossec-logtest:

type=SYSCALL msg=audit(1467905123.502:361): arch=c000003e syscall=59 success=yes exit=0 a0=2567ff0 a1=2567f70 a2=2571bf0 a3=7ffcbac478f0 items=2 ppid=1513 pid=1526 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


**Phase 1: Completed pre-decoding.
       full event: 'type=SYSCALL msg=audit(1467905123.502:361): arch=c000003e syscall=59 success=yes exit=0 a0=2567ff0 a1=2567f70 a2=2571bf0 a3=7ffcbac478f0 items=2 ppid=1513 pid=1526 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)'
       hostname: 'centos67'
       program_name: '(null)'
       log: 'type=SYSCALL msg=audit(1467905123.502:361): arch=c000003e syscall=59 success=yes exit=0 a0=2567ff0 a1=2567f70 a2=2571bf0 a3=7ffcbac478f0 items=2 ppid=1513 pid=1526 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)'

**Phase 2: Completed decoding.
       decoder: 'auditd'
       action: 'SYSCALL'
       id: '361'
       proto: '59'
       status: 'yes'
       dstuser: '0'
       url: '3'
       extra_data: '/bin/ls'

**Phase 3: Completed filtering (rules).
       Rule id: '80720'
       Level: '0'
       Description: 'Auditd: system call to the kernel'
        

So you need to create a child rule in your local_rules.xml that matches dstuser '0':

  <rule id="xxxxx" level="10">
    <if_sid>80720</if_sid>
    <user>0</user>
    <description>Root command</description>
  </rule>



Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com
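The euid=0 decision the rule above makes, written out as a small parser over auditd SYSCALL records, added here as an example (it is not OSSEC's auditd decoder, which is what maps the uid into dstuser in the logtest output). The records are constructed from the one quoted above; the second one carries auid=1001 to show why the login uid matters: auid survives su/sudo, so it names the operator who actually typed the command. It assumes the x86_64/i386 execve syscall numbers 59/11, and a hypothetical non-root record that must not alert.

```python
import re
from typing import Dict, Optional

# execve number per audit "arch" value: x86_64 (c000003e) and i386 (40000000)
EXECVE_BY_ARCH = {"c000003e": 59, "40000000": 11}
UNSET_AUID = "4294967295"  # auditd's "no login session" value (daemons, cron)

# Constructed samples: the SYSCALL record quoted above, a variant with auid=1001
# (a user who became root via su/sudo), and a non-root execve that must not alert.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1467905123.502:361): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=2567ff0 a1=2567f70 a2=2571bf0 a3=7ffcbac478f0 '
    'items=2 ppid=1513 pid=1526 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/bin/ls" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
    'type=SYSCALL msg=audit(1467905123.900:362): arch=c000003e syscall=59 '
    'success=yes exit=0 items=2 ppid=2872 pid=2883 auid=1001 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 tty=pts1 ses=1 comm="cat" exe="/bin/cat" key=(null)',
    'type=SYSCALL msg=audit(1467905124.100:363): arch=c000003e syscall=59 '
    'success=yes exit=0 items=2 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 '
    'euid=1001 suid=1001 tty=pts2 ses=2 comm="id" exe="/usr/bin/id" key=(null)',
]

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split an audit record into key/value pairs; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    m = _MSG_RE.search(line)  # msg=audit(<epoch>:<serial>) carries the event id
    if m:
        fields["timestamp"], fields["event_id"] = m.group(1), m.group(2)
    return fields


def root_exec_alert(line: str) -> Optional[Dict[str, str]]:
    """Return alert details for an execve performed with euid=0, else None."""
    f = parse_audit_record(line)
    if f.get("type") != "SYSCALL" or f.get("euid") != "0":
        return None
    if f.get("syscall") != str(EXECVE_BY_ARCH.get(f.get("arch", ""))):
        return None  # some other syscall (or an unknown arch): not a command run
    auid = f.get("auid", "?")  # login uid survives su/sudo, so it names the real operator
    origin = {"0": "direct root login",
              UNSET_AUID: "no login session (daemon or cron)"}.get(auid, "escalated from uid " + auid)
    return {"event_id": f.get("event_id", "?"), "exe": f.get("exe", "?"),
            "tty": f.get("tty", "?"), "auid": auid, "origin": origin}
```

The same split is worth keeping in the real rule: a child rule keyed only on uid 0 fires for every root process, while carrying auid lets the alert say which login session was behind it.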

dan (ddp)

Jul 7, 2016, 9:47:24 AM7/7/16
to ossec...@googlegroups.com
On Thu, Jul 7, 2016 at 9:18 AM, Dominik <reuss...@gmail.com> wrote:
> Hi there,
> I've been using ossec for about half a year now and I'm very happy about
> it. Thanks for this great tool.
>
> I have a linux client on which I need to monitor all activities
> performed as root. My thought is to watch /root/.bash_history and create
> alerts on changes in the file.
>
> So I created a configuration to watch this file in the clients ossec.conf:
> <localfile>
> <log_format>syslog</log_format>
> <location>/root/.bash_history</location>
> </localfile>
>
>
>
> This works well and creates entries in the log archives of the
> ossec-server e.g.:
>
> 2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top
>

Since this is an entry in archives.log, the header has to be stripped
before using the log entry in a decoder/rule.
So you're left with:
top

>
>
> I also want to generate alerts.
>
> If I understand correctly, the next steps will be to create a decoder
> and a rule. I tried with the following decoder in
> etc/decoder_local.xml
>
>
> <decoder name="bash_history">
> <program_name>.bash_history</program_name>

Out of curiosity I ran the archives.log entry (header and all) through
ossec-logtest.
Even if the header is included this doesn't match the output I get:
# /var/ossec/bin/ossec-logtest
2016/07/07 09:45:58 ossec-testrule: INFO: Reading local decoder file.
2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top2016/07/07 09:45:58 ossec-testrule: INFO: Started (pid: 22503).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: ' 2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'
       hostname: 'ipyr'
       program_name: '(null)'
       log: ' 2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'

**Phase 2: Completed decoding.
       No decoder matched.


I think looking at Jose's solution is your best bet.

Dominik

Jul 7, 2016, 10:16:27 AM7/7/16
to ossec-list, reuss...@gmail.com
Hi Jose,
thanks - this seems to be the way to go. I managed to get auditd messages to the ossec-server.

However, my system seems to be set up differently.

bin/ossec-logtest -v
2016/07/07 16:05:00 ossec-testrule: INFO: Reading local decoder file.
2016/07/07 16:05:00 ossec-testrule: INFO: Started (pid: 10047).
ossec-testrule: Type one log per line.

type=SYSCALL msg=audit(1467900136.633:792): arch=c000003e syscall=59 success=yes exit=0 a0=1a1ca28 a1=1a
29ac8 a2=1a22008 a3=598 items=2 ppid=2872 pid=2883 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ls" exe="/bin/ls" key=(null)

**Phase 1: Completed pre-decoding.
       full event: 'type=SYSCALL msg=audit(1467900136.633:792): arch=c000003e syscall=59 success=yes exit=0 a0=1a1ca28 a1=1a'
       hostname: 'Birnbaum'
       program_name: '(null)'
       log: 'type=SYSCALL msg=audit(1467900136.633:792): arch=c000003e syscall=59 success=yes exit=0 a0=1a1ca28 a1=1a'

**Phase 2: Completed decoding.
       decoder: 'auditd'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    <long list of Trying rule: ...>

It seems that you have different decoders and filters. No rule exists with rule number 80720:

grep -r 80720 rules/*

does not result in a record.

I'm running the current ossec available from
deb http://ossec.wazuh.com/repos/apt/ubuntu trusty main

What do I need to adjust?

Greetings
Dominik

dan (ddp)

Jul 7, 2016, 10:21:59 AM7/7/16
to ossec...@googlegroups.com

Jose Luis Ruiz

Jul 7, 2016, 10:25:47 AM7/7/16
to Dominik, ossec...@googlegroups.com
Hi Dominik


Auditd rules and decoders are included.

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

Dominik

Jul 7, 2016, 11:09:04 AM7/7/16
to ossec-list, reuss...@gmail.com
Thanks Jose.
I installed the ruleset and it works fine now. I'll have to learn about auditd and its messages a little more.

As a side note: you can only access your link if you have an account on readthedocs. Moreover, the direct link does not work, even if logged in.
The following worked for me (after logging in):

http://wazuh-documentation.readthedocs.io/en/latest/ossec_ruleset.html?highlight=latest

Thanks for the great support.
Dominik

Jose Luis Ruiz

Jul 7, 2016, 11:13:07 AM7/7/16
to Dominik, ossec...@googlegroups.com
You are right.

Here is the correct link; I forgot the “l” at the end.



Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com
