Configuration

The Linux Audit system generates numerous events for write access, read access, execute access, attribute changes, and system call rules. ThreatLockDown relies on the key argument of audit rules because it is difficult to distinguish audit events with rules and decoders alone. As previously explained, each audit rule can carry a descriptive key value that identifies which rule generated a particular audit log entry. ThreatLockDown uses a CDB list to determine the type of audit rule that fired. This list has the following syntax:

<KEY_NAME>:<VALUE>

where:

  • <KEY_NAME> is the string you used in the -k argument of a file system or system call rule.

  • <VALUE> is one of the following values:

    • write: File system rules with -p w.

    • read: File system rules with -p r.

    • execute: File system rules with -p x.

    • attribute: File system rules with -p a.

    • command: System call rules.

ThreatLockDown server

By default, ThreatLockDown includes an audit CDB list. This CDB list contains audit keys that map to write, read, attribute change, execution, and command events.

Run the command below to view the content of the CDB list:

# cat /var/ossec/etc/lists/audit-keys
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command

You can add your custom key with its value to the list like this:

# echo "<YOUR_KEY>:<VALUE>" >> /var/ossec/etc/lists/audit-keys

Where <YOUR_KEY> is the key set in the audit rule and <VALUE> is the event type ThreatLockDown uses to process the event.
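To make the mapping concrete, the following added Python example (not ThreatLockDown code) reimplements the lookup the CDB list enables: it parses <KEY_NAME>:<VALUE> entries, rejects values outside the documented set, and classifies audit.log records by the key their rule set. The extra audit-wazuh-sshd-config entry and the log lines are constructed for the example.

```python
"""Classify auditd records the way the audit-keys CDB list does (added example)."""
import re

# Allowed <VALUE> side of the audit-keys list, as documented above.
VALID_VALUES = {"write", "read", "execute", "attribute", "command"}

# Constructed copy of the shipped list plus one custom key (not read from disk).
AUDIT_KEYS_LIST = """\
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
audit-wazuh-sshd-config:write
"""

# Constructed audit.log lines; only the key="..." field matters for the lookup.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 '
    'comm="vim" exe="/usr/bin/vim" key="audit-wazuh-w"',
    'type=SYSCALL msg=audit(1700000001.456:457): arch=c000003e syscall=59 success=yes exit=0 '
    'comm="bash" exe="/usr/bin/bash" key="audit-wazuh-c"',
    'type=SYSCALL msg=audit(1700000002.789:458): arch=c000003e syscall=257 success=yes exit=4 '
    'comm="cat" exe="/usr/bin/cat" key="not-in-list"',
    'type=CWD msg=audit(1700000002.789:458): cwd="/root"',
]

KEY_RE = re.compile(r'\bkey="([^"]*)"')

def parse_audit_keys(text):
    """Parse <KEY_NAME>:<VALUE> lines; reject values ThreatLockDown does not know."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key or value not in VALID_VALUES:
            raise ValueError(f"audit-keys line {lineno}: bad entry {raw!r}")
        mapping[key] = value
    return mapping

def classify(record, mapping):
    """Return the event type for one audit record, or None if no listed key fired."""
    m = KEY_RE.search(record)
    return mapping.get(m.group(1)) if m else None

def classify_log(lines, mapping):
    """Classify every record; unknown keys and records without a key yield None."""
    return [classify(line, mapping) for line in lines]
```

A record whose key is not in the list yields None, which is exactly the case where the default rules cannot name the event type and a custom entry in audit-keys is needed.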

Restart the ThreatLockDown manager any time you modify the CDB list:

# systemctl restart wazuh-manager

Out-of-the-box rules for Audit events are located in the /var/ossec/ruleset/rules/0365-auditd_rules.xml file on the ThreatLockDown server.

Monitored endpoint

  1. To use the Linux Audit system, you must install the audit package on your endpoint. If you do not have this package installed, execute the following command as the root user to install it:

    # yum install -y audit

    Note

    If the audit package was already installed on the endpoint before the ThreatLockDown agent, do not perform the actions below: the agent installation adds this configuration by default.

  2. Add the configuration below to the ThreatLockDown agent configuration file /var/ossec/etc/ossec.conf. This configures ThreatLockDown to read the audit log file and process the events the Linux Audit system records:

    <localfile>
      <log_format>audit</log_format>
      <location>/var/log/audit/audit.log</location>
    </localfile>
    
  3. Restart the ThreatLockDown agent to apply the changes:

    # systemctl restart wazuh-agent
    
  4. Create proper audit rules using the auditctl command or the audit rules file.

Linux audit alerts are displayed in the Threat Hunting module of the ThreatLockDown dashboard.