Monitoring file and directory access

In this example, we monitor various types of access to the /home directory of the monitored endpoint. This includes write, read, execution access, and changes in the directory's attributes.

Ubuntu endpoint

  1. Run the commands below to configure the following audit rules:

    # echo "-w /home -p w -k audit-wazuh-w" >> /etc/audit/audit.rules
# echo "-w /home -p a -k audit-wazuh-a" >> /etc/audit/audit.rules
# echo "-w /home -p r -k audit-wazuh-r" >> /etc/audit/audit.rules
# echo "-w /home -p x -k audit-wazuh-x" >> /etc/audit/audit.rules

  2. Reload the audit rules to apply the changes:

    # auditctl -R /etc/audit/audit.rules
# auditctl -l

    -w /home -p w -k audit-wazuh-w
-w /home -p a -k audit-wazuh-a
-w /home -p r -k audit-wazuh-r
-w /home -p x -k audit-wazuh-x

Audit configuration alerts are displayed in the Threat Hunting module of the ThreatLockDown dashboard.

Audit configuration alerts

Note

While it would be possible to define the previous audit rules as one rule specifying -p warx,we intentionally separate them out. So, each rule has its own unique key value that is important for analysis.

Test the configuration

Perform the following actions on the monitored endpoint.

Create a new file

Run the command below to create a new file in the /home directory:

$ touch /home/malware.py

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and apply the rule.id:80790 filter to query the alert.

Create a new file alert

Write access

Run the command below to read the new file:

$ nano /home/malware.py

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and apply the rule.id:80784 filter to query the alert.

Write access alert

Change permissions

Run the command below to change the permission of the /home/malware.py file:

$ chmod u+x /home/malware.py

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and apply the rule.id:80787 filter to query the alert.

Change permissions alert

Read and execute access

Run the command below to execute the /home/malware.py file:

$ /home/malware.py

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and apply the rule.id: (80784 or 80789) filters to query the alerts.

Read and execute access alert

Delete file

Run the command below to delete the /home/malware.py file:

$ rm /home/malware.py

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and apply the rule.id:80791 filter to query the alert.

Delete file alert