These tools are more commonly classified as SIEM software. A classic and obvious example of such SIEM software is Tripwire. And with the addition of modern VC-attention-grabbing-buzz-words such as machine learningand Big Data there are a ton of SIEM alternatives to choose from nowadays. Tripwire and its ilk and the promises they make can easily be brought up in conversation if you're inclined to win this week's edition of the bullshit bingo. Maybe an idea for when you're attending your daily agile-development-stand-up meeting. Get your post-its ready kids! But that's not really what I was looking for. Those tools definitely have their use cases but they're overkill for my purposes.
Yours truly wanted something nimble and simple. The tool should be easily installable on most modern Linux machines as well as being easily extensible with extra features. As such I relatively quickly settled on writing it in Python (3.x to be exact, it's 2017 after all) based on just standard Python libraries without any external dependencies (*cough*). Also no complicated daemon setups or installation procedures should be necessary. Simply dropping a tarball with some Python scripts on a machine should be sufficient to get the tool up and running. That way any automation can be easily achieved via CI/devops-like tools such as puppet or ansible if so desired.
Besides that I wanted to be able to easily extend it. So I made the decision to simply rely on shell commands. Please note that it's pretty much always sane advice to NOT rely on parsing output of command line tools such as GNU core-utils' ls. I opted to do it in this case anyway! This for the simple reason that I want a tool I can extend really quickly when doing projects. Reliability of results can be guaranteed for individual projects and quickly monitored and tested for anyway. There's an obvious difference in needs for reliability between having a tool which needs to work across hundreds of different Linux/UNIX-like machines and always yield reliable results without breaking down.
Some of the common pitfalls for example include the parsing of filenames when dealing with command line output (see here and here). However don't let this dissuade anyone from the fact that in realistic scenario's one totally gets away with parsing this output. Simply put there's already a ton of software out there which relies on the results of, for example, GNU core-utils' ls. As such there was a huge uproar when the developers of that command line utility changed the default output of ls to quote filenames as can be seen at stackexchange.
Having said all that the tool being introduced here has only been thoroughly tested on Ubuntu and Debian machines. There's no Operating System detection taking place just yet nor any adjustment of GNU specific parameters towards their BSD equivalents (e.g. ls --color=yes versus ls -G respectively). It should take a minimal amount of work to get it up and running on other systems though.
Without further ado. Here's some sample output of dawgmon -- dawg the hallway monitor. One first needs to run the tool to establish a baseline. This baseline is then used to compare the new results against. A sample run in which there's already a baseline and in which we open a port and then close it again might look as follows:
# ./dawgmon -gfA0 changes detected (0 warnings)# nc -l -p 4455 & [1] 124891 change detected (0 warnings)# ./dawgmon -gfA + port 4455 tcp opened # fg1 change detected (0 warnings)nc -l -p 4455 ^C # ./dawgmon -gfA + port 4455 tcp closed#
As we can see in the output above the tool correctly detects that the port was closed. It does NOT do this by hooking into netlink libraries; it simply parses the output of netstat and compares it with the previously cached results.
In this example the baseline has already been cached and on the first run of dawgmon we discover zero changes. Then Virtual Box is being installed and another run of dawgmon yields a pretty useful list of detected attack surface.
# ./dawgmon -gfA0 changes detected (0 warnings)# apt install virtualbox-5.1 [...]33 changes detected (0 warnings)# ./dawgmon -gfA+ file /etc/group got modified on 2017-09-14 19:29:51.804811 +0200+ size of file /etc/group changed from 937 to 954+ file /etc/group- got modified on 2017-09-14 19:29:14.000000 +0200+ size of file /etc/group- changed from 934 to 937+ size of file /etc/gshadow- changed from 777 to 794+ file /etc/gshadow got modified on 2017-09-14 19:29:51.812811 +0200+ file /etc/mailcap got modified on 2017-09-14 19:29:51.632812 +0200+ size of file /etc/mailcap changed from 40777 to 41063+ file /etc/systemd/system/multi-user.target.wants/vboxautostart-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=49)+ file /etc/systemd/system/multi-user.target.wants/vboxballoonctrl-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=51)+ file /etc/systemd/system/multi-user.target.wants/vboxweb-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=43)+ file /etc/systemd/system/multi-user.target.wants/vboxdrv.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=35) + file /etc/udev/rules.d/60-vboxdrv.rules got created (owner=root, group=root, perm=-rw-r--r--, size=747) + group vboxusers added+ suid binary /usr/lib/virtualbox/VBoxNetDHCP got created (owner=root, group=root, perm=-r-s--x--x, size=158304)+ package virtualbox-5.1 is to be installed + suid binary /usr/lib/virtualbox/VBoxHeadless got created (owner=root, group=root, perm=-r-s--x--x, size=158304) + suid binary /usr/lib/virtualbox/VBoxNetAdpCtl got created (owner=root, group=root, perm=-r-s--x--x, size=23144)+ suid binary /usr/lib/virtualbox/VBoxVolInfo got created (owner=root, group=root, perm=-r-s--x--x, size=10472)+ suid binary /usr/lib/virtualbox/VBoxNetNAT got created (owner=root, group=root, perm=-r-s--x--x, size=158304) + suid binary /usr/lib/virtualbox/VBoxSDL got created (owner=root, group=root, perm=-r-s--x--x, size=158296) + suid binary /usr/lib/virtualbox/VirtualBox got created (owner=root, group=root, perm=-r-s--x--x, size=158304)+ systemd unit file vboxweb-service.service added+ i-node for listening UNIX socket /run/systemd/private changed from 3428734 to 3452848 + systemd property NInstalledJobs changed from 8392199 to 3238035463 + systemd property NNames changed from 261 to 263 + systemd unit file vboxautostart-service.service added + systemd unit file vboxballoonctrl-service.service added + systemd unit file vboxdrv.service added + systemd unit 'vboxautostart-service.service' added+ systemd unit 'vboxweb-service.service' added+ systemd unit 'vboxballoonctrl-service.service' added+ systemd unit 'vboxdrv.service' added
Please note that this does not mean that there's anything wrong with any of these things per se; just that if I were so inclined to start examining Virtual Box for local privilege escalation bugs I know where to start (the suid root binaries seem like a good place to do so -- an implementation bug there might give one local root access).
The tool has already proved itself very useful for me in my own engagements. Besides that the moderate amount of infrastructure being used by Anvil Ventures is now being monitored too. Instead of having a fancy, complicated and expensive SIEM setup for just a handful of machines dawgmon is simply being run from a crontab with the results being emailed to me once every day. It gives me a bit of an indication what's going on and what changed on the machines as well as warnings such as that the machines need to be rebooted or that inadvertently some configuration files changed or whatever. A screen shot of a part of my inbox to illustrate:
The list of different analysis parts dawgmon implements right now is pretty diverse. It monitors SystemD changes, System V IPC, UNIX sockets, TCP/UDP ports, processes and changes to /etc and /boot and more. For caveats check the README included in the source code. Current output of the available commands in the current 1.0 release of dawgmon:
$ ./dawgmon -ENAME DESCRIPTIONcheck_boot analyzes /boot directorycheck_etc analyzes /etc directorycheck_groups analyze UNIX group changescheck_users analyze UNIX user changeskernel_version analyze changes in kernel versionenv monitor changes in environment variableslist_ifaces analyze changes in network interfaceslist_blkdev analyze changes in available block devices list_mount analyze changes in file system mountslist_packages analyze changes in installed Debian packageslist_msq analyze changes in System V message queues list_pipes lists named pipeslist_shm analyze changes in System V shared memory segmentslist_processes monitors changes in the running processes (mostly for debugging) list_sem analyze changes in System V sempahoreslist_tcpudp_ports list changes in listening TCP/UDP ports for both IPv4/IPv6list_suids lists setuid/setgid executables list_sysvinit_jobs analyze changes in available System V init jobs list_unix_ports list changes in listening UNIX portssystemd_sockets list systemd socketslsb_version analyze changes in Linux Standard Base release settings needs_restart checks whether a reboot is required (Ubuntu-only) systemd_props show all systemd properties systemd_timers list systemd timersuptime show uptime and check if reboot happenedsystemd_unitfiles list all available systemd unit filessystemd_units list all available systemd units
I'm eager to hear suggestions for other commands and modules to add so definitely do not hesitate to reach out or simply send me a pull request for patches via github or a patch via email.
The code can be found under the Anvil Ventures github page in the dawgmon repository. Patches, comments, suggestions and criticism is more than welcome. Just contact me on github, twitter or email me directly.
You are provided the information was very useful for me and I want more different details about this topic, keep posting...
ReplyDeleteExcel Training in Chennai
Excel Advanced course
Pega Training in Chennai
corporate training in chennai
Tableau Training in Chennai
Unix Training in Chennai
Oracle Training in Chennai
Spark Training in Chennai
Embedded System Course Chennai
Linux Training in Chennai
I really admired with your post, do share more updates.
ReplyDeleteTally Training in Chennai
Tally course
Tally institute in Chennai
AngularJS course in Chennai
ccna Training in Chennai
PHP course in Chennai
Salesforce course in Chennai
Web Designing Training in Chennai
Tally Course in Velachery
Great blog thanks for sharing Growing your own plant comes with its own challenges and responsibilities. This is why you need a plant nursery in chennai who is ready to help you out throughout the way and guide you through the hurdles of growing a plant - Enter Karuna Nursery Gardens.
ReplyDeleteWonderful Blog!!! Thanks for sharing this great blog with us.
ReplyDeleteIOS Training in Chennai
ios training institute in chennai
Best ios Training institutes in Chennai
ios app development course
IOS training in Guindy
IOS Training in Tambaram
Python Training in Chennai
Big data training in chennai
SEO training in chennai
JAVA Training in Chennai
ReplyDeleteI will really appreciate the writer's choice for choosing this excellent article appropriate to my matter.Here is deep description about the article matter which helped me more. share more details.
Ai & Artificial Intelligence Course in Chennai
PHP Training in Chennai
Ethical Hacking Course in Chennai Blue Prism Training in Chennai
UiPath Training in Chennai
it was a wonderful chance to visit this kind of site and I am happy to know. thank you so much for giving us a chance to have this opportunity.. This is the exact information I am been searching for, Thanks for sharing the required infos with the clear update and required points.
ReplyDeleteDot Net Training in Chennai | Dot Net Training in anna nagar | Dot Net Training in omr | Dot Net Training in porur | Dot Net Training in tambaram | Dot Net Training in velachery
Valuable information ..I am delighted to read this article..thank you for giving us this useful information.
ReplyDeleteCyber Security Training Course in Chennai | Certification | Cyber Security Online Training Course | Ethical Hacking Training Course in Chennai | Certification | Ethical Hacking Online Training Course |
CCNA Training Course in Chennai | Certification | CCNA Online Training Course | RPA Robotic Process Automation Training Course in Chennai | Certification | RPA Training Course Chennai | SEO Training in Chennai | Certification | SEO Online Training Course
That was worth reading blog. Keep up with your wriring skill.
ReplyDeletealso, visit Linux training in Pune