"Go" webshell detection--system call audit with AUDITD

This document describes how to monitor the behavior of Webshell execution system commands through the Linux audit system AUDITD.

Test environment: Centos7.0_x64

AUDITD Introduction

The Linux audit system provides a way to track security-related information on a system. Based on pre-configured rules, audit the build log entries to record as much information about the events that occur on the system.

The auditd(or AUDITD daemon) is an important kernel audit component of a Linux system that writes audit records to disk. Using AUDITD, you can implement audit monitoring for the following scenarios:

? Monitoring file Access

? Monitoring system Calls

? Log user command execution

? Logging Security Events

? Perform an audit search

? Statistical summary Report

? Monitor network access

The Linux Audit system architecture looks like this:

Typically we use auditctl to view and control the audit behavior of AUDITD, obtain an audit log, and add or remove audit rules. If you want the audit configuration to remain in effect after the system restarts, persist the configuration through the system file/etc/audit/audit.rules.

Configuration AUDITD Implementing process Audit monitoring

The following command, as root, enables a monitoring audit of the syscall behavior of executing a system command .

# auditctl-d # for testing, clear existing rules

# auditctl-a always,exit-f arch=b64-s execve-k Rule01_exec_command

The above command adds a command execution monitoring rule to the System audit rule, and the definition rule is named Rule01_exec_command.

Viewing the AUDITD log file /var/log/audit/audit.log, you can see that the configuration command itself also generates a log:

Where 1506925689.197 is the timestamp of the audit log, corresponding to 2017/10/214:28:09,698444 is the log message ID.

With this configuration in place, we can perform an effective audit of operating system command execution!

Webshell execution of system command monitoring

1

Deployment and execution Webshell

In the Site Directory /opt/www/php/ deployment Webshell program shell.php, the access address is https://example.com/shell.php. Simulate a hacker to the Webshell program to initiate a request, execute the system command:cat/etc/passwd. Webshell the successful line command, the result is as follows:

2

View and analyze AUDITD Audit Log

Execute the command tail-f/var/log/audit/audit.log, and view the AUDITD audit log synchronously. There are two sets of MSG logs, the message IDs are: 698520 and 698521, respectively. We focus on the analysis of 698520, first look at the log content:

The above 5 messages belong to a group of logs, from the rule Rule01_exec_command, the types are:SYSCALL, Execve, CWD, Path,path. Among them, the top three logs have extremely high value.

type=syscall: Log Rule "Rule01_exec_command" is triggered, uid=996 user, ppid=18259 through parent process, calls/usr/bin/bash, executes command sh, process PID = 13545.

? Type=syscall and Type=execve can see the name and parameters of the executed program

The type=cwd indicates that the directory where the command was executed cwd= "/opt/www/php"

Note the hexadecimal string a2=636174202f6574632f706173737764that appears in Execve, which is the argument that is actually executed for the command. It is possible that the audit system did not translate the string in order to complete the log record as soon as possible. After converting it, the corresponding ASCII string is:cat/etc/passwd

The second set of logs is mainly for the audit of command CAT/ETC/PASSWD . The basic logic, as above, no longer repeat.

3

In-depth analysis of process and file relationships

View the web system Nginx, PHP-FPM related process information in the current operating system, as follows:

Note thatPhp-fpm:pool www is the working process of executing the Webshell command!

Combined with the content and time information of the Web log, it is easy to navigate to the Webshell path to the operating system file /var/www/php/shell.php

4

Carding summary

After the AUDITD log analysis, combined with the operating system process information, Nginx log, the Webshell Execution System command behavior can be traced, the details are as follows:

http://example.com/shell.php?cmd=cat/etc/passwd This URL triggers the Nginx server's call to PHP-FPM. The corresponding file is in the Web directory /opt/www/php.

The process invocation relationships in the Webshell Execution System command are as follows:

Summary & Thinking

At this point, we completed the implementation of the AUDITD based on the Webshell Execution System command audit monitoring, I hope to be helpful to everyone. Of course, this article is just a proof of concept for a technology point application, and if you want to implement it as a product, you might want to consider the following questions:

? Real-time collection of operating system processes and process PID information

? Proactively identify web processes and web directory information

? Audit.log log files are collected and sent to a remote server for collection

? Acquisition and correlation analysis Web Access logs

? Deploy a self-developed or third-party log management system to analyze process information

? Deep learning and understanding of the operating mechanism and parameter configuration of AUDITD

? Rationally configure the operating parameters of AUDITD and accurately evaluate the effect of audit function on system performance

? Does the Windows platform have the same detection mechanism?

AUDITD-based audit information is critical for mission-critical environments and can be used to determine security policy violations and audit user action behavior. The audit itself does not provide additional security for your system, but it can be used to discover behaviors that violate security policies.

AUDITD function is very powerful, this article just from a very small function module for security application exploration, more features and application scenarios look forward to your peers to play! Sometimes, based on the system itself, can also have a good harvest.

1

about the SYSCALL

Using the- s Execve in the above configuration command implements the monitoring of the command execution, or it can be implemented using the- s -syscall as a parameter. Execute system command ausyscall–dump to view all syscall options supported by AUDITD.

"Go" webshell detection--system call audit with AUDITD