In this article we will look at how osquery can be used for FIM (File Integrity Monitoring), i.e. detecting changes to files on a host. Once an attacker has a foothold on a victim's machine, they will typically download scripts or tools onto it to attempt privilege escalation, or drop SSH keys and cron entries for persistence, so changes under locations like ~/.ssh, /etc and /tmp are valuable evidence when hunting for adversary activity on a system. We will enable the relevant logging and check how it works.

We first need to copy the example configuration into place (osqueryd reads /etc/osquery/osquery.conf by default) and make the results log accessible to our user, by executing the following commands:

$ sudo cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
$ sudo chmod 777 /var/log/osquery/osqueryd.results.log
$ sudo chown user1:user1 /var/log/osquery/osqueryd.results.log

Here my username is user1; change it to your own. For this walkthrough the security of the log file is not a concern, so it has been made world-writable and handed to the user. Do not do this on a real deployment: a world-writable results log lets any local user tamper with or erase the very evidence FIM is meant to preserve, so leave it owned by root and readable only by the account that ships the logs. Now create another file called fim.conf and paste the content below [1] into it:

{
  "schedule": {
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval": 30
    },
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 30
    }
  },
  "file_paths": {
    "homes": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ],
    "tmp": [
      "/tmp/%%"
    ]
  },
  "exclude_paths": {
    "homes": [
      "/home/not_to_monitor/.ssh/%%"
    ],
    "tmp": [
      "/tmp/too_many_events/"
    ]
  }
}

I have reduced the interval to 30 seconds in this example. If we look closely at the configuration, we see that file_paths monitors /root/.ssh/%% and /home/%/.ssh/%% (as well as /etc/%% and /tmp/%%). A single % matches within one directory level, while %% is the recursive wildcard, so /home/%/.ssh/%% covers the .ssh directory of every user, and the exclude_paths block removes one user's .ssh directory and a noisy /tmp subdirectory from those categories. We will make a change in the .ssh folder of user1 and should see the corresponding log entries.
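Before deploying a file_paths block it is worth checking which concrete paths it actually covers. The following Python helper is an added example, not code from the article or from osquery: it models the documented wildcard rules (% within one directory level, %% recursive) as a regex and resolves a path to the category that would report it, honouring exclude_paths. Treating an exclude entry that ends in "/" as a plain directory prefix is this script's own assumption, and the sample paths are constructed.

```python
import re

# The fim.conf from the article, embedded as a dict so the script runs offline.
FIM_CONF = {
    "file_paths": {
        "homes": ["/root/.ssh/%%", "/home/%/.ssh/%%"],
        "etc": ["/etc/%%"],
        "tmp": ["/tmp/%%"],
    },
    "exclude_paths": {
        "homes": ["/home/not_to_monitor/.ssh/%%"],
        "tmp": ["/tmp/too_many_events/"],
    },
}


def pattern_to_regex(pattern):
    """Translate an osquery file_paths pattern into an anchored regex.

    Simplified model of the documented rules (not osquery's own matcher):
    '%%' is the recursive wildcard and becomes '.*'; a single '%' matches
    within one directory level and becomes '[^/]*'; everything else is literal.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("%%", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "%":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def is_excluded(path, excludes):
    """Assumption: an exclude entry ending in '/' (as in the example's
    '/tmp/too_many_events/') is treated as a directory prefix; any other
    entry is a wildcard pattern like those in file_paths."""
    for entry in excludes:
        if entry.endswith("/"):
            if path.startswith(entry):
                return True
        elif pattern_to_regex(entry).match(path):
            return True
    return False


def monitored_category(path, conf=FIM_CONF):
    """Return the file_paths category that would report events for `path`,
    or None if no pattern matches or an exclude_paths entry removes it."""
    for category, patterns in conf["file_paths"].items():
        if any(pattern_to_regex(p).match(path) for p in patterns):
            excludes = conf.get("exclude_paths", {}).get(category, [])
            return None if is_excluded(path, excludes) else category
    return None


def coverage_report(paths, conf=FIM_CONF):
    """Map each path to its category (or None) so gaps are visible before deploying."""
    return {p: monitored_category(p, conf) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: an attacker's likely targets plus a few that
    # the example config deliberately does not cover.
    for path, cat in coverage_report([
        "/home/user1/.ssh/authorized_keys",
        "/home/user1/.ssh/keys/id_ed25519",
        "/home/user1/.bashrc",
        "/home/not_to_monitor/.ssh/id_rsa",
        "/etc/cron.d/persist",
        "/tmp/payload.sh",
        "/tmp/too_many_events/noise.log",
    ]).items():
        print(f"{path}: {cat or 'NOT MONITORED'}")
```

Running it shows, for instance, that /home/user1/.bashrc is not watched by this config at all, which is exactly the kind of gap you want to notice before relying on the log rather than after an incident.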

Now let's run osqueryd with the provided configuration file. Note that the flags passed on the command line (--disable_events=false and --enable_file_events=true) could instead be placed in an "options" section of the configuration file, but for the sake of simplicity we keep them on the command line. We should see something like the output below:

$ sudo osqueryd --config_path=./fim.conf --verbose --disable_events=false --enable_file_events=true
I0829 21:53:43.966881  6683 init.cpp:413] osquery initialized [version=5.9.1]
I0829 21:53:43.967103  6683 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0829 21:53:43.967227  6683 dispatcher.cpp:78] Adding new service: WatcherRunner (0x5627c4766658) to thread: 140050234865216 (0x5627c4724580) in process 6683
I0829 21:53:43.968624  6684 watcher.cpp:674] osqueryd watcher (6683) executing worker (6685)
I0829 21:53:43.984798  6685 init.cpp:410] osquery worker initialized [watcher=6683]
I0829 21:53:43.985842  6685 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x55a1931da308) to thread: 140002772121152 (0x55a1931d7af0) in process 6685
I0829 21:53:43.985918  6685 rocksdb.cpp:90] Opening RocksDB handle: /var/osquery/osquery.db
I0829 21:53:44.097143  6685 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55a193347ab8) to thread: 140002092635712 (0x55a1931dab10) in process 6685
... [SNIP] ...

I0829 21:53:44.326989  6815 eventfactory.cpp:390] Starting event publisher run loop: inotify
I0829 21:53:44.327065  6816 eventfactory.cpp:390] Starting event publisher run loop: udev
I0829 21:53:44.327100  6685 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x55a19343f648) to thread: 140002369463872 (0x55a193464400) in process 6685
I0829 21:53:50.601716  6817 scheduler.cpp:120] Executing scheduled query crontab: SELECT * FROM crontab;
I0829 21:53:50.608012  6817 query.cpp:119] Storing initial results for new scheduled query: crontab
I0829 21:53:50.608590  6817 scheduler.cpp:201] Found results for query: crontab
I0829 21:54:00.693049  6817 scheduler.cpp:120] Executing scheduled query file_events: SELECT * FROM file_events;
I0829 21:54:00.697213  6817 query.cpp:119] Storing initial results for new scheduled query: file_events

From the above output we can see that the inotify event publisher has started and that the crontab and file_events queries are being executed on schedule, so our configuration file has been picked up.

Let's open another tab or terminal and create a file in the user's .ssh folder under the home directory. I created a file called this_is_my_test.txt. The change is reflected in the log; you can run tail -f /var/log/osquery/osqueryd.results.log in another terminal window to watch it in real time.

{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:55:01 2023 UTC","unixTime":1693360501,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"CREATED","atime":"1693360473","category":"homes","ctime":"1693360473","gid":"1000","hashed":"1","inode":"804145","md5":"d41d8cd98f00b204e9800998ecf8427e","mode":"0664","mtime":"1693360473","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":"0","target_path":"/home/user1/.ssh/this_is_my_test.txt","time":"1693360473","transaction_id":"0","uid":"1000"},"action":"added"}
{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:55:01 2023 UTC","unixTime":1693360501,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"ATTRIBUTES_MODIFIED","atime":"1693360473","category":"homes","ctime":"1693360473","gid":"1000","hashed":"0","inode":"804145","md5":"","mode":"0664","mtime":"1693360473","sha1":"","sha256":"","size":"0","target_path":"/home/user1/.ssh/this_is_my_test.txt","time":"1693360473","transaction_id":"0","uid":"1000"},"action":"added"}
{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:55:01 2023 UTC","unixTime":1693360501,"epoch":0,"counter":0,"numerics":false,"columns":{"action":"UPDATED","atime":"1693360473","category":"homes","ctime":"1693360473","gid":"1000","hashed":"1","inode":"804145","md5":"d41d8cd98f00b204e9800998ecf8427e","mode":"0664","mtime":"1693360473","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":"0","target_path":"/home/user1/.ssh/this_is_my_test.txt","time":"1693360473","transaction_id":"0","uid":"1000"},"action":"added"}
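The three rows above describe a single file: a CREATED event, an ATTRIBUTES_MODIFIED event (hashed is 0, so the md5/sha1/sha256 columns are empty) and an UPDATED event. Note that size is 0 and the digests shown are those of empty content, so the hashes tell you nothing about what was written until the file has data. To make the results log actionable, the following Python script is an added example (not part of the article or of osquery) that reads the JSON-lines log, keeps only file_events rows, groups them per target_path, tracks the last real hash and assigns a rough severity based on the path. The sample log is constructed: the first three rows are trimmed copies of the events above, the authorized_keys and cron.d rows with placeholder hashes, the crontab row and the truncated final line are made up to exercise the filtering and error handling.

```python
import json

# sha256 of zero bytes: the value osquery reported for the empty test file above.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample log (JSON lines; see the lead-in for which rows are made up).
SAMPLE_LOG = r'''
{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:55:01 2023 UTC","columns":{"action":"CREATED","category":"homes","hashed":"1","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":"0","target_path":"/home/user1/.ssh/this_is_my_test.txt","uid":"1000"},"action":"added"}
{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:55:01 2023 UTC","columns":{"action":"ATTRIBUTES_MODIFIED","category":"homes","hashed":"0","sha256":"","size":"0","target_path":"/home/user1/.ssh/this_is_my_test.txt","uid":"1000"},"action":"added"}
{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:55:01 2023 UTC","columns":{"action":"UPDATED","category":"homes","hashed":"1","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":"0","target_path":"/home/user1/.ssh/this_is_my_test.txt","uid":"1000"},"action":"added"}
{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:57:10 2023 UTC","columns":{"action":"UPDATED","category":"homes","hashed":"1","sha256":"1111111111111111111111111111111111111111111111111111111111111111","size":"98","target_path":"/home/user1/.ssh/authorized_keys","uid":"0"},"action":"added"}
{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:58:02 2023 UTC","columns":{"action":"CREATED","category":"etc","hashed":"1","sha256":"2222222222222222222222222222222222222222222222222222222222222222","size":"61","target_path":"/etc/cron.d/persist","uid":"0"},"action":"added"}
{"name":"crontab","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:58:30 2023 UTC","columns":{"command":"/tmp/x.sh","minute":"*"},"action":"added"}
{"name":"file_events","hostIdentifier":"osquery1","calendarTime":"Wed Aug 30 01:5
'''

# Path-based triage rules (this script's own choices, not osquery's).
HIGH_EXACT = {"/etc/sudoers", "/etc/passwd", "/etc/shadow", "/etc/ld.so.preload"}
HIGH_PREFIX = ("/etc/cron", "/etc/sudoers.d/", "/etc/systemd/system/")
RANK = {"high": 0, "medium": 1, "low": 2}


def severity(path):
    """Rough priority for a changed file: SSH keys, cron and sudo/auth files first, then /tmp drops."""
    basename = path.rsplit("/", 1)[-1]
    if basename == "authorized_keys" or path in HIGH_EXACT or path.startswith(HIGH_PREFIX):
        return "high"
    if path.startswith("/tmp/"):
        return "medium"
    return "low"


def parse_file_events(text):
    """Return the file_events result rows from a results log, skipping other
    queries and any line that is not valid JSON (e.g. a line still being written)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupt line: skip rather than abort the whole run
        if rec.get("name") != "file_events" or rec.get("action") != "added":
            continue
        rows.append(rec)
    return rows


def summarize(rows):
    """Group events per target_path: ordered action list, last computed sha256,
    file owner uid, severity and any notes worth an analyst's attention."""
    summary = {}
    for rec in rows:
        cols = rec["columns"]
        path = cols["target_path"]
        entry = summary.setdefault(path, {"actions": [], "sha256": None, "uid": None,
                                          "severity": severity(path), "notes": []})
        entry["actions"].append(cols["action"])
        entry["uid"] = cols.get("uid")
        # hashed == "1" means osquery computed digests for this event; otherwise the hash columns are empty
        if cols.get("hashed") == "1" and cols.get("sha256"):
            entry["sha256"] = cols["sha256"]
    for path, entry in summary.items():
        if entry["sha256"] == EMPTY_SHA256:
            entry["notes"].append("content is empty (sha256 of zero bytes)")
        if entry["uid"] == "0" and path.startswith("/home/"):
            entry["notes"].append("owned by uid 0 (root) under /home")
    return summary


if __name__ == "__main__":
    report = summarize(parse_file_events(SAMPLE_LOG))
    for path, e in sorted(report.items(), key=lambda kv: RANK[kv[1]["severity"]]):
        print(f"[{e['severity']:<6}] {path}: {' -> '.join(e['actions'])} "
              f"sha256={e['sha256']} {'; '.join(e['notes'])}")
```

In practice you would point parse_file_events at the real /var/log/osquery/osqueryd.results.log (or the stream your log shipper produces) and feed the high-severity entries to whatever alerting you use; the point of the grouping is that a single touch produces several rows, and only the rows with hashed set to 1 carry a digest you can compare against a known-good baseline.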

Reference

  1. https://github.com/osquery/osquery/blob/master/docs/wiki/deployment/file-integrity-monitoring.md