
[Rule Tuning] Changes to rules due to lack of file changes events in Linux Endpoint Security #1673


Closed
wants to merge 6 commits into from

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented Dec 21, 2021

Issues

Resolves #1608

Summary

The current endpoint security for Linux does not log file changes, which causes our rules to not fire when they should.

Here are some points that this PR aims to discuss and solve:

  1. The main issue is that we have cross-platform rules using the file change events, so we cannot simply remove the endpoint security index from them, as this would remove the support for macOS endpoint security, which has the data source used by the rule.
  • We can solve this by converting these (cross-platform) rules to OS-specific rules, but what implications does this bring? @brokensound77, would we need to deprecate the cross-platform one (and create two new rules), or can I move it to the macOS folder, modify it and create a new one for Linux?
  2. Auditbeat will not generate file change events in most cases. By default only files located in "/bin", "/usr/bin", "/sbin", "/usr/sbin", "/etc" (base folders) will trigger file change events; subfolders need to be specified, or the recursive option needs to be set to True, which may cause performance issues.
  • Test and provide guidance on Auditbeat configuration

@w0rk3r
Contributor Author

w0rk3r commented Dec 21, 2021

Leaving this one in draft until we discuss the implications

Comment on lines +20 to +29
note = """## Config

This rule requires an additional setup in Auditbeat to log changes to the files specified in the query.

In the file_integrity module on Auditbeat configuration file, add these values to the paths section:

```
- /etc/pam.d
```
"""
Contributor Author


We can suggest changes to Auditbeat configuration in the file_integrity or audit_rules section. I'll be using file_integrity for paths and audit_rules for specific files.
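The two Auditbeat options named in the PR description (file_integrity paths with or without the recursive option) and in this review comment (audit_rules for specific files), written out as one auditbeat.yml fragment. This is an added example, not configuration from the PR or the detection-rules repository; the watch key name pam_config_change and the exclude patterns are assumptions chosen for illustration.

```yaml
# auditbeat.yml fragment (added example; not the PR's own configuration)
auditbeat.modules:

# Option 1: file_integrity module. Only the listed directories are watched;
# a subfolder such as /etc/pam.d produces no events unless it is listed
# explicitly or recursive is set to true.
- module: file_integrity
  paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc
    - /etc/pam.d          # subfolder from the rule note above; must be listed explicitly
  recursive: false        # true covers every subfolder of the paths above, at a performance cost
  exclude_files:          # assumed patterns: editor swap and backup files
    - '(?i)\.sw[nop]$'
    - '~$'
  scan_at_start: true
  hash_types: [sha256]

# Option 2: auditd module with a kernel audit watch on the specific directory.
# -w sets the watched path, -p wa triggers on write and attribute change,
# -k tags the resulting events with a key a rule can filter on.
- module: auditd
  audit_rules: |
    -w /etc/pam.d -p wa -k pam_config_change
```

The file_integrity events record what changed (path, hashes, owner, mode) but not which process changed it, which is the gap the closing comment points at. The auditd watch in option 2 produces events that include the acting process (process.pid, process.name, process.executable) and user fields, so process-based exclusions are possible on that path; its cost is one kernel audit rule per watched location rather than a single recursive filesystem scan.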

@w0rk3r
Copy link
Contributor Author

w0rk3r commented Dec 22, 2021

Closing this one as I'm trying to figure out alternative ways of dealing with the issue; some rules aim to monitor files that are located in multiple directories. The file integrity module can solve this with the recursive option. Still, it doesn't contain any information related to the process responsible for the modification, making it impossible to make exclusions.

Successfully merging this pull request may close these issues.

[Bug] Update rules to remove the logs-endpoint.events.* index to correct for unsupported file events
1 participant