Azure Security Center recently launched a limited preview of new analytics that leverage auditd records to detect malicious behaviors on cloud and on-premises Linux machines. Similar to Security Center detections for Windows machines, these new capabilities can be used to detect suspicious processes, dubious login attempts, kernel module loading/unloading, and other activities that could indicate that a machine is under attack or have been breached. These are in addition to network detections that were previously available for Linux, as well as Windows, VMs.
How it works
Security Center collects audit records from Linux machines using auditd, one of the most common Linux auditing frameworks. Auditd has the advantage of having been around for a long time and living in the mainline kernel. The auditd system consists of two major components. The first is a set of user-space utilities offering a wide collection of operations allowing administrators to better adjust rules, analyze audit log files or troubleshoot if things are misconfigured. The second is a kernel-level subsystem which is responsible for monitoring system calls, filtering them by given rule set, and writing match messages to a buffer. Both components are communicating through a netlink socket.
Auditd records are collected, aggregated into events, and enriched using the latest version of the Linux OMS agent (the same agent that is used by Security Center today). Audit events are stored in your workspace and analyzed by Security Center. When threats are detected, a Security Center alert like the one below is generated.
How to enable Linux detections
- Upgrade to Security Center Standard tier, if you have not already done so.
- Make sure you are running version 1.4.0-12 (or newer) of the OMS agent for Linux. Agents that were installed by ASC, as part of the platform migration to OMS, are running the newest release. Customers who manually installed the agent, can retrieve the oms agent version, by executing the following command: dpkg -l | grep omsagent
- Make sure auditd is installed on the machine. Red Hat flavors typically already have auditd installed, but Debian based flavors do not. If version 1.4.0-12 was previously installed on a system without auditd, first install auditd, then re-run the 1.4.0-12 (or newer) agent installer with “--upgrade” which will result in the auditd plugin being installed. If the OMS agent detects any issues with auditd data collection, informative messages will be generated that can be found within Log Analytics. The messages will be of type “Operation”.
Note: When auditd data collection is enabled, some auditd rules are also enabled. One rule enables auditing of execve system calls. Under most workloads, the overall resource consumption for auditd data collection is negligible. If, however, the system has a workload that creates 1000’s of processes per second, the CPU utilization for auditd data collection may reach ~10% on low-end systems.
- Request to join the limited preview by sending an email with your subscription ID(s). In the following weeks, auditd data collection will be automatically enabled on workspaces that meet the following criteria: 1) per-node billing, 2) contains Red Hat flavored machines, 3) has Security Solution enabled, 4) Linux machines are running OMS agent with version 1.4.0-12 (or newer). You can also send an email if you prefer not to have auditd enabled.
- Share any feedback with the Security Center team.
To learn more about Security Center threat detection, see the documentation or review case studies from security researchers about how Security Center detects SQL Brute Force attacks, Bitcoin mining, DDoS attack using cyber threat intelligence, and good applications being used maliciously.