Technology Share | Linux intrusion detection: monitoring process creation

About the author: Zhang Bo, NetEase Senior Information Security Engineer.

0x00 Introduction

In intrusion detection, monitoring process creation is essential: the vast majority of attacks manifest as processes, so obtaining information about newly created processes promptly helps us locate attack behaviour quickly.

This article describes some common ways of monitoring process creation, covering the principle, a demo, the conditions of use and the advantages and disadvantages of each. It was written in a hurry; corrections of any mistakes or omissions are welcome.

 

0x01 Common methods

At present there are four common ways of obtaining information about process creation:

  • So preload
  • Netlink Connector
  • Audit
  • Syscall hook

Below we look at each of these four methods in terms of principle, demo, conditions of use and advantages and disadvantages.

 

0x02 So preload

Principle

First, two basics:

1. Most executable programs on Linux are dynamically linked, and the commonly used functions related to process execution, such as execve, are implemented in the dynamic link library libc.so.

2. Linux's so preload mechanism allows a user to specify dynamic link libraries that are loaded with priority, so that a program can selectively be made to load a different implementation of the same function.

Combining these two points, it is not hard to see that we can override execve and related functions from libc.so via so preload in order to monitor process creation.

Demo

Let us implement a simple demo.

1. Create a file hook.c with the following contents:

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>

/* Signature of the real execve in libc. */
typedef int (*execve_func_t)(const char* filename, char* const argv[], char* const envp[]);
static execve_func_t old_execve = NULL;

/* Because this library is preloaded, our execve shadows libc's. */
int execve(const char* filename, char* const argv[], char* const envp[]) {
    printf("Running hook\n");
    printf("Program executed: %s\n", filename);
    fflush(stdout);   /* stdio buffers are lost once the new image replaces us */
    /* Resolve the next execve in link order (libc's) once and cache it. */
    if (old_execve == NULL)
        old_execve = (execve_func_t)dlsym(RTLD_NEXT, "execve");
    return old_execve(filename, argv, envp);
}

The main part of this file redefines the execve function so that it prints the name of the executable before calling the original execve.

2. Build the shared library: gcc hook.c -fPIC -shared -o hook.so (on glibc older than 2.34, where dlsym lives in libdl, also pass -ldl so the hook works in processes that do not link libdl themselves).

3. Register the generated library as a preload: echo '/path/to/hook.so' > /etc/ld.so.preload

4. Log out of the current shell and log back in (the reason is explained below), then run any command and you will see that the code we wrote has been executed:

Conditions of Use

This method has no special requirements beyond root privileges (root is required for an intrusion-monitoring agent anyway; the methods below also assume root by default).

Advantages and disadvantages

Advantages

  • Lightweight: only library function code is modified; there is no interaction with the kernel.

Disadvantages

Regarding step 4 of the demo, one may wonder: why must a new shell be obtained before the effect becomes visible? The process that actually executes the command (that is, the one calling execve in the current shell) is the shell's own executable, for example bash, and the dynamic libraries bash needs were resolved when it started, so a preload added afterwards does not affect the running bash; only processes created after the preload entry was added are affected. This gives the first disadvantage of the method:

  • Only processes created after the preload entry was added are affected, so the detection agent should be installed as early as possible, ideally before other applications start.

In addition there are the following disadvantages:

  • Statically linked programs cannot be monitored: some worms and trojans are statically linked to reduce their dependence on the environment and never load shared libraries, so this method has no effect on them.
  • Easy for an attacker to find and tamper with: some worms and trojans themselves write a backdoor into /etc/ld.so.preload to keep persistent control of the machine, and this monitoring method fails in that case.
  • An attacker can issue the system call directly with int 80h, bypassing libc entirely, and this method fails in that case as well.
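The second disadvantage above, that malware also uses /etc/ld.so.preload, suggests a check the monitoring agent should run on itself. The following C program is an added example and is not part of the original article: it tokenizes the preload file the way glibc does (entries separated by whitespace or ':', '#' starting a comment) and reports every library that is not in an allowlist. The allowlisted path /opt/hids/hook.so is an assumption for the demo.

```c
/* Added example, not part of the article: verify that /etc/ld.so.preload
 * contains only the libraries we expect. glibc parses this file as shared
 * objects separated by whitespace or ':' with '#' comments, so the checker
 * tokenizes it the same way. The allowlisted path is an assumption. */
#include <stdio.h>
#include <string.h>

#define PRELOAD_PATH "/etc/ld.so.preload"

/* Libraries allowed to be preloaded (assumed agent path). */
static const char *const ALLOWED[] = { "/opt/hids/hook.so" };
static char g_report[1024];   /* space-separated unexpected entries */

static int is_allowed(const char *lib) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(lib, ALLOWED[i]) == 0) return 1;
    return 0;
}

/* Scan preload-file text; returns the number of entries not in ALLOWED and
 * leaves them in g_report (see preload_report()). */
int check_preload_text(const char *text) {
    char tok[512];
    size_t tl = 0;
    int in_comment = 0, unexpected = 0;
    g_report[0] = '\0';
    for (const char *p = text;; p++) {
        char c = *p;
        if (c == '#') in_comment = 1;          /* comment runs to end of line */
        if (c == '\n') in_comment = 0;
        int sep = c == '\0' || c == '\n' || c == ' ' || c == '\t' || c == ':';
        if (sep || in_comment) {
            if (tl > 0) {                      /* one complete library path */
                tok[tl] = '\0';
                if (!is_allowed(tok)) {
                    unexpected++;
                    if (g_report[0]) strncat(g_report, " ", sizeof g_report - strlen(g_report) - 1);
                    strncat(g_report, tok, sizeof g_report - strlen(g_report) - 1);
                }
                tl = 0;
            }
        } else if (tl + 1 < sizeof tok) {
            tok[tl++] = c;
        }
        if (c == '\0') break;
    }
    return unexpected;
}

const char *preload_report(void) { return g_report; }

/* Read the real file; a missing file means nothing is preloaded. */
int check_preload_file(const char *path) {
    char buf[4096];
    size_t got;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return check_preload_text(buf);
}

int main(void) {
    int n = check_preload_file(PRELOAD_PATH);
    if (n > 0) printf("ALERT: %d unexpected entries in %s: %s\n", n, PRELOAD_PATH, preload_report());
    else printf("%s: no unexpected entries\n", PRELOAD_PATH);
    return n > 0;
}
```

Run it periodically (or from a file-change watcher on /etc/ld.so.preload); a non-zero exit signals an entry the agent did not put there, which covers both a planted backdoor and an attempt to replace the hook itself.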

 

0x03 Netlink Connector

Principle

Before introducing Netlink Connector, let us first look at what Netlink is. Netlink is a socket family used for IPC between the kernel and user-space processes, and between user-space processes; the familiar ss command, for example, obtains its information from the kernel by communicating over Netlink.

Netlink Connector is one Netlink protocol, with protocol number NETLINK_CONNECTOR. Its source lives at https://github.com/torvalds/linux/tree/master/drivers/connector, where connector.c and cn_queue.c implement Netlink Connector itself and cn_proc.c is an example application, the process event connector, through which we can monitor process creation.

System architecture:

(Source: https://www.slideshare.net/kerneltlv/kernel-proc-connector-and-containers )

Detailed flow:

(Source: https://4hou.win/wordpress/?p=29586 )

In the figure, ncp is the Netlink Connector Process, i.e. the user-space program we need to develop.

Demo

A simple process monitoring program based on the process event connector already exists on GitHub: https://github.com/ggrandes-clones/pmon/blob/master/src/pmon.c . Its core consists of three functions:

  • nl_connect: establishes the connection with the kernel
  • set_proc_ev_listen: subscribes to process events
  • handle_proc_ev: handles process events

Its execution flow is shown in the figure.

Compile with gcc pmon.c -o pmon and run the resulting program to see the effect:

Once the pid is obtained, more information about the process can be read from the /proc/<pid>/ directory.

Conditions of Use

The kernel must support Netlink Connector:

  • Version > 2.6.14
  • Kernel configuration enabled: cat /boot/config-$(uname -r) | egrep 'CONFIG_CONNECTOR|CONFIG_PROC_EVENTS'

Advantages and disadvantages

Advantages

  • Lightweight: the information the kernel provides is obtained entirely in user space.

Disadvantages

  • Only the pid is obtained; details must be looked up in /proc/<pid>/, which introduces a time gap during which data may be lost.
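To make the principle and the time-gap disadvantage concrete, here is an added example in C. It is not the article's pmon.c, although it follows the same connect / listen / handle structure: a process event connector listener that, on each exec event, immediately reads /proc/<pid>/exe and /proc/<pid>/cmdline, which is the practical way to narrow the window in which the process can exit before it is looked up. It must run as root on a kernel built with CONFIG_CONNECTOR and CONFIG_PROC_EVENTS; the output format is my own.

```c
/* Added example (not the article's pmon.c): a process event connector
 * listener that enriches every PROC_EVENT_EXEC from /proc right away,
 * shrinking the window in which the process can exit unseen.
 * Requires root and CONFIG_CONNECTOR + CONFIG_PROC_EVENTS. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>

/* Read /proc/<pid>/cmdline into buf, turning NUL separators into spaces.
 * Returns bytes read; 0 means the process already vanished (the race the
 * article warns about) or /proc is unreadable. */
size_t read_cmdline(pid_t pid, char *buf, size_t len) {
    char path[64];
    size_t got = 0;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    if ((f = fopen(path, "r")) != NULL) {
        got = fread(buf, 1, len - 1, f);
        fclose(f);
    }
    buf[got] = '\0';
    for (size_t i = 0; i + 1 < got; i++)
        if (buf[i] == '\0') buf[i] = ' ';
    return got;
}

/* Resolve /proc/<pid>/exe; "?" if the process is gone. */
static void read_exe(pid_t pid, char *buf, size_t len) {
    char path[64];
    ssize_t n;
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    n = readlink(path, buf, len - 1);
    if (n < 0) { strncpy(buf, "?", len); return; }
    buf[n] = '\0';
}

/* Turn an exec event into one log line with /proc enrichment.
 * Returns 1 when a line was produced, 0 for every other event type. */
int format_exec_event(const struct proc_event *ev, char *line, size_t len) {
    char exe[PATH_MAX], cmdline[1024];
    pid_t pid;
    if (ev->what != PROC_EVENT_EXEC) return 0;
    pid = ev->event_data.exec.process_pid;
    read_exe(pid, exe, sizeof exe);
    read_cmdline(pid, cmdline, sizeof cmdline);
    snprintf(line, len, "exec pid=%d tgid=%d exe=%s cmdline=%s", (int)pid,
             (int)ev->event_data.exec.process_tgid, exe, cmdline);
    return 1;
}

/* Open a NETLINK_CONNECTOR socket subscribed to the process event group. */
static int nl_connect(void) {
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = CN_IDX_PROC,
                              .nl_pid = getpid() };
    int fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Ask cn_proc to start (1) or stop (0) multicasting process events. */
static int set_proc_listen(int fd, int enable) {
    char buf[NLMSG_SPACE(sizeof(struct cn_msg) + sizeof(enum proc_cn_mcast_op))];
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct cn_msg *cn = (struct cn_msg *)NLMSG_DATA(nlh);
    enum proc_cn_mcast_op *op = (enum proc_cn_mcast_op *)cn->data;
    memset(buf, 0, sizeof buf);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct cn_msg) + sizeof(*op));
    nlh->nlmsg_type = NLMSG_DONE;
    nlh->nlmsg_pid = getpid();
    cn->id.idx = CN_IDX_PROC;
    cn->id.val = CN_VAL_PROC;
    cn->len = sizeof(*op);
    *op = enable ? PROC_CN_MCAST_LISTEN : PROC_CN_MCAST_IGNORE;
    return send(fd, buf, nlh->nlmsg_len, 0) < 0 ? -1 : 0;
}

int main(void) {
    char buf[4096] __attribute__((aligned(NLMSG_ALIGNTO)));
    char line[2048];
    int fd = nl_connect();
    if (fd < 0) { perror("netlink connector (root required)"); return 1; }
    if (set_proc_listen(fd, 1) < 0) { perror("PROC_CN_MCAST_LISTEN"); return 1; }
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n <= 0) break;
        for (struct nlmsghdr *nlh = (struct nlmsghdr *)buf; NLMSG_OK(nlh, n);
             nlh = NLMSG_NEXT(nlh, n)) {
            struct cn_msg *cn = NLMSG_DATA(nlh);
            if (format_exec_event((struct proc_event *)cn->data, line, sizeof line))
                puts(line);
        }
    }
    set_proc_listen(fd, 0);
    close(fd);
    return 0;
}
```

Build with gcc pmon_enrich.c -o pmon_enrich (file name assumed) and run it as root. A process that exits before the read still yields a line with exe=? and an empty cmdline, which is exactly the loss the article describes, so the output also lets you measure how often that happens on a given host.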

 

0x04 Audit

Principle

Linux Audit is the kernel component used for auditing; it can monitor system calls and file access. Its architecture is as follows (image source: https://slack.engineering/syscall-auditing-at-scale-e6a3ca8ac1b8):

1. The user configures rules through a user-space management process (go-audit in the figure, which can be replaced by the more common auditd) and sends them to the kernel over a Netlink socket.

2. kauditd in the kernel receives the rules over Netlink and loads them.

3. When an application enters a system call and when the call returns, it passes through kauditd, which records these events and sends them back to the user-space process over Netlink.

4. The user-space process parses the event log and outputs it.

Demo

As the architecture diagram above shows, the framework has a user-space and a kernel-space part: kauditd in kernel space is fixed, while the user-space program can be customized. The most commonly used user-space program is auditd; the well-known osquery also obtains process events by interacting with Audit underneath (https://medium.com/palantir/auditing-with-osquery-part-one-introduction-to-the-linux-audit-framework-217967cec406). Below we briefly show how to monitor process creation with auditd.

First install and start auditd:

apt update && apt install auditd
systemctl start auditd && systemctl status auditd

The auditd package includes a command-line control program, auditctl, through which we can interact with auditd. Create a watch on the execve system call with the following command:

auditctl -a exit,always -F arch=b64 -S execve

Then use ausearch, also from the auditd package, to search the logs auditd produced:

ausearch -sc execve | grep /usr/bin/id

The result of the whole process is shown below:

Other usage can be found with man auditd and man auditctl.
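The ausearch output in the demo is raw audit records, and an agent normally parses them itself. As an added example in C (not from the article or the auditd project), the parser below joins the SYSCALL record (pid, ppid, uid, exe) and the EXECVE record (argv) of one execve event by the serial number in msg=audit(time:serial), which is what makes Audit's information more complete than the bare pid from Netlink Connector. The log lines embedded in it are constructed for the demo; syscall 59 is execve on x86_64.

```c
/* Added example, not from the article: join auditd's SYSCALL and EXECVE
 * records of one execve event by the serial in msg=audit(time:serial),
 * giving pid, ppid, uid, exe and argv for a single event. The log text
 * below is constructed for the demo; syscall 59 is execve on x86_64. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EVENTS 16

struct exec_event {
    unsigned long serial;
    int pid, ppid, uid, have_syscall, have_execve;
    char exe[256], argv[512];
};

/* Constructed sample: one execve (serial 4242) plus an openat (4243) to ignore. */
const char *SAMPLE_LOG =
    "type=SYSCALL msg=audit(1563000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm=\"id\" exe=\"/usr/bin/id\" key=\"proc_exec\"\n"
    "type=EXECVE msg=audit(1563000000.123:4242): argc=2 a0=\"id\" a1=\"-u\"\n"
    "type=CWD msg=audit(1563000000.123:4242): cwd=\"/root\"\n"
    "type=SYSCALL msg=audit(1563000000.456:4243): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d4 a2=0 a3=0 items=1 ppid=1200 pid=1201 auid=1000 uid=1000 comm=\"id\" exe=\"/usr/bin/id\" key=(null)\n";

/* Copy the value of key (bare or "quoted") from one record into out; matches
 * whole keys only, so "pid" does not hit "ppid". Returns 1 if found. */
static int get_field(const char *rec, const char *key, char *out, size_t len) {
    size_t klen = strlen(key), n;
    const char *p = rec, *v, *e;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            v = p + klen + 1;
            if (*v == '"') { v++; e = strchr(v, '"'); if (!e) e = v + strlen(v); }
            else e = v + strcspn(v, " \n");
            n = (size_t)(e - v) < len ? (size_t)(e - v) : len - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Event with this serial, or a fresh slot; NULL when the table is full. */
static struct exec_event *slot(struct exec_event *evs, int *n, unsigned long serial) {
    for (int i = 0; i < *n; i++) if (evs[i].serial == serial) return &evs[i];
    if (*n >= MAX_EVENTS) return NULL;
    memset(&evs[*n], 0, sizeof evs[*n]);
    evs[*n].serial = serial;
    return &evs[(*n)++];
}

/* Parse log text; copies complete execve events (SYSCALL and EXECVE both
 * seen) into out[] and returns their number. Audit hex-encodes EXECVE
 * arguments that contain special characters; those are left as-is here. */
int parse_exec_events(const char *log, struct exec_event *out, int max) {
    struct exec_event evs[MAX_EVENTS], *ev;
    char rec[1024], type[16], tmp[64], key[8], arg[256];
    unsigned long serial;
    int n = 0, found = 0;
    for (const char *p = log; *p; ) {
        size_t full = strcspn(p, "\n"), l = full < sizeof rec ? full : sizeof rec - 1;
        memcpy(rec, p, l);
        rec[l] = '\0';
        p += full + (p[full] == '\n');
        if (!get_field(rec, "type", type, sizeof type) ||
            !get_field(rec, "msg", tmp, sizeof tmp) ||
            sscanf(tmp, "audit(%*[^:]:%lu)", &serial) != 1 ||
            !(ev = slot(evs, &n, serial)))
            continue;
        if (strcmp(type, "SYSCALL") == 0 &&
            get_field(rec, "syscall", tmp, sizeof tmp) && strcmp(tmp, "59") == 0) {
            ev->have_syscall = 1;
            if (get_field(rec, "pid", tmp, sizeof tmp)) ev->pid = atoi(tmp);
            if (get_field(rec, "ppid", tmp, sizeof tmp)) ev->ppid = atoi(tmp);
            if (get_field(rec, "uid", tmp, sizeof tmp)) ev->uid = atoi(tmp);
            get_field(rec, "exe", ev->exe, sizeof ev->exe);
        } else if (strcmp(type, "EXECVE") == 0) {
            int argc = get_field(rec, "argc", tmp, sizeof tmp) ? atoi(tmp) : 0;
            ev->have_execve = 1;
            for (int i = 0; i < argc; i++) {
                snprintf(key, sizeof key, "a%d", i);
                if (!get_field(rec, key, arg, sizeof arg)) break;
                if (i) strncat(ev->argv, " ", sizeof ev->argv - strlen(ev->argv) - 1);
                strncat(ev->argv, arg, sizeof ev->argv - strlen(ev->argv) - 1);
            }
        }
    }
    for (int i = 0; i < n && found < max; i++)
        if (evs[i].have_syscall && evs[i].have_execve) out[found++] = evs[i];
    return found;
}

int main(void) {
    struct exec_event ev[MAX_EVENTS];
    int n = parse_exec_events(SAMPLE_LOG, ev, MAX_EVENTS);
    for (int i = 0; i < n; i++)
        printf("serial=%lu pid=%d ppid=%d uid=%d exe=%s argv=[%s]\n", ev[i].serial,
               ev[i].pid, ev[i].ppid, ev[i].uid, ev[i].exe, ev[i].argv);
    return 0;
}
```

Feeding it the output of ausearch -sc execve (or a tail of /var/log/audit/audit.log) gives one structured line per process creation. In production, records of one event can arrive in any order and the table should be keyed by serial with an expiry, which the fixed MAX_EVENTS table above does not do.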

Conditions of use

Audit enabled in the kernel:

  • cat /boot/config-$(uname -r) | grep ^CONFIG_AUDIT

Advantages and disadvantages

Advantages

  • Complete tooling: the tools in the auditd package cover most needs without writing extra code.
  • Compared with Netlink Connector, the information obtained is more complete, not just a pid.

Disadvantages

  • Performance overhead grows with the number of processes, so configuration such as whitelists is needed to limit resource usage.

 

0x05 Syscall hook

Netlink Connector and Audit above are both mechanisms Linux itself provides for monitoring system calls. If we want a greater degree of customization, we need to hook the system calls ourselves by installing a kernel module.

Principle

The common hook method modifies sys_call_table (the Linux system call table). When the system executes a system call it locates the corresponding function in sys_call_table by system call number, so it suffices to change the entry for execve in sys_call_table to the address of a function in our kernel module.

For implementation details see YSRC's article on how the Yulong (驭龙) HIDS implements process monitoring: https://mp.weixin.qq.com/s/ntE5FNM8UaXQFC5l4iKUUw . A figure from that article is reproduced here to give an intuitive picture of the whole flow:

Demo

For a Syscall hook demo I looked through many demo code bases on GitHub, including the hook module of Yulong HIDS, but none of them ran properly on my machine (Ubuntu 16.04, kernel 4.4.0-151-generic), which exposes the compatibility problem of Syscall hook.

In the end I decided to demonstrate with Sysdig. Sysdig is an open-source system monitoring tool whose core principle is to monitor system calls through a kernel module and abstract them into events, from which users build detection rules. As a relatively mature product, Sysdig has good compatibility, so it is used for the demonstration here, which also makes it convenient for everyone to test themselves.

The steps are:

1. Install using the official install script:

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

2. Check whether the kernel module has been installed: lsmod | grep sysdig

3. Start monitoring execve: sysdig evt.type=execve

The final result is shown below:

More information on Sysdig is available in its wiki. In addition, the Sysdig team has released Falco, a tool dedicated to security monitoring; Falco builds on Sysdig with more readable detection rules and supports deployment inside containers. Those interested can likewise consult its wiki for more information.

Conditions of use

  • Kernel modules can be installed.
  • Must be customized for each Linux distribution and kernel version.

Advantages and disadvantages

Advantages

  • Highly customizable; complete information is obtained at the system call level.

Disadvantages

  • Difficult to develop.
  • Poor compatibility; needs customization and testing for each distribution and kernel version.

 

0x06 Summary

This article covered four common methods of monitoring process creation. Essentially they all monitor library functions or system calls, each with its own pros and cons, which I summarize in one sentence each:

  • So preload: hooks library functions, no interaction with the kernel; lightweight but easily bypassed.
  • Netlink Connector: obtains data from the kernel, monitors system calls; lightweight, but only the pid is obtained directly and other information must be filled in by reading /proc/<pid>/.
  • Audit: obtains data from the kernel, monitors system calls; feature-rich, not limited to process creation, and the information obtained is relatively complete.
  • Syscall hook: obtains data from the kernel, monitors system calls; closest to the actual system call, highly customizable, poor compatibility.

Personally, looking purely at monitoring process creation, I still recommend Netlink Connector: it obtains data from the kernel while remaining lightweight enough to be convenient for custom development. For all-round monitoring covering processes, network and files, Audit is a good choice.

This article introduced the features in demo form, mainly to start a discussion; the stability of each method has not been tested thoroughly, and anyone with test data is welcome to share and discuss it here.

 

0x07 References

https://4hou.win/wordpress/?p=29586

https://tech.meituan.com/2019/01/17/distributed-hids-cluster-architecture-design.html

https://www.ibm.com/developerworks/cn/linux/l-lo-use-space-audit-tool/index.html

https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/

https://my.oschina.net/macwe/blog/603583

https://mp.weixin.qq.com/s/ntE5FNM8UaXQFC5l4iKUUw

https://mp.weixin.qq.com/s?__biz=MzUzODQ0ODkyNA==&mid=2247483854&idx=2&sn=815883b02ab0000956959f78c3f31e2b&scene=21

https://github.com/draios/sysdig

https://github.com/falcosecurity/falco

 

 


Source: blog.csdn.net/yidunmarket/article/details/96742658