Home / server / Questions / 1046021
Accepted
Michael Altfield
Asked: 2020-12-14 08:47:22 +0800 CST

Email alert when private keys read from disk (honeypot, auditd)

  • 772

I'd like to receive an immediate alert every time something reads the contents of my private key on Debian Linux. How can I do that?

I have an RSA private key stored on my server's disk at the following location:

/etc/ssl/private/super-secret.key

It's only readable by root, but I still want to have a log of every time this secret key has been read by a person or a process, and store the context of that read event for alerting and auditing purposes

How can I setup immediate alerting when a very sensitive file has been read from disk?

linux security https auditd alerting

1 Answers

  1. Best Answer

    This can be achieved using the following two tools:

    1. auditd to monitor the file (rather, to tell the kernel to monitor the file's inode) and log all read events to /var/log/audit/audit.log
    2. wazuh (or ossec) to monitor the audit.log file and send an email alert when appropriate

    Prereqs

    First, install auditd.

    sudo apt-get install auditd

    Next, install wazuh. If you've never done this before and its only one server, you probably want the "all-in-one" install.

    sudo apt-get install wazuh-manager

    auditd config

    To monitor the file /etc/ssl/private/super-secret.key, add an auditd rule to watch (-w) the file for read access (-p r) -- and give this rule an arbitrary "key" name (-k audit-wazuh-private-key-r) so we can match against it later.

    cat > /etc/audit/rules.d/watch_private_keys.rules <<'EOF'
# monitor reads of our private keys for wazuh
-w /etc/ssl/private/super-secret.key -p r -k audit-wazuh-private-key-r
EOF

    Restart auditd to apply the rules

    systemctl restart auditd
auditctl -l

    wazuh config

    Add the following lines to your wazuh main config file (/var/ossec/etc/ossec.conf) to enable monitoring of the auditd log file

      <localfile>
    <location>/var/log/audit/audit.log</location>
    <log_format>audit</log_format>
  </localfile>

    Add the "key" name of our rule above to the list of auditd keys that wazuh monitors

    grep 'audit-wazuh-private-key-r:read' /var/ossec/etc/lists/audit-keys || echo 'audit-wazuh-private-key-r:read' >> /var/ossec/etc/lists/audit-keys

    Add the following lines to your wazuh local rules file (/var/ossec/etc/rules/local_rules.xml) to tell wazuh that this event is a level 12 = "high important event" and that it should trigger an email alert

            <rule id="100002" level="12">
                <if_sid>80700</if_sid>
                <match>audit-wazuh-private-key-r</match>
                <options>alert_by_email</options>
                <description>Audit: Watch - Private Key Read</description>
        </rule>

    Restart wazuh

    systemctl restart wazuh

    Now, any attempt to read the contents of the /etc/ssl/private/super-secret.key file will send you an email alert.

    See Also

    1. https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/
    2. https://documentation.wazuh.com/4.0/user-manual/capabilities/system-calls-monitoring/audit-configuration.html
    • 1