Forum Discussion

luevelvet's avatar
luevelvet
Icon for Altocumulus rankAltocumulus
Oct 18, 2022

Logging/Audit Binary Execution?

Hey Everyone,

We're looking to enable logging of binary execution or cli history, much like we can do in Linux using auditd. I've read about support engineers using auditd for troubleshooting purposes and while we can certainly enable auditd rules to catpure binary executions in the auditd logs, I haven't seen anything mention using this on a consistent basis.  

I'm sure some folks are asking, "Why?" but in our testing we found that it is possible for an attacker to copy nmap to the device and from there start scanning the network. We'd also like to log if/when someone launches, say, tcpdump for instance.

I've been playing with this a bit and I can't seem to find anything anywhere that is logging which binaries are being run from the cli, except when we enable specific auditd rules that captures this. This brings up the question of log storage on the device since I've seen a number of posts regarding volumes running out of space due to audit logs growing uncontrolled.

Any advice/discussion/help is certainly appreciated!

  • if you're already familiar with auditd/auditctl rules, that's the way to go for that granular of an experience, but you would definitely want to configure syslog-ng to shoot your custom logging off-box as it will get very chatty; that IO overhead will impact system performance and fill your local disks quickly. Current rules on my 16.1.3 system:

    [root@ltm3:Active:Standalone] rules.d # auditctl -l
    -w /etc/selinux -p wa -k MAC-policy

    Those can be modified (technically, I'd open a support case to inquire about supportability) but understand that any system patch/upgrade would wipe out that system configuration, so you'd need a process to make sure that persists.

    tcpdump executions, however, are always already logged in /var/log/ltm:

    [root@ltm3:Active:Standalone] auditd # cat /var/log/ltm | grep -i tcpdump
    Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.1:2 from 127.1.1.254:41639
    Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
    Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.2:2 from 127.1.1.254:41639
    Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
    Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.1:2 from 127.1.1.254:41639
    Nov 15 15:51:19 ltm3.test.local notice tmm1[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.254:41639

     

  • if you're already familiar with auditd/auditctl rules, that's the way to go for that granular of an experience, but you would definitely want to configure syslog-ng to shoot your custom logging off-box as it will get very chatty; that IO overhead will impact system performance and fill your local disks quickly. Current rules on my 16.1.3 system:

    [root@ltm3:Active:Standalone] rules.d # auditctl -l
    -w /etc/selinux -p wa -k MAC-policy

    Those can be modified (technically, I'd open a support case to inquire about supportability) but understand that any system patch/upgrade would wipe out that system configuration, so you'd need a process to make sure that persists.

    tcpdump executions, however, are always already logged in /var/log/ltm:

    [root@ltm3:Active:Standalone] auditd # cat /var/log/ltm | grep -i tcpdump
    Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.1:2 from 127.1.1.254:41639
    Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
    Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.2:2 from 127.1.1.254:41639
    Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
    Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.1:2 from 127.1.1.254:41639
    Nov 15 15:51:19 ltm3.test.local notice tmm1[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.254:41639

     

  • Hey there - sorry this one fell through the cracks! Just now seeing it pop up again, and made sure JRahm sees it.

  • I haven't find any setting for logging of binary execution/cli history. As this is very good question and should go to review and improvement feature. @JRahm please add your comments. 

    Thanks