I'd like to receive an immediate alert every time something reads the contents of my private key on Debian Linux. How can I do that?

I have an RSA private key stored on my server's disk at the following location:

/etc/ssl/private/super-secret.key

It's only readable by root, but I still want to have a log of every time this secret key has been read by a person or a process, and store the context of that read event for alerting and auditing purposes.

How can I set up immediate alerting when a very sensitive file has been read from disk?

Michael Altfield
    Auditing access to files or directories is described in the *"File System"* paragraph of `man 7 audit.rules`. – anx Dec 13 '20 at 17:29

This can be achieved using the following two tools:

  1. auditd to monitor the file (rather, to tell the kernel to monitor the file's inode) and log all read events to /var/log/audit/audit.log
  2. wazuh (or ossec) to monitor the audit.log file and send an email alert when appropriate

Prereqs

First, install auditd.

sudo apt-get install auditd

Next, install wazuh. If you've never done this before and it's only one server, you probably want the "all-in-one" install.

sudo apt-get install wazuh-manager

auditd config

To monitor the file /etc/ssl/private/super-secret.key, add an auditd rule to watch (-w) the file for read access (-p r) -- and give this rule an arbitrary "key" name (-k audit-wazuh-private-key-r) so we can match against it later.

cat > /etc/audit/rules.d/watch_private_keys.rules <<'EOF'
# monitor reads of our private keys for wazuh
-w /etc/ssl/private/super-secret.key -p r -k audit-wazuh-private-key-r
EOF

Restart auditd to apply the rules, then list the loaded rules to confirm the watch is active.

systemctl restart auditd
auditctl -l

wazuh config

Add the following lines to your wazuh main config file (/var/ossec/etc/ossec.conf) to enable monitoring of the auditd log file.

  <localfile>
    <location>/var/log/audit/audit.log</location>
    <log_format>audit</log_format>
  </localfile>

Add the "key" name of our rule above to the list of auditd keys that wazuh monitors.

grep 'audit-wazuh-private-key-r:read' /var/ossec/etc/lists/audit-keys || echo 'audit-wazuh-private-key-r:read' >> /var/ossec/etc/lists/audit-keys

Add the following lines to your wazuh local rules file (/var/ossec/etc/rules/local_rules.xml) to tell wazuh that this event is a level 12 = "high important event" and that it should trigger an email alert.

  <rule id="100002" level="12">
    <if_sid>80700</if_sid>
    <match>audit-wazuh-private-key-r</match>
    <options>alert_by_email</options>
    <description>Audit: Watch - Private Key Read</description>
  </rule>

Restart the wazuh manager service (the unit installed by the wazuh-manager package).

systemctl restart wazuh-manager

Now, any attempt to read the contents of the /etc/ssl/private/super-secret.key file will send you an email alert.

See Also

  1. https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/
  2. https://documentation.wazuh.com/4.0/user-manual/capabilities/system-calls-monitoring/audit-configuration.html
Michael Altfield
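To see what the rule key actually gives wazuh to match on, here is an added Python example (not from the answer or the wazuh project) that parses constructed audit.log records for the watch above, groups them by event serial, and pulls out the context an alert should carry; the log lines, field subset and alert layout are my own assumptions.

```python
import re
from collections import defaultdict

WATCH_KEY = "audit-wazuh-private-key-r"  # key from the auditd rule above
# Constructed sample of what auditd writes: each open() of the watched file
# yields a SYSCALL record plus PATH record(s) sharing one event serial.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1607880000.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="audit-wazuh-private-key-r"
type=PATH msg=audit(1607880000.123:4567): item=0 name="/etc/ssl/private/super-secret.key" inode=131342 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1607880000.456:4568): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2222 pid=2223 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="python3" exe="/usr/bin/python3.9" key="audit-wazuh-private-key-r"
type=PATH msg=audit(1607880000.456:4568): item=0 name="/etc/ssl/private/super-secret.key" inode=131342 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1607880001.000:4569): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="other-rule"
type=PATH msg=audit(1607880001.000:4569): item=0 name="/etc/ssh/sshd_config" inode=42 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit.log line into a dict of its key=value fields."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"], fields["serial"] = m["ts"], m["serial"]
    return fields

def find_key_reads(log_text, watch_key=WATCH_KEY):
    """Group records by event serial and return context for every event whose
    SYSCALL record carries our rule key; denied opens (success=no) count too."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    alerts = []
    for serial, recs in events.items():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != watch_key:
            continue
        alerts.append({
            "serial": serial, "timestamp": sc["timestamp"],
            "success": sc.get("success") == "yes",
            "auid": sc.get("auid"),  # login uid survives sudo, so this is the human
            "uid": sc.get("uid"), "pid": sc.get("pid"),
            "exe": sc.get("exe"), "comm": sc.get("comm"),
            "paths": [r["name"] for r in recs if r["type"] == "PATH"],
        })
    return alerts
```

Running find_key_reads(SAMPLE_LOG) yields two alerts (the root cat and the denied python3 attempt) and ignores the sshd event carrying a different key.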