Email alert when private keys read from disk (honeypot, auditd)
I'd like to receive an immediate alert every time something reads the contents of my private key on Debian Linux. How can I do that?
I have an RSA private key stored on my server's disk at the following location:
/etc/ssl/private/super-secret.key
It's only readable by root, but I still want to have a log of every time this secret key has been read by a person or a process, and store the context of that read event for alerting and auditing purposes.
How can I set up immediate alerting when a very sensitive file has been read from disk?
This can be achieved using the following two tools:
- auditd to monitor the file (rather, to tell the kernel to monitor the file's inode) and log all read events to /var/log/audit/audit.log
- wazuh (or ossec) to monitor the audit.log file and send an email alert when appropriate
Prereqs
First, install auditd.
sudo apt-get install auditd
Next, install wazuh. If you've never done this before and it's only one server, you probably want the "all-in-one" install.
sudo apt-get install wazuh-manager
auditd config
To monitor the file /etc/ssl/private/super-secret.key, add an auditd rule to watch (-w) the file for read access (-p r) -- and give this rule an arbitrary "key" name (-k audit-wazuh-private-key-r) so we can match against it later.
cat > /etc/audit/rules.d/watch_private_keys.rules <<'EOF'
# monitor reads of our private keys for wazuh
-w /etc/ssl/private/super-secret.key -p r -k audit-wazuh-private-key-r
EOF
Restart auditd to apply the rules
systemctl restart auditd
auditctl -l
wazuh config
Add the following lines to your wazuh main config file (/var/ossec/etc/ossec.conf) to enable monitoring of the auditd log file
<localfile>
<location>/var/log/audit/audit.log</location>
<log_format>audit</log_format>
</localfile>
Add the "key" name of our rule above to the list of auditd keys that wazuh monitors
grep 'audit-wazuh-private-key-r:read' /var/ossec/etc/lists/audit-keys || echo 'audit-wazuh-private-key-r:read' >> /var/ossec/etc/lists/audit-keys
Add the following lines to your wazuh local rules file (/var/ossec/etc/rules/local_rules.xml) to tell wazuh that this event is a level 12 = "high important event" and that it should trigger an email alert
<rule id="100002" level="12">
<if_sid>80700</if_sid>
<match>audit-wazuh-private-key-r</match>
<options>alert_by_email</options>
<description>Audit: Watch - Private Key Read</description>
</rule>
Restart wazuh
systemctl restart wazuh
Now, any attempt to read the contents of the /etc/ssl/private/super-secret.key file will send you an email alert.
See Also
- https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/
- https://documentation.wazuh.com/4.0/user-manual/capabilities/system-calls-monitoring/audit-configuration.html
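As an added example (not part of the original answer, and not Wazuh's own code), here is the matching logic Wazuh applies to audit.log done by hand in Python, so you can see what context a read of the key actually leaves behind: it groups the multi-record auditd events by their msg=audit(...) serial, keeps only those tagged with the rule's -k name, and pulls out who read the file, from which process and directory, and whether the read succeeded. The audit.log excerpt, its event serials, users and processes are all constructed sample data; only the key name and path come from the answer above.

```python
import re
from collections import defaultdict

WATCH_KEY = "audit-wazuh-private-key-r"  # the -k name from the auditd rule above

# Constructed audit.log excerpt (not real logs, fields abbreviated): a successful read
# by root's cat (event 901) and a denied read by an unprivileged user (event 903).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1234 pid=1300 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="audit-wazuh-private-key-r"
type=CWD msg=audit(1700000000.101:901): cwd="/root"
type=PATH msg=audit(1700000000.101:901): item=0 name="/etc/ssl/private/super-secret.key" inode=131072 dev=08:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.101:901): proctitle=636174002F6574632F73736C2F707269766174652F73757065722D7365637265742E6B6579
type=SYSCALL msg=audit(1700000000.400:903): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2000 pid=2100 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="python3" exe="/usr/bin/python3.11" key="audit-wazuh-private-key-r"
type=CWD msg=audit(1700000000.400:903): cwd="/home/alice"
type=PATH msg=audit(1700000000.400:903): item=0 name="/etc/ssl/private/super-secret.key" inode=131072 dev=08:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One audit record -> dict of fields; msg=audit(ts:serial): gives the event id."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["timestamp"], rec["event_id"] = rec["msg"][6:-2].split(":")
    return rec

def decode_proctitle(hexstr):
    """PROCTITLE is hex-encoded argv with NUL separators; rebuild the command line."""
    return bytes.fromhex(hexstr).replace(b"\x00", b" ").decode(errors="replace")

def key_read_events(log_text, watch_key=WATCH_KEY):
    """Group records by event id; return alert context for events tagged watch_key."""
    events = defaultdict(dict)          # event_id -> {record type: fields}
    for line in log_text.splitlines():
        rec = parse_record(line)
        events[rec["event_id"]][rec["type"]] = rec
    alerts = []
    for eid, recs in events.items():
        sc = recs.get("SYSCALL", {})
        if sc.get("key") != watch_key:
            continue                    # some other watch rule, or no SYSCALL record
        title = recs.get("PROCTITLE", {}).get("proctitle")
        alerts.append({
            "event_id": eid, "timestamp": sc["timestamp"],
            "path": recs.get("PATH", {}).get("name"),
            "success": sc.get("success") == "yes",   # denied attempts still deserve an alert
            "uid": sc.get("uid"), "auid": sc.get("auid"), "pid": sc.get("pid"),
            "exe": sc.get("exe"), "comm": sc.get("comm"), "cwd": recs.get("CWD", {}).get("cwd"),
            "cmdline": decode_proctitle(title) if title else None,
        })
    return alerts
```

Note that auid (the login uid) survives su/sudo, so it tells you which person read the key even when uid is 0; that is the field to put in the alert text.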