Email alert when private keys read from disk (honeypot, auditd)

I'd like to receive an immediate alert every time something reads the contents of my private key on Debian Linux. How can I do that?

I have an RSA private key stored on my server's disk at the following location:

/etc/ssl/private/super-secret.key

It's only readable by root, but I still want to have a log of every time this secret key has been read by a person or a process, and store the context of that read event for alerting and auditing purposes.

How can I set up immediate alerting when a very sensitive file has been read from disk?


This can be achieved using the following two tools:

  1. auditd to monitor the file (rather, to tell the kernel to monitor the file's inode) and log all read events to /var/log/audit/audit.log
  2. wazuh (or ossec) to monitor the audit.log file and send an email alert when appropriate

Prereqs

First, install auditd.

sudo apt-get install auditd

Next, install wazuh. If you've never done this before and it's only one server, you probably want the "all-in-one" install.

sudo apt-get install wazuh-manager

auditd config

To monitor the file /etc/ssl/private/super-secret.key, add an auditd rule to watch (-w) the file for read access (-p r) -- and give this rule an arbitrary "key" name (-k audit-wazuh-private-key-r) so we can match against it later.

cat > /etc/audit/rules.d/watch_private_keys.rules <<'EOF'
# monitor reads of our private keys for wazuh
-w /etc/ssl/private/super-secret.key -p r -k audit-wazuh-private-key-r
EOF

Apply the rules and list them to confirm they are loaded.

# auditd's systemd unit sets RefuseManualStop=yes, so "systemctl restart auditd" is refused;
# augenrules rebuilds /etc/audit/audit.rules from /etc/audit/rules.d/ and loads it into the kernel
augenrules --load
auditctl -l

wazuh config

Add the following lines to your wazuh main config file (/var/ossec/etc/ossec.conf) to enable monitoring of the auditd log file.

  <localfile>
    <location>/var/log/audit/audit.log</location>
    <log_format>audit</log_format>
  </localfile>

Add the "key" name of our rule above to the list of auditd keys that wazuh monitors.

grep 'audit-wazuh-private-key-r:read' /var/ossec/etc/lists/audit-keys || echo 'audit-wazuh-private-key-r:read' >> /var/ossec/etc/lists/audit-keys

Add the following lines to your wazuh local rules file (/var/ossec/etc/rules/local_rules.xml) to tell wazuh that this event is a level 12 "high importance event" and that it should trigger an email alert.

        <rule id="100002" level="12">
                <if_sid>80700</if_sid>
                <match>audit-wazuh-private-key-r</match>
                <options>alert_by_email</options>
                <description>Audit: Watch - Private Key Read</description>
        </rule>

Restart wazuh (the systemd unit installed by the wazuh-manager package is wazuh-manager).

systemctl restart wazuh-manager

Now, any attempt to read the contents of the /etc/ssl/private/super-secret.key file will send you an email alert.

See Also

  1. https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/
  2. https://documentation.wazuh.com/4.0/user-manual/capabilities/system-calls-monitoring/audit-configuration.html
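The questioner also wants the context of each read event (who, which process, which tty, did it succeed). Below is an added example, not part of the answer above and not Wazuh's own decoder code, that shows what that context looks like once the raw auditd records are parsed: it groups the SYSCALL, CWD, PATH and PROCTITLE records of one syscall by their shared serial number, keeps only the events tagged with the rule key from the auditd rule above, and renders the fields an alert e-mail should carry. The audit.log lines it runs on are constructed for this example (not captured from a real host); WATCH_KEY is the -k value from the rule above, and all function names are this example's own.

```python
"""Extract the context of each read of a watched file from raw auditd records.

Added example (not from the original answer, not Wazuh's own code). It does in
plain Python what the Wazuh audit decoder does with /var/log/audit/audit.log,
so you can see which fields end up in the alert.
"""
import re
from collections import defaultdict

WATCH_KEY = "audit-wazuh-private-key-r"  # the -k value from the auditd rule

# Constructed sample records (not captured from a real host). All records of one
# syscall share a serial number: msg=audit(<epoch>:<serial>). Serial 4242 is a
# successful read by root under sudo (auid=1000 is the human who logged in);
# 4243 is a denied read (exit=-13, EACCES) by an unprivileged user; 4244 carries
# another rule's key and must be ignored. auid=4294967295 means "no login session".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd12345678 a2=0 a3=0 items=1 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="audit-wazuh-private-key-r"
type=CWD msg=audit(1700000000.123:4242): cwd="/root"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/ssl/private/super-secret.key" inode=131073 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=636174002F6574632F73736C2F707269766174652F73757065722D7365637265742E6B6579
type=SYSCALL msg=audit(1700000000.999:4243): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd00000000 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="audit-wazuh-private-key-r"
type=PATH msg=audit(1700000000.999:4243): item=0 name="/etc/ssl/private/super-secret.key" inode=131073 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000001.500:4244): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd00000001 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="some-other-key"
"""

_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into (type, timestamp, serial, fields); None if not a record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(body)}
    return rtype, float(ts), int(serial), fields


def group_events(text):
    """Group records by serial so the SYSCALL, CWD, PATH and PROCTITLE records
    of one syscall are handled as a single event: {serial: [(type, ts, fields)]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, ts, serial, fields = rec
            events[serial].append((rtype, ts, fields))
    return events


def decode_proctitle(value):
    """PROCTITLE is hex-encoded argv with NUL separators; auditd hex-encodes any
    value containing spaces or control characters. Plain values pass through."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    return raw.rstrip(b"\0").decode("utf-8", "replace").replace("\0", " ")


def alerts_for_key(text, key=WATCH_KEY):
    """Return one alert dict per syscall tagged with the given auditd rule key."""
    alerts = []
    for serial, records in sorted(group_events(text).items()):
        by_type, paths = {}, []
        for rtype, ts, fields in records:
            if rtype == "PATH":
                paths.append(fields.get("name"))
            else:
                by_type[rtype] = (ts, fields)
        if "SYSCALL" not in by_type:
            continue
        ts, sc = by_type["SYSCALL"]
        if sc.get("key") != key:
            continue
        cwd = by_type.get("CWD", (None, {}))[1].get("cwd")
        cmdline = decode_proctitle(by_type["PROCTITLE"][1]["proctitle"]) if "PROCTITLE" in by_type else None
        alerts.append({
            "serial": serial, "timestamp": ts,
            "success": sc.get("success") == "yes",
            "login_uid": int(sc["auid"]),   # survives sudo/su: identifies the person, not the effective user
            "uid": int(sc["uid"]), "euid": int(sc["euid"]),
            "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
            "comm": sc.get("comm"), "exe": sc.get("exe"),
            "tty": sc.get("tty"), "session": sc.get("ses"),
            "cwd": cwd, "cmdline": cmdline, "files": paths,
        })
    return alerts


def format_alert(a):
    """Render the context the way you would want it in the alert e-mail body."""
    outcome = "READ" if a["success"] else "DENIED read of"
    return (f"{outcome} {', '.join(a['files'])} by pid {a['pid']} ({a['exe']}, comm {a['comm']}) "
            f"running as uid {a['uid']}/euid {a['euid']}, logged in as uid {a['login_uid']} "
            f"on {a['tty']} session {a['session']}, cwd {a['cwd']}; cmdline: {a['cmdline']}")


if __name__ == "__main__":
    for alert in alerts_for_key(SAMPLE_AUDIT_LOG):
        print(format_alert(alert))
```

Two things worth noticing in the output: the successful read is attributed to login uid 1000 even though it ran as root, because auid is set at login and survives sudo, and the denied attempt is logged too, since the watch fires on the access attempt rather than on its success. On the host itself, `ausearch -k audit-wazuh-private-key-r -i` shows the same records with uids and syscall numbers resolved to names.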