IBM QRadar

Good Morning to IBM Security QRadar Group. Does anybody has any idea how to discover interactive logons on Linux Systems? The Usecase is to find out if someone trys to use an account (for example a service account) and tries to login with this account. I am looking for something that is send by windows with logon Type 2 "Interactive (logon at keyboard and screen of system)" for Linux. Greetings from Austria Martin

------------------------------
Martin Schmitt
------------------------------

Hi Martin, 

I am having a similar issue with a new environment added to qradar. 

Did you manage to run a successful search for interactive logons, from Linux?

I am seeing some event with the title:
Linux login messages Message.

Many thanks for any help or advice. 

Best regards, 
Anthony

------------------------------
Anthony Sharma
------------------------------

Original Message:
Sent: Fri November 18, 2022 02:12 AM
From: Martin Schmitt
Subject: Identify Linux interactive Logons

Good Morning to IBM Security QRadar Group. Does anybody has any idea how to discover interactive logons on Linux Systems? The Usecase is to find out if someone trys to use an account (for example a service account) and tries to login with this account. I am looking for something that is send by windows with logon Type 2 "Interactive (logon at keyboard and screen of system)" for Linux. Greetings from Austria Martin

------------------------------
Martin Schmitt
------------------------------

Hi Anthony,

i did not find something that satisfied me yet. I had a look into the Linux login messages and as far as i remember those are more or less the ones getting "parsed a little bit" something like the res bucke ;-). If you find out something let me know and i will also do so. 

We reduced the usecase to the Windows logs where it is easy and rules also exist. 

Best regards,
Martin

------------------------------
Martin Schmitt
------------------------------

Original Message:
Sent: Wed January 11, 2023 09:48 AM
From: Anthony Sharma
Subject: Identify Linux interactive Logons

Hi Martin, 

I am having a similar issue with a new environment added to qradar. 

Did you manage to run a successful search for interactive logons, from Linux?

I am seeing some event with the title:
Linux login messages Message.

Many thanks for any help or advice. 

Best regards, 
Anthony

------------------------------
Anthony Sharma

Original Message:
Sent: Fri November 18, 2022 02:12 AM
From: Martin Schmitt
Subject: Identify Linux interactive Logons

Good Morning to IBM Security QRadar Group. Does anybody has any idea how to discover interactive logons on Linux Systems? The Usecase is to find out if someone trys to use an account (for example a service account) and tries to login with this account. I am looking for something that is send by windows with logon Type 2 "Interactive (logon at keyboard and screen of system)" for Linux. Greetings from Austria Martin

------------------------------
Martin Schmitt
------------------------------

Linux auditing for this is very difficult.  The use of auditd helps somewhat, particularly with CIS or STIG enhancements.  What I do is to search for the ssh sessions like like these:
Jan 12 09:03:49  myhost sshd[17163]: keyboard-interactive/pam for frank from 9.9.90.91 port 55362 ssh2
Jan 12 09:08:52 myhost sshd[7936]: Accepted publickey for root from 9.9.90.91 port 49260 ssh2: RSA SHA256:blahblah

There really is no difference as far as I can tell between the shared sessions and the keyboard interactive from an auditing standpoint.  I use a BB to tag those.

Gladys Koskas shared some roots of work she did to track the user's activities once they sudo.  It involves putting the users PID into a reference set and tracking the spawned processes.  It puts a LOT of load on QR when there are a lot of log sources with lots of activity.  

For something used so much, why is the auditing so BAD???  

P.S.  There are some 3rd party solutions like snoopy, etc.

------------------------------
Frank Eargle
------------------------------

Original Message:
Sent: Wed January 11, 2023 09:48 AM
From: Anthony Sharma
Subject: Identify Linux interactive Logons

Hi Martin, 

I am having a similar issue with a new environment added to qradar. 

Did you manage to run a successful search for interactive logons, from Linux?

I am seeing some event with the title:
Linux login messages Message.

Many thanks for any help or advice. 

Best regards, 
Anthony

------------------------------
Anthony Sharma

Original Message:
Sent: Fri November 18, 2022 02:12 AM
From: Martin Schmitt
Subject: Identify Linux interactive Logons

Good Morning to IBM Security QRadar Group. Does anybody has any idea how to discover interactive logons on Linux Systems? The Usecase is to find out if someone trys to use an account (for example a service account) and tries to login with this account. I am looking for something that is send by windows with logon Type 2 "Interactive (logon at keyboard and screen of system)" for Linux. Greetings from Austria Martin

------------------------------
Martin Schmitt
------------------------------

If you find it let us know ;-)

------------------------------
Martin Schmitt
------------------------------

Original Message:
Sent: Thu January 12, 2023 09:20 AM
From: Frank Eargle
Subject: Identify Linux interactive Logons

Linux auditing for this is very difficult.  The use of auditd helps somewhat, particularly with CIS or STIG enhancements.  What I do is to search for the ssh sessions like like these:
Jan 12 09:03:49  myhost sshd[17163]: keyboard-interactive/pam for frank from 9.9.90.91 port 55362 ssh2
Jan 12 09:08:52 myhost sshd[7936]: Accepted publickey for root from 9.9.90.91 port 49260 ssh2: RSA SHA256:blahblah

There really is no difference as far as I can tell between the shared sessions and the keyboard interactive from an auditing standpoint.  I use a BB to tag those.

Gladys Koskas shared some roots of work she did to track the user's activities once they sudo.  It involves putting the users PID into a reference set and tracking the spawned processes.  It puts a LOT of load on QR when there are a lot of log sources with lots of activity.  

For something used so much, why is the auditing so BAD???  

P.S.  There are some 3rd party solutions like snoopy, etc.

------------------------------
Frank Eargle

Original Message:
Sent: Wed January 11, 2023 09:48 AM
From: Anthony Sharma
Subject: Identify Linux interactive Logons

Hi Martin, 

I am having a similar issue with a new environment added to qradar. 

Did you manage to run a successful search for interactive logons, from Linux?

I am seeing some event with the title:
Linux login messages Message.

Many thanks for any help or advice. 

Best regards, 
Anthony

------------------------------
Anthony Sharma

Original Message:
Sent: Fri November 18, 2022 02:12 AM
From: Martin Schmitt
Subject: Identify Linux interactive Logons

Good Morning to IBM Security QRadar Group. Does anybody has any idea how to discover interactive logons on Linux Systems? The Usecase is to find out if someone trys to use an account (for example a service account) and tries to login with this account. I am looking for something that is send by windows with logon Type 2 "Interactive (logon at keyboard and screen of system)" for Linux. Greetings from Austria Martin

------------------------------
Martin Schmitt
------------------------------

Hi, 
There are many things need to be define properly first:

"interactive logons"
on windows, where Logon Type = 2 this means a real physical login with an attached keyboard.

on Linux even SSH is using the "interactive logon" phrase, but it means password authentication instead. While the logon is really a remote logon.

"service account"
On windows this is a thing.
On Linux, there is no such thing as "service account"

Once you defined what you are really looking for, on Linux you need the Audit Logs - which is equivalent to the Microsoft Security Event Logs.
Here is one sample event aboot an SSH login:

<182>1 2023-01-18T15:00:45.863150+00:00 centos-8 audispd 25516 - - type=USER_LOGIN msg=audit(1674054045.862:4002): pid=85816 uid=0 auid=0 ses=28 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=10.172.16.2 terminal=/dev/pts/0 res=success' UID="root" AUID="root" ID="root"

Where the important custom properties would be:

• type=USER_LOGIN
• terminal=/dev/pts/0
• ID="root"
• res=success

From this the terminal can tell you if it is a real "logon at keyboard and screen of system" (Logon Type = 2 on windows) or a remote session.

This article may help decide by terminal names:
https://www.golinuxcloud.com/difference-between-pty-vs-tty-vs-pts-linux/
https://unix.stackexchange.com/questions/21280/difference-between-pts-and-tty

Using these information, you can create a rule triggering for what you really need...

You can read more about User Login auditing on Linux:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events

------------------------------
Laszlo Zrubecz
------------------------------

Original Message:
Sent: Fri November 18, 2022 02:12 AM
From: Martin Schmitt
Subject: Identify Linux interactive Logons

Good Morning to IBM Security QRadar Group. Does anybody has any idea how to discover interactive logons on Linux Systems? The Usecase is to find out if someone trys to use an account (for example a service account) and tries to login with this account. I am looking for something that is send by windows with logon Type 2 "Interactive (logon at keyboard and screen of system)" for Linux. Greetings from Austria Martin

------------------------------
Martin Schmitt
------------------------------