IBM Security QRadar

 View Only
  • 1.  Identify Linux interactive Logons

    Posted Fri November 18, 2022 02:13 AM
    Good Morning to IBM Security QRadar Group. Does anybody has any idea how to discover interactive logons on Linux Systems? The Usecase is to find out if someone trys to use an account (for example a service account) and tries to login with this account. I am looking for something that is send by windows with logon Type 2 "Interactive (logon at keyboard and screen of system)" for Linux. Greetings from Austria Martin

    ------------------------------
    Martin Schmitt
    ------------------------------


  • 2.  RE: Identify Linux interactive Logons

    Posted 26 days ago
    Hi Martin, 

    I am having a similar issue with a new environment added to qradar. 

    Did you manage to run a successful search for interactive logons, from Linux?

    I am seeing some event with the title:
    Linux login messages Message.

    Many thanks for any help or advice. 

    Best regards, 
    Anthony

    ------------------------------
    Anthony Sharma
    ------------------------------



  • 3.  RE: Identify Linux interactive Logons

    Posted 25 days ago
    Hi Anthony,

    i did not find something that satisfied me yet. I had a look into the Linux login messages and as far as i remember those are more or less the ones getting "parsed a little bit" something like the res bucke ;-). If you find out something let me know and i will also do so. 

    We reduced the usecase to the Windows logs where it is easy and rules also exist. 

    Best regards,
    Martin

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 4.  RE: Identify Linux interactive Logons

    IBM Champion
    Posted 25 days ago
    Linux auditing for this is very difficult.  The use of auditd helps somewhat, particularly with CIS or STIG enhancements.  What I do is to search for the ssh sessions like like these:
    Jan 12 09:03:49  myhost sshd[17163]: keyboard-interactive/pam for frank from 9.9.90.91 port 55362 ssh2
    Jan 12 09:08:52 myhost sshd[7936]: Accepted publickey for root from 9.9.90.91 port 49260 ssh2: RSA SHA256:blahblah

    There really is no difference as far as I can tell between the shared sessions and the keyboard interactive from an auditing standpoint.  I use a BB to tag those.

    Gladys Koskas shared some roots of work she did to track the user's activities once they sudo.  It involves putting the users PID into a reference set and tracking the spawned processes.  It puts a LOT of load on QR when there are a lot of log sources with lots of activity.  

    For something used so much, why is the auditing so BAD???  

    P.S.  There are some 3rd party solutions like snoopy, etc.

    ------------------------------
    Frank Eargle
    ------------------------------



  • 5.  RE: Identify Linux interactive Logons

    Posted 20 days ago
    If you find it let us know ;-)

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 6.  RE: Identify Linux interactive Logons

    Posted 19 days ago
    Edited by Laszlo Zrubecz 19 days ago
    Hi, 
    There are many things need to be define properly first:

    "interactive logons"
    on windows, where Logon Type = 2 this means a real physical login with an attached keyboard.

    on Linux even SSH is using the "interactive logon" phrase, but it means password authentication instead. While the logon is really a remote logon.

    "service account"
    On windows this is a thing.
    On Linux, there is no such thing as "service account"

    Once you defined what you are really looking for, on Linux you need the Audit Logs - which is equivalent to the Microsoft Security Event Logs.
    Here is one sample event aboot an SSH login:
    <182>1 2023-01-18T15:00:45.863150+00:00 centos-8 audispd 25516 - - type=USER_LOGIN msg=audit(1674054045.862:4002): pid=85816 uid=0 auid=0 ses=28 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=10.172.16.2 terminal=/dev/pts/0 res=success' UID="root" AUID="root" ID="root"
    Where the important custom properties would be:
    • type=USER_LOGIN
    • terminal=/dev/pts/0
    • ID="root"
    • res=success
    From this the terminal can tell you if it is a real "logon at keyboard and screen of system" (Logon Type = 2 on windows) or a remote session.

    This article may help decide by terminal names:
    https://www.golinuxcloud.com/difference-between-pty-vs-tty-vs-pts-linux/
    https://unix.stackexchange.com/questions/21280/difference-between-pts-and-tty

    Using these information, you can create a rule triggering for what you really need...

    You can read more about User Login auditing on Linux:
    https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events

    ------------------------------
    Laszlo Zrubecz
    ------------------------------