
QLean for IBM Security QRadar SIEM: Admin Guide
www.scnsoft.com

MITRE ATT&CK for Linux Platforms
ADMIN GUIDE
© 2020 ScienceSoft | Page 1 from 31

MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

Table of Contents

Overview ..... 3
Supported Versions ..... 4
Extension Installation ..... 5
  Downloading Extension ..... 5
  Installing Extension ..... 5
Overview ..... 6
  Rules overview ..... 6
  Rules structure ..... 7
Prerequisites ..... 9
  Configuring rsyslog ..... 10
  Configuring auditd ..... 11
Usage ..... 12
  Enable rules ..... 12
  Add legitimate Linux users ..... 12
Troubleshooting ..... 14
Appendix A: Release notes ..... 15
  1.0.0 ..... 15
Appendix B: Custom Properties ..... 16
Appendix C: Custom Rules ..... 17

Overview

The Linux MITRE ATT&CK rules from ScienceSoft are based on the logs of auditd, the userspace daemon of the Linux Audit framework, which records security-relevant kernel events on most Linux distributions. The rules only work with a properly configured audit subsystem, so the rule set developed by ScienceSoft includes the auditd configuration steps that must be performed for each rule. The rule logic itself is simple and straightforward and relies mostly on that auditd configuration. Although extensively tested and tuned, the Linux MITRE ATT&CK rules are disabled by default to prevent false positives in a production SIEM environment, so make sure to enable them once the auditd configuration is done.
IMPORTANT: This complimentary content pack is part of the full set of Linux MITRE ATT&CK rules developed by ScienceSoft. The full set is available as a commercial product, including professional services support for auditd configuration and troubleshooting; request it at [email protected].

Supported Versions

Supported QRadar versions are:
• 7.3.0 GA and higher

NOTE: this content pack is developed by ScienceSoft Inc. and is not supported by IBM. You can request your own QRadar content pack to be developed via the following email address: [email protected].

Extension Installation

This rules content pack is distributed as a QRadar extension. To install it, follow the steps below.

Downloading Extension
• Go to https://exchange.xforce.ibmcloud.com/hub
• Log in using your IBMid
• Filter by Type: Custom Rule
• Select the MITRE ATT&CK for Linux Platforms extension
• Click the Download button in the top right corner
• Save the extension zip file

Installing Extension
• Log in to the QRadar UI
• Go to the Admin tab
• Open Extensions Management
• Click the Add button
• Select the Install immediately checkbox, click Browse, locate the extension file downloaded from IBM App Exchange and click Add
• Confirm all the steps and wait for the installation to finish. This may take a while.
• Close the Extensions Management window and press Ctrl+F5 to fully reload the QRadar UI.
• Deploy changes if QRadar asks for it

Overview

Rules overview

To get the list of MITRE rules, follow the steps below.
• Go to the Offenses tab
• Click the Rules link
• Click the Group drop-down and select the MITRE group.

By default all rules are disabled.
Rules structure

Click any rule in the MITRE group for more details.

IMPORTANT: for a MITRE rule to trigger, you must configure auditd for every rule you are interested in. The Notes section of every rule contains the detailed auditd configuration to be performed.

IMPORTANT: scroll down the Notes section to review the whole configuration guide for the rule.

Press the Next (3) button to check the Rule Response part. This wizard page shows the CRE event that will be generated when the rule triggers. The Event Name field contains the unique ID and the name of the MITRE tactic. The Event Description field contains a short description and a link to this particular tactic at mitre.org.

Prerequisites

The following software versions are required to configure the audit settings and forward the events to QRadar:
• audit-1.8.x or higher
• rsyslog5-5.8.x or higher

Execute the following commands to verify the installed versions.

For Red Hat based distributions:
# rpm -qa | grep audit
# rpm -qa | grep rsyslog

For Debian based distributions:
# dpkg -l auditd
# dpkg -l rsyslog

If rsyslog is not installed on your system, perform the following steps:

1. Install rsyslog (and the audisp plugins where they are packaged separately):

a) For Red Hat/CentOS 5.x, 6.x and 7.x:
# yum install rsyslog
# chkconfig syslog off
# chkconfig rsyslog on
# service syslog stop
# chmod 600 /etc/audisp/plugins.d/syslog.conf

b) For Red Hat/CentOS/Oracle Linux 8.x (rsyslog should already be installed; if not, run 'yum install rsyslog'):
# yum install audispd-plugins

c) For Debian/Ubuntu:
# apt install rsyslog
# apt install audispd-plugins

2. Disable compatibility mode by editing the rsyslog options file:

a) For Red Hat based distributions:
# vi /etc/sysconfig/rsyslog

b) For Debian based distributions:
# vi /etc/default/rsyslog

3. Insert the following line at the top of that file:
SYSLOGD_OPTIONS="-c5"

NOTE: -c5 makes rsyslog 5 run in its native mode instead of sysklogd compatibility mode. rsyslog 7 and later treat the -c switch as obsolete and only log a warning about it, so on distributions that ship those versions this step is harmless but has no effect.

4. Restart the rsyslog daemon:
# service rsyslog restart

Configuring rsyslog

The Linux Audit Framework (LAF) produces a massive amount of audit events and, forwarded unfiltered, can consume a large part of the QRadar EPS license. Filtering the LAF events in rsyslog lets you skip the messages that are not used by the QRadar correlation rules.

For Red Hat/Debian based distributions, add the following lines to /etc/rsyslog.d/audit.conf:

################### BEGIN ##################
# Advanced Rsyslog audit template for SIEM #
############################################
# This template is used for filtering LAF messages to SIEM solution
$EscapeControlCharactersOnReceive off

# Logging template: LAF (make sure it is a single line!)
$template t_os,"<%pri%>%timegenerated% os-%hostname% msg=%msg:::drop-last-lf%\n"

# Filtered LAF audit messages
# ATTENTION: Filtering requires 'auditd' configuration and
# '/etc/audit/audit.rules' configuration baseline
# with specific key - 'siem'
# See more details in the documentation provided
:msg,contains,"key=\"siem-" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=EXECVE" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=DAEMON_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=USER_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=ADD_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=DEL_" @@<QRADAR_IP>;t_os
& ~
############################ END ##########################

where <QRADAR_IP> is the IP address of the QRadar Event Collector/Processor. Each selector forwards the matching message over TCP (@@; a single @ would use UDP) formatted with the t_os template, and the & ~ line that follows discards the message so that it is not processed by later rules, including the local file rules when audit.conf is included before them, as in the distributions' default rsyslog.conf. Everything that matches none of the selectors stays on the host, which is where the EPS saving comes from. Note that the first selector only passes records produced by audit rules whose key starts with siem-, so the audit.rules baseline must tag every watched event with such a key (for example -k siem-<name>), and that audit records only reach rsyslog at all if the audisp syslog plugin is enabled (active = yes in /etc/audisp/plugins.d/syslog.conf, or /etc/audit/plugins.d/syslog.conf on audit 3.x).
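The selector set above can be checked offline before rsyslog is pointed at QRadar. The following Python script is an added example and is not part of the ScienceSoft content pack or its documentation: it applies the same six substring tests that the :msg,contains,... selectors perform, renders the forwarded records with the t_os template, and shows which records of a multi-record audit event would reach QRadar. The hostname web01, the syslog PRI value 13 and the timestamp are assumed values, and the sample records are constructed for the example in the shape auditd writes to audit.log.

```python
"""Offline simulation of the /etc/rsyslog.d/audit.conf selectors from this guide.
Added example, not code from the ScienceSoft content pack; hostname, PRI and
timestamp are assumed values, and the sample records are constructed."""
from datetime import datetime

# The substrings of the six :msg,contains,... selectors in audit.conf. rsyslog
# forwards a message if ANY selector matches; a message matching none stays local.
FORWARD_IF_CONTAINS = (
    'key="siem-',    # records from audit rules tagged -k siem-<name>
    "type=EXECVE",   # argv of every audited execve(); these carry no key
    "type=DAEMON_",  # auditd start/stop/abort
    "type=USER_",    # PAM, login and session records (USER_LOGIN, USER_AUTH, ...)
    "type=ADD_",     # ADD_USER / ADD_GROUP
    "type=DEL_",     # DEL_USER / DEL_GROUP
)


def is_forwarded(msg: str) -> bool:
    """The decision rsyslog's 'contains' comparison makes: a case-sensitive substring test."""
    return any(needle in msg for needle in FORWARD_IF_CONTAINS)


def render_t_os(pri: int, hostname: str, msg: str, when: datetime) -> str:
    """Render one forwarded line with the t_os template
    "<%pri%>%timegenerated% os-%hostname% msg=%msg:::drop-last-lf%\\n".
    %timegenerated% is written in rsyslog's default RFC 3164 form (day padded with a space);
    drop-last-lf removes a single trailing newline from the message."""
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    body = msg[:-1] if msg.endswith("\n") else msg
    return f"<{pri}>{timestamp} os-{hostname} msg={body}\n"


def filter_records(records, hostname="web01", pri=13,
                   when=datetime(2020, 5, 6, 12, 10, 32)):
    """Split audit records into (lines sent to QRadar, records dropped on the host)."""
    sent, dropped = [], []
    for record in records:
        if is_forwarded(record):
            sent.append(render_t_os(pri, hostname, record, when))
        else:
            dropped.append(record)
    return sent, dropped


def forwarded_types_by_serial(records):
    """Map each audit event serial to the record types that reach QRadar, to show which
    parts of a multi-record event (SYSCALL, EXECVE, CWD, PATH, PROCTITLE) survive."""
    result = {}
    for record in records:
        serial = record.split("):", 1)[0].rsplit(":", 1)[-1]
        rtype = record.split(" ", 1)[0]
        rtype = rtype[len("type="):] if rtype.startswith("type=") else rtype
        result.setdefault(serial, [])
        if is_forwarded(record):
            result[serial].append(rtype)
    return result


# Constructed records. One execve() of wget by uid 1000 yields the five records with serial 2001.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1588766432.101:2001): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=1411 pid=1500 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 '
    'comm="wget" exe="/usr/bin/wget" key="siem-exec"',
    'type=EXECVE msg=audit(1588766432.101:2001): argc=3 a0="wget" a1="-O" a2="/tmp/x"',
    'type=CWD msg=audit(1588766432.101:2001): cwd="/home/alice"',
    'type=PATH msg=audit(1588766432.101:2001): item=0 name="/usr/bin/wget" inode=393 '
    'dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1588766432.101:2001): proctitle=77676574002D4F002F746D702F78',
    # login and account management records carry no key but match type=USER_ / type=ADD_
    "type=USER_LOGIN msg=audit(1588766440.512:2002): pid=1200 uid=0 auid=1000 ses=3 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 "
    "terminal=/dev/pts/0 res=success'",
    "type=ADD_USER msg=audit(1588766450.007:2003): pid=1601 uid=0 auid=1000 ses=3 "
    "msg='op=adding user id=1001 exe=\"/usr/sbin/useradd\" hostname=? addr=? "
    "terminal=pts/0 res=success'",
    # a watch with a key outside the siem- namespace: never leaves the host
    'type=SYSCALL msg=audit(1588766460.300:2004): arch=c000003e syscall=257 success=yes '
    'exit=3 comm="cat" exe="/usr/bin/cat" key="local-debug"',
    'type=DAEMON_START msg=audit(1588766000.000:8001): op=start ver=2.8.5 format=raw '
    'kernel=4.18.0 auid=4294967295 pid=900 uid=0 ses=4294967295 res=success',
    # loading a -k siem-exec rule logs a CONFIG_CHANGE that contains the key text,
    # so it passes the first selector as well
    'type=CONFIG_CHANGE msg=audit(1588766001.000:8002): auid=4294967295 ses=4294967295 '
    'op=add_rule key="siem-exec" list=4 res=1',
]


if __name__ == "__main__":
    sent, dropped = filter_records(SAMPLE_RECORDS)
    print(f"forwarded {len(sent)} of {len(SAMPLE_RECORDS)} records; "
          f"{len(dropped)} stay on the host")
    for serial, types in forwarded_types_by_serial(SAMPLE_RECORDS).items():
        print(f"  serial {serial}: {types or 'nothing'} reaches QRadar")
    for line in sent:
        print(line, end="")
```

Feeding the lines of a real /var/log/audit/audit.log to filter_records() gives an estimate of the fraction of the audit volume that will count against the QRadar EPS license. The sample also makes two properties of the selector set visible: the CWD, PATH and PROCTITLE records of an exec event are dropped, so QRadar receives only the SYSCALL and EXECVE records of that event, and the CONFIG_CHANGE record written when a siem- rule is loaded contains the key text and is forwarded too.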
Save the file, check its syntax with rsyslogd -N1, and restart rsyslog using the following command:
# service rsyslog restart

Configuring auditd

Most of the rules provided with this content pack require auditd