I did not install the corresponding patched binaries of the corresponding rootkits, just some self-compiled fake modules which do nothing. Even if rootkits would be recognised by the occurrence of the installed patched binaries (netstat, ps, ls, lsmod, ... and friends) and Wazuh would recognise them by FIM checks, it is notwithstanding a good idea also to check for the existence the of loaded kernel modules triggering an alert on specific loaded modules.
User Acceptance Criteria
Check also for loaded kernel modules filtering for the names of the well known rootkit kernel modules
Do not use the lsmod binary for the examination since it could be replaced by the rootkit hiding its own kenel module, use /proc/modules itself.
generate an alert if one of the modules is loaded
Side Note
For testing with fake kernel modules you might consult this web page
Solution Suggestion
I implemented a solution which works and I detected in this connection a bug with CDB-lists.
Add this to agent's ossec.conf. The logger pipes the output into into syslog. I do not use the <full_command> tag for it generating syscheck events which aren't fully parsable as regular events:
3. Here the rule, it generates `level 12` alerts if a `rootkit` kernel module is loaded. I used `CDB lists` with the blacklisted `rootkit` kernel modules which works impeccable with the `ossec-logtest` tool but not in real live (see bug report #1774). I replaced it by the enumeration of the `ROOTKIT_LKM` variable and the `match` tag which works in live. Since it is a `level 12` rule it should send an e-mail if a `rootkit` kernel module is present which works with the `<match>` but **NOT** with the `<list field="abc">` tag. Now, the rule:
```XML
<group name="kmod,">
<var name="ROOTKIT_LKM">adore|afhrm|bkit_adore|cleaner|diamorphine|flkm|itf|kis|knark|kstat|modhide|mod_klgr|p2|phide_mod|Rial|strings|Synapsis|rootkit|rpldev|vlogger|wkmr26|xC</var>
<rule id="112000" level="0">
<category>ossec</category>
<decoded_as>kmod-detect</decoded_as>
<description>Grouping of loaded kernel rules.</description>
</rule>
<rule id="112001" level="12">
<if_sid>112000</if_sid>
<!-- <list field="module" lookup="match_key">etc/lists/rootkit/linux-rootkit-lkm</list> -->
<match>$ROOTKIT_LKM</match>
<description>Loaded kernel rootkit module found!</description>
</rule>
</group>
And yes, feedback about how the decoder and the rule is written is highly welcome!
First, sorry for the late answer.
These rules are very interesting. If you want to contribute with our repository you can create PR with your rules and decoders.
Feature Request
Description
I compiled and installed the following fake rootkit kernel modules on a test agent:
I did not install the corresponding patched binaries of the corresponding rootkits, just some self-compiled fake modules which do nothing. Even if rootkits would be recognised by the occurrence of the installed patched binaries (
netstat, ps, ls, lsmod, ...
and friends) and Wazuh would recognise them by FIM checks, it is notwithstanding a good idea also to check for the existence the of loaded kernel modules triggering an alert on specific loaded modules.User Acceptance Criteria
lsmod
binary for the examination since it could be replaced by the rootkit hiding its own kenel module, use/proc/modules
itself.Side Note
For testing with fake kernel modules you might consult this web page
Solution Suggestion
I implemented a solution which works and I detected in this connection a bug with CDB-lists.
ossec.conf
. The logger pipes the output into intosyslog
. I do not use the<full_command>
tag for it generatingsyscheck
events which aren't fully parsable as regular events:decoder
for that specific events (it's my first self-written decoder, feedback would be appreciated if there is optimisation potential):And yes, feedback about how the decoder and the rule is written is highly welcome!