Security-Related Queries for Linux
This post has several queries you can run in Sumo to detect potential security issues in your Linux environment.
The queries depend on your Linux distribution and on how your logs are formatted, so you might need to tweak them a bit to fit your needs.
A query returns no results if the problem it looks for is absent, so an empty result set means the problem was not found in the selected time range.
Monitor Excessive Failed Sudo Commands
This query helps you identify potential breaches or attacks by monitoring for large numbers of failed sudo commands (attempts by users who are not in the sudoers file). Edit the timeslice and the count threshold to fit your investigation.
_sourceCategory=Labs/OS/linux/security and " user NOT in sudoers"
| parse regex "sudo:\s+(?<src_user>\S+)\s+:\s+user NOT in sudoers" nodrop
| parse "PWD=* ;" as pwd nodrop
| parse "USER=* ; " as dest_user nodrop
| parse "COMMAND=*" as command nodrop
| timeslice 5m
| count src_user, _timeslice
| where _count > 5
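As an added example (not part of the original post), the same detection run locally in Python over a handful of constructed syslog-style lines: it applies the query's `user NOT in sudoers` regex, floors each timestamp to a 5-minute bucket the way `timeslice 5m` does, counts per (user, bucket) and keeps buckets over the threshold. Line format and timestamps are assumptions (ISO 8601 timestamps as rsyslog's default file format writes them).

```python
import re
from collections import Counter
from datetime import datetime

# The Sumo query's regex, in Python's (?P<name>...) group syntax, plus the
# PWD/USER/COMMAND fields the query extracts with its follow-up parse steps.
SUDO_FAIL = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sudo:\s+(?P<src_user>\S+)\s+:\s+user NOT in sudoers"
    r".*?PWD=(?P<pwd>\S+) ; USER=(?P<dest_user>\S+) ; COMMAND=(?P<command>.*)$"
)

# Constructed sample lines (not real log data): seven denials for "mallory"
# inside one 5-minute window, one denial and one allowed command for "bob".
SAMPLE = [
    f"2024-03-03T10:0{m}:{s:02d}+00:00 host1 sudo:    mallory : user NOT in sudoers ; "
    f"TTY=pts/0 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/ls /root"
    for m, s in [(1, 7), (1, 19), (2, 3), (2, 41), (3, 5), (3, 50), (4, 12)]
] + [
    "2024-03-03T10:02:30+00:00 host1 sudo:    bob : user NOT in sudoers ; "
    "TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update",
    "2024-03-03T10:02:31+00:00 host1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; "
    "USER=bob ; COMMAND=/usr/bin/id",
]


def timeslice(ts: datetime, minutes: int = 5) -> datetime:
    """Floor a timestamp to the start of its N-minute bucket (Sumo's `timeslice`)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def failed_sudo_bursts(lines, minutes: int = 5, threshold: int = 5) -> dict:
    """Equivalent of `count src_user, _timeslice | where _count > threshold`.

    Returns {(src_user, bucket_start_iso): count} for buckets above the threshold;
    an empty dict means no burst was found, matching the query's "no results".
    """
    counts = Counter()
    for line in lines:
        m = SUDO_FAIL.search(line)
        if not m:  # allowed commands and unrelated lines never enter the count
            continue
        bucket = timeslice(datetime.fromisoformat(m["ts"]), minutes)
        counts[(m["src_user"], bucket.isoformat())] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for (user, bucket), n in failed_sudo_bursts(SAMPLE).items():
        print(f"{user}: {n} failed sudo attempts in the 5m window starting {bucket}")
```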
Monitor a User’s Logins from Two Different Places (Impossible Travel)
“Impossible travel” refers to multiple logins using the same credentials from geographically distant locations within an impractical period of time. This can indicate that credentials have been leaked or phished. This query looks for the same credentials being used to log in from multiple source hosts, counting the distinct hosts per user and flagging users whose total exceeds the threshold in the `where _total` line. The time range you choose when running the query is important. For example, logins by the same user from two locations that are 500 miles apart within 10 minutes is a red flag; you need a longer query time range to detect suspicious logins by the same user from two continents.
_sourceCategory=Labs/OS/linux/security and sshd and opened
| parse "Accepted * for * from * port" as method, dest_user, dest_host nodrop
| count dest_user, dest_host
| sort dest_user, dest_host
| "1" as rownum
| total rownum by dest_user
| where _total>20
| fields - _count, rownum
Monitor Users Added to Groups
This query helps you identify group-management activity in your environment, such as new groups being created with groupadd, which often precedes users being added to privileged groups.
_sourceCategory=Labs/OS/linux and groupadd and "new group"
| parse "new group: name=*, GID=*" as dest_group, dest_gid
| formatDate(_messagetime, "dd/MM/yyyy hh:mm:ss") as date
| count date, dest_group, dest_host, process
| fields - _count
| sort date