Microsoft has released a Linux version of the very popular Sysmon system monitoring tool for Windows, allowing Linux administrators to monitor devices for malicious activity.
For those unfamiliar with Sysmon (aka System Monitor), it is a Sysinternals tool that monitors a system for malicious activity and then logs any recorded behavior to the system logs.
Sysmon’s versatility comes from the ability to create custom configuration files that administrators can use to monitor specific system events that may indicate malicious activity on the system.
Sysmon is ported to Linux
Today, Microsoft’s Mark Russinovich, one of the founders of the Sysinternals utility suite, announced that Microsoft has released Sysmon for Linux as an open source project on GitHub.
Unlike Sysmon for Windows, Sysmon for Linux must be compiled by the user, who must also make sure that all the necessary dependencies are installed; the instructions are on the project’s GitHub page.
It is important to note that to compile Sysmon, you must first install the SysinternalsEBPF project as well.
Once Sysmon is compiled, you can view the help text by typing `sudo ./sysmon -h`, as shown in the screenshot below.
To use the program, you must first accept the end user license agreement with the following command:
sudo ./sysmon -accepteula
You can then start Sysmon with or without a configuration file using one of the following commands:
- Without a configuration file: `sudo ./sysmon -i`
- With a configuration file: `sudo ./sysmon -i CONFIG_FILE`
To create your own Sysmon configuration file, you will need to run the `sudo ./sysmon -s` command, which prints the configuration schema for the current version and shows which directives are available.
To learn more about creating a Sysmon configuration file, see the official documentation or use the SwiftOnSecurity template as an example.
Once started, Sysmon will begin logging events to the /var/log/syslog file. If you have not specified a configuration file to restrict what is logged, you will find that your syslog file grows rapidly as new processes start and end.
For example, in the screenshot below you can see an event showing the ‘adduser’ command exiting after I used it to create a new user.
To make it easier to filter the logs for specific events, you can use the sysmonLogView tool to view only the events you are looking for.
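The two steps above (writing a configuration file so that syslog does not fill up with every process start and exit, and then pulling out only the events you care about) can be exercised offline with the following script. This is an added example, not code from the article or from the Sysmon project: it assumes configuration schema version 4.81 (check the value printed by `sudo ./sysmon -s` on your build), uses the standard Sysmon filter idiom that an empty `onmatch="exclude"` rule logs everything of that type while an empty `onmatch="include"` rule logs nothing, and the sample syslog lines are constructed in the one-XML-document-per-line shape Sysmon for Linux writes, with made-up field values.

```shell
#!/bin/sh
# Added example (not from the article or the Sysmon project). Two pieces:
#   1. write_sysmon_config: a minimal Sysmon for Linux configuration that keeps
#      process creations (event 1) and non-loopback network connections (event 3)
#      but silences the very noisy process terminations (event 5).
#   2. count_events / images_for_id: a grep/sed filter over syslog lines that
#      selects one event ID, the job the article delegates to sysmonLogView.
# Assumptions: schemaversion 4.81 (confirm with `sudo ./sysmon -s`); the sample
# log lines are constructed, one <Event> XML document per syslog line.

write_sysmon_config() {   # $1 = path of the configuration file to write
    cat > "$1" <<'EOF'
<Sysmon schemaversion="4.81">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event 1: an empty exclude rule means every process creation is logged -->
    <ProcessCreate onmatch="exclude" />
    <!-- Event 3: log every network connection except loopback traffic -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event 5: an empty include rule means no process termination is logged -->
    <ProcessTerminate onmatch="include" />
  </EventFiltering>
</Sysmon>
EOF
}

# Keep only the syslog lines carrying a given Sysmon event ID (stdin -> stdout).
sysmon_filter_id() {      # $1 = event ID
    grep "<EventID>$1</EventID>" || true   # no match is not an error here
}

# Number of events with a given ID in a log file.
count_events() {          # $1 = log file, $2 = event ID
    sysmon_filter_id "$2" < "$1" | wc -l | tr -d ' '
}

# Executable path (the Image field) of each event with a given ID, one per line.
images_for_id() {         # $1 = log file, $2 = event ID
    sysmon_filter_id "$2" < "$1" \
      | sed -n 's/.*<Data Name="Image">\([^<]*\)<\/Data>.*/\1/p'
}

SAMPLE_LOG=$(mktemp)
CONFIG_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$CONFIG_FILE"' EXIT

# Constructed sample log: two process creations (1), one connection (3),
# one termination (5). Values are invented for the example.
cat > "$SAMPLE_LOG" <<'EOF'
Oct 14 12:00:01 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID></System><EventData><Data Name="Image">/usr/sbin/adduser</Data><Data Name="CommandLine">adduser analyst</Data></EventData></Event>
Oct 14 12:00:02 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/curl</Data><Data Name="CommandLine">curl http://203.0.113.10/</Data></EventData></Event>
Oct 14 12:00:02 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID></System><EventData><Data Name="Image">/usr/bin/curl</Data><Data Name="DestinationIp">203.0.113.10</Data><Data Name="DestinationPort">80</Data></EventData></Event>
Oct 14 12:00:03 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID></System><EventData><Data Name="Image">/usr/sbin/adduser</Data></EventData></Event>
EOF

write_sysmon_config "$CONFIG_FILE"
echo "config written to $CONFIG_FILE; start Sysmon with: sudo ./sysmon -i $CONFIG_FILE"
echo "process creations (event 1):   $(count_events "$SAMPLE_LOG" 1)"
echo "network connections (event 3): $(count_events "$SAMPLE_LOG" 3)"
echo "executables seen starting:"
images_for_id "$SAMPLE_LOG" 1
```

On a real host, point `count_events` and `images_for_id` at /var/log/syslog instead of the constructed sample; the `<EventID>` match is the same one the event list below is keyed on.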
The event IDs that the current Sysmon for Linux build defines are listed below:
- 1: SYSMONEVENT_CREATE_PROCESS
- 2: SYSMONEVENT_FILE_TIME
- 3: SYSMONEVENT_NETWORK_CONNECT
- 4: SYSMONEVENT_SERVICE_STATE_CHANGE
- 5: SYSMONEVENT_PROCESS_TERMINATE
- 6: SYSMONEVENT_DRIVER_LOAD
- 7: SYSMONEVENT_IMAGE_LOAD
- 8: SYSMONEVENT_CREATE_REMOTE_THREAD
- 9: SYSMONEVENT_RAWACCESS_READ
- 10: SYSMONEVENT_ACCESS_PROCESS
- 11: SYSMONEVENT_FILE_CREATE
- 12: SYSMONEVENT_REG_KEY
- 13: SYSMONEVENT_REG_SETVALUE
- 14: SYSMONEVENT_REG_NAME
- 15: SYSMONEVENT_FILE_CREATE_STREAM_HASH
- 16: SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
- 17: SYSMONEVENT_CREATE_NAMEDPIPE
- 18: SYSMONEVENT_CONNECT_NAMEDPIPE
- 19: SYSMONEVENT_WMI_FILTER
- 20: SYSMONEVENT_WMI_CONSUMER
- 21: SYSMONEVENT_WMI_BINDING
- 22: SYSMONEVENT_DNS_QUERY
- 23: SYSMONEVENT_FILE_DELETE
- 24: SYSMONEVENT_CLIPBOARD
- 25: SYSMONEVENT_PROCESS_IMAGE_TAMPERING
- 26: SYSMONEVENT_FILE_DELETE_DETECTED
- 255: SYSMONEVENT_ERROR
As you can see, many of these events do not apply to Linux, e.g. Registry or WMI events, so you will need to adjust your configuration accordingly.
Sysmon is a powerful tool that is widely used in Windows environments as part of an organization’s security toolbox.
With the addition of Linux, a whole new segment of system administrators can use it to provide free system monitoring for malicious activity.