Identfy os command injection with auditctl

Question

How to identify which PHP script that executed the exec or shell_exec command.

x.php :-

<?php
echo exec("ls -la");

/etc/audit/rules.d/audit.rules :-

-D
-b 320

-a exit,always -F arch=b64 -F euid=48 -S execve
-a exit,always -F arch=b32 -F euid=48 -S execve

tailf /var/log/audit/audit.log:-

type=SYSCALL msg=audit(1507799176.928:13797470): arch=c000003e syscall=59 success=yes exit=0 a0=7f2ef8c60bc2 a1=7fffa420f210 a2=7fffa4214108 a3=7f2ef90b7240 items=2 ppid=24343 pid=25956 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=475208 comm="sh" exe="/bin/bash" key=(null)
type=EXECVE msg=audit(1507799176.928:13797470): argc=3 a0="sh" a1="-c" a2=6C73202D6C61
type=EXECVE msg=audit(1507799176.928:13797470): argc=3 a0="sh" a1="-c" a2=6C73202D6C61
type=CWD msg=audit(1507799176.928:13797470):  cwd="/home/server/live"
type=PATH msg=audit(1507799176.928:13797470): item=0 name="/bin/sh" inode=141036 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1507799176.928:13797470): item=1 name=(null) inode=657085 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

type=SYSCALL msg=audit(1507799176.929:13797471): arch=c000003e syscall=59 success=yes exit=0 a0=2301930 a1=2300d40 a2=23009f0 a3=18 items=2 ppid=24343 pid=25956 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=475208 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1507799176.929:13797471): argc=2 a0="ls" a1="-la"
type=CWD msg=audit(1507799176.929:13797471):  cwd="/home/server/live"
type=PATH msg=audit(1507799176.929:13797471): item=0 name="/bin/ls" inode=134035 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

type=PATH msg=audit(1507799176.929:13797471): item=1 name=(null) inode=657085 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

I want the file x.php be printed with the logs to help identfy the source of the command injection.

score 1 · Accepted Answer · answered Oct 12 '17 at 13:51

Upon investigating i found that the rule can be combined by multiple syscall -S for more info the follwoing url can be reffered:-

https://www.digitalocean.com/community/tutorials/how-to-write-custom-system-audit-rules-on-centos-7

the syscall open did the trick once concatenating with the syscall execve the following rule set was obtained:-

/etc/audit/rules.d/audit.rules:-

-a exit,always -F arch=b64 -F euid=501 -S execve -S open 
-a exit,always -F arch=b32 -F euid=501 -S execve -S open
-a exit,always -F arch=b64 -F euid=48 -S execve -S open 
-a exit,always -F arch=b32 -F euid=48 -S execve -S open

Identfy os command injection with auditctl

1 Answers1