Honeypots are all the rage with them being a fantastic tool to quickly identify malicious activity from usual system activity. There are many kinds of honeypots, including honeypot ports (honeyports) and even entire honey networks (honeynet), however the one I want to talk about is honeypot files (honeyfiles).

Honeyfiles are files that can be placed on a filesystem that are designed to look entising, and when accessed trigger an auditd rule to let you know. An example could be putting a file called โ€œpasswords.txtโ€ on the filesystem. Any attacker that gains access to the system is likely to want to know what that file contains.

We can start by creating some random files to put around the filesystem

dd if=/dev/urandom of=/SQLBackup-2017-11-24.gzip bs=120334KB count=1 iflag=fullblock
dd if=/dev/urandom of=/root/passwords_encrypted.txt bs=334KB count=1 iflag=fullblock
dd if=/dev/urandom of=/opt/apache-db-preupgrade.db bs=162334KB count=1 iflag=fullblock

The content of the files donโ€™t matter, even touching the files will be enough to trigger an alert. However, providing some legitimate but useless data may servce to wase the time of the attacker, giving you more time to repond.

Next we need to ensure that auditd is installed and running, on CentOS this would be done through the following commands:

yum install audit
systemctl enable auditd
systemctl start auditd

Next we create our custom rule files in auditd

root@ironmoon ~ # vim /etc/audit/rules.d/70-honeyfiles.rules
-w /SQLBackup-2017-11-24.gzip -p wra -k HONEYFILE_ACCESSS
-w /root/passwords_encrypted.txt -p wra -k HONEYFILE_ACCESSS
-w /opt/apache-db-preupgrade.db -p wra -k HONEYFILE_ACCESSS

In these rules โ€œ-wโ€ means file followed by the filepath, and โ€œ-p wraโ€ means trigger on file read, write, or attribute change. With the rule created we just need to make sure its imported and auditd reloads the configuration.

root@ironmoon ~ # augenrules
root@ironmoon ~ # pkill -HUP -P 1 auditd

Now when we even access the files we will get a triggered alert

root@ironmoon / # aureport -f

File Report
# date time file syscall success exe auid event
1. 19/05/18 23:32:35 passwords_encrypted.txt 191 no /usr/bin/ls 1000 337
2. 19/05/18 23:32:41 passwords_encrypted.txt 192 yes /usr/bin/stat 1000 340
3. 19/05/18 23:36:17 passwords_encrypted.txt 191 no /usr/bin/ls 1000 341
4. 19/05/18 23:36:21 SQLBackup-2017-11-24.gzip 191 no /usr/bin/ls 1000 342
5. 19/05/18 23:38:26 SQLBackup-2017-11-24.gzip 191 no /usr/bin/ls 1000 343
6. 19/05/18 23:38:26 SQLBackup-2017-11-24.gzip 192 yes /usr/bin/ls 1000 344
7. 19/05/18 23:38:26 SQLBackup-2017-11-24.gzip 191 no /usr/bin/ls 1000 345
8. 19/05/18 23:38:26 SQLBackup-2017-11-24.gzip 191 no /usr/bin/ls 1000 346

This allows us to see all the access to those files, but you may notice that you will recieve information about ALL access, including simply grabbing info about the file from the ls command, as a result some filtering is required.

Now when its collected at a network loging server you can set up alerts whenever any access to the file is attempted. If we wanted the auditd logs to be forwared to syslog to be included in system logs, you can do that with the following setting

root@ironmoon ~ # vim /etc/audisp/plugins.d/syslog.conf
active = yes