Microsoft has released a Linux version of the popular Sysmon system monitoring utility for Windows, allowing Linux administrators to monitor devices for malicious activity.
For those unfamiliar with Sysmon (aka System Monitor), it is a Sysinternals tool that records system activity such as process creation, network connections and file changes to the system's event logs, giving administrators and security teams the evidence they need to spot malicious behavior.
Sysmon’s versatility comes from the ability to create custom configuration files that administrators can use to monitor specific system events that may indicate malicious activity is occurring on the system.
Sysmon ported to Linux
Today, Mark Russinovich, co-founder of the Sysinternals utility suite and now at Microsoft, announced that Microsoft has released Sysmon for Linux as an open source project on GitHub.
Unlike Sysmon for Windows, Linux users will need to compile the program themselves and make sure they have all the required dependencies, with instructions provided on the project’s GitHub page.
It is important to note that Sysmon for Linux depends on the SysinternalsEBPF project, which must be built and installed before Sysmon itself will compile.
After Sysmon has been compiled, you can display its help text by running sudo ./sysmon -h, as shown in the screenshot below.
To use the program, you must first accept the End User License Agreement with the following command:
sudo ./sysmon -accepteula
Then you can start Sysmon with or without a configuration file using one of the following commands:
Without configuration file: sudo ./sysmon -i
With configuration file: sudo ./sysmon -i CONFIG_FILE
To create your own Sysmon configuration file, run ./sysmon -s to print the configuration schema for the current version and see which event types, fields and directives are available.
To learn more about creating a Sysmon configuration file, you can check the official documentation or use the template from SwiftOnSecurity as an example.
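The steps above (build, accept the EULA, install with a configuration, check the schema) can be tied together in a short script. The following is an added example, not code from the article or from the Sysmon project: it writes a small Linux-tailored configuration that keeps only event types useful on Linux and drops obvious noise, then installs Sysmon with that file if the freshly built ./sysmon binary is in the current directory. The schemaversion value (4.81), the event types and field names (taken from the Windows schema) and the ./sysmon path are assumptions; compare them against what sudo ./sysmon -s prints for your build before relying on the file.

```shell
#!/bin/sh
# Added example, not from the article or the Sysmon project.
# Assumptions: schemaversion 4.81, ./sysmon in the current directory, and
# ProcessCreate/NetworkConnect/FileCreate fields as in the Windows schema.
set -eu

# Write a config that logs only process creation, network connections and file
# creation. An "exclude" rule with no matching entries logs every event of that
# type; an "include" rule logs only what it lists.
write_sysmon_config() {
    cat > "$1" <<'EOF'
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!-- analysts run the log viewer constantly; do not record its starts -->
        <Image condition="end with">/sysmonLogView</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <!-- resolver traffic is high-volume and low-value in this example -->
        <DestinationPort condition="is">53</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <!-- only files dropped into world-writable staging directories -->
        <TargetFilename condition="begin with">/tmp/</TargetFilename>
        <TargetFilename condition="begin with">/dev/shm/</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
EOF
}

# Number of filter rules (one "onmatch=" per rule) in a config file; a quick
# sanity check that the file was written completely.
config_rule_count() {
    grep -c 'onmatch=' "$1"
}

# Install Sysmon with the given config, accepting the EULA in the same call.
# Only attempted when the compiled binary is present; otherwise explain what
# to run and fail so the caller notices.
install_sysmon() {
    if [ -x ./sysmon ]; then
        sudo ./sysmon -accepteula -i "$1"
    else
        echo "./sysmon not found; build it, then run: sudo ./sysmon -accepteula -i $1" >&2
        return 2
    fi
}

write_sysmon_config sysmon-linux.xml
install_sysmon sysmon-linux.xml || true
```

Keep the exclude lists short and specific: every excluded path is a blind spot an attacker can hide in (a binary named to end in /sysmonLogView would be invisible to the process-creation rule above), so prefer include rules for high-value locations and revisit exclusions when you see what the host actually logs.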
Once started, Sysmon will begin writing events to syslog, which on Ubuntu and Debian-based systems lands in /var/log/syslog (other distributions may route it elsewhere, depending on the syslog daemon's configuration). If you haven't specified a configuration file to restrict what is logged, you will find that your syslog file grows rapidly as new processes are started and terminated.
For example, in the screenshot below you can see a process-termination event for the 'adduser' command, recorded after I used it to create a new user.
Because each event is written as one XML record on a single syslog line, the raw log is hard to read. To make it easier to filter for specific events, the project ships a sysmonLogView utility that parses those records and displays the events you are looking for.
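When sysmonLogView is not at hand (a forwarded log on a collector, or a host where only the syslog file was preserved), the records can still be triaged with sed and grep. The following is an added example, not code from the article or from the Sysmon project: it extracts event IDs and named fields from Sysmon for Linux syslog lines and summarizes outbound network connections. The four sample lines are constructed to mimic the single-line XML layout, shortened to the fields used here; they are not captured output, and the field names (Image, CommandLine, User, DestinationIp, DestinationPort) are assumed from the Sysmon schema.

```shell
#!/bin/sh
# Added example, not from the article or the Sysmon project.
# SAMPLE_SYSLOG is constructed test data: three shortened Sysmon records and one
# unrelated cron line, in the one-record-per-line layout Sysmon for Linux uses.
set -eu

SAMPLE_SYSLOG='Oct 14 09:12:01 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID></System><EventData><Data Name="Image">/usr/sbin/adduser</Data><Data Name="CommandLine">adduser bob</Data><Data Name="User">root</Data></EventData></Event>
Oct 14 09:12:02 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID></System><EventData><Data Name="Image">/usr/bin/curl</Data><Data Name="DestinationIp">203.0.113.7</Data><Data Name="DestinationPort">4444</Data><Data Name="User">bob</Data></EventData></Event>
Oct 14 09:12:03 lab CRON[812]: (root) CMD (run-parts /etc/cron.hourly)
Oct 14 09:12:04 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID></System><EventData><Data Name="Image">/usr/sbin/adduser</Data><Data Name="User">root</Data></EventData></Event>'

# Event ID of one syslog line; empty when the line is not a Sysmon record.
sysmon_event_id() {
    printf '%s\n' "$1" | sed -n 's/.*<EventID>\([0-9]*\)<\/EventID>.*/\1/p'
}

# Value of one <Data Name="..."> field in a line; empty when the field is absent.
sysmon_field() {
    printf '%s\n' "$1" | sed -n 's/.*<Data Name="'"$2"'">\([^<]*\)<\/Data>.*/\1/p'
}

# Keep only Sysmon records with the given event ID (reads stdin, writes stdout).
# The first grep drops non-Sysmon syslog lines before the ID is examined.
sysmon_filter() {
    grep -F 'sysmon: <Event>' | grep "<EventID>$1</EventID>"
}

# One line per network connection (event 3): user, image and destination.
summarize_connections() {
    sysmon_filter 3 | while IFS= read -r line; do
        printf '%s %s %s:%s\n' "$(sysmon_field "$line" User)" \
            "$(sysmon_field "$line" Image)" \
            "$(sysmon_field "$line" DestinationIp)" \
            "$(sysmon_field "$line" DestinationPort)"
    done
}

# Number of records with a given event ID in a log passed as a string.
count_events() {
    printf '%s\n' "$2" | sysmon_filter "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SYSLOG" | summarize_connections
```

On a live host the same functions work on the real file, for example tail -f /var/log/syslog | summarize_connections after sourcing the script. The sed patterns assume one event per line and a single occurrence of each field name, which holds for Sysmon's output but not for arbitrary XML; for anything beyond quick triage, use sysmonLogView or a proper XML parser.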
The event IDs defined in the current Sysmon schema, and therefore recognized by the Linux build's configuration parser, are listed below:
- 1: SYSMONEVENT_CREATE_PROCESS
- 2: SYSMONEVENT_FILE_TIME
- 3: SYSMONEVENT_NETWORK_CONNECT
- 4: SYSMONEVENT_SERVICE_STATE_CHANGE
- 5: SYSMONEVENT_PROCESS_TERMINATE
- 6: SYSMONEVENT_DRIVER_LOAD
- 7: SYSMONEVENT_IMAGE_LOAD
- 8: SYSMONEVENT_CREATE_REMOTE_THREAD
- 9: SYSMONEVENT_RAWACCESS_READ
- 10: SYSMONEVENT_ACCESS_PROCESS
- 11: SYSMONEVENT_FILE_CREATE
- 12: SYSMONEVENT_REG_KEY
- 13: SYSMONEVENT_REG_SETVALUE
- 14: SYSMONEVENT_REG_NAME
- 15: SYSMONEVENT_FILE_CREATE_STREAM_HASH
- 16: SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
- 17: SYSMONEVENT_CREATE_NAMEDPIPE
- 18: SYSMONEVENT_CONNECT_NAMEDPIPE
- 19: SYSMONEVENT_WMI_FILTER
- 20: SYSMONEVENT_WMI_CONSUMER
- 21: SYSMONEVENT_WMI_BINDING
- 22: SYSMONEVENT_DNS_QUERY
- 23: SYSMONEVENT_FILE_DELETE
- 24: SYSMONEVENT_CLIPBOARD
- 25: SYSMONEVENT_PROCESS_IMAGE_TAMPERING
- 26: SYSMONEVENT_FILE_DELETE_DETECTED
- 255: SYSMONEVENT_ERROR
As you can see, many of these event types have no Linux equivalent, such as the Registry and WMI events, and the Linux build only implements a subset of the rest. Build your configuration around the event types that actually produce output on Linux (process creation and network connections, for a start) rather than copying a Windows configuration verbatim.
Sysmon is a powerful tool widely used in Windows environments as part of an organization’s security toolkit.
With its arrival on Linux, a whole new segment of system administrators can use it to get free, configurable monitoring for malicious activity on their servers.