Microsoft is celebrating the 25th anniversary of Sysinternals, a set of utilities that is capable of analyzing, troubleshooting, and optimizing Windows systems and applications. The Microsoft team also announced the release of Sysmon for Linux as a part of the anniversary. Sysmon for Linux is an open-source system monitor tool. It is designed to collect security events from Linux environments.
Extended Berkeley Packet Filter
Microsoft’s new solution uses eBPF (Extended Berkeley Packet Filter) and sends the gathered security events to Syslog. With eBPF, programs run in a sandbox inside the operating system kernel, so developers can write code that executes in kernel space. Because that code is written in a restricted, verified form, new capabilities can be added to the operating system at runtime with less risk. Some of the use cases for eBPF are:
- Security: Combining visibility and better level of control to secure systems.
- Tracing and profiling: Powerful and unique insights to troubleshoot system performance.
- Networking: A natural fit for all packet processing requirements of networking solutions.
- Observability and monitoring: Collection and in-kernel aggregation of custom metrics.
Sysmon for Linux is built on sysinternalsEBPF, a library that is also released with Sysmon for Linux. sysinternalsEBPF is built on libbpf, which includes a library of eBPF inline functions.
eBPF allows developers to create event-driven programs that attach to pre-defined hooks into kernel operations. The resulting events can then be collected and used to understand adversary behavior during research or an investigation. To handle the monitoring process, Sysmon for Linux uses its own library, sysinternalsEBPF.
How to install Sysmon for Linux?
To install Sysmon for Linux, users need these packages:
- sysinternalsebpf (.DEB or .RPM)
- sysmonforlinux (.DEB or .RPM)
Users can use the following commands in a Linux command line:
wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
To install sysinternalsEBPF and Sysmon, you can use the following commands:
sudo apt-get update
sudo apt-get install sysinternalsebpf
sudo apt-get install sysmonforlinux
Then you can run the Sysmon command. To install and run Sysmon as a service with a specific Sysmon config:
sudo sysmon -accepteula -i sysmonconfig.xml
And finally, to explore the events from the Syslog log:
tail -f /var/log/syslog
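Once Sysmon is running, each event arrives in syslog as a syslog header followed by one XML <Event> element on a single line. The following added example (not part of the original article or of Sysmon's own code) parses such lines and groups the events per process so that a process creation and its network connections line up; the sample log lines, hostname, PIDs, paths and addresses are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape Sysmon for Linux writes to syslog: a syslog
# header, then one XML <Event> per line. Host, PIDs, paths and IPs are made up.
SAMPLE_SYSLOG = """\
Oct 15 09:12:01 host1 sysmon: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>host1</Computer></System><EventData><Data Name="UtcTime">2021-10-15 09:12:01.100</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data><Data Name="CommandLine">curl -s http://example.invalid/a.sh</Data><Data Name="User">alice</Data></EventData></Event>
Oct 15 09:12:02 host1 sysmon: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>host1</Computer></System><EventData><Data Name="UtcTime">2021-10-15 09:12:02.300</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data><Data Name="DestinationIp">192.0.2.10</Data><Data Name="DestinationPort">80</Data></EventData></Event>
Oct 15 09:12:03 host1 CRON[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Sysmon event IDs relevant here (same numbering as Sysmon on Windows).
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 5: "ProcessTerminate", 11: "FileCreate"}

def _local(tag):
    """Drop the XML namespace so lookups work with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def parse_sysmon_line(line):
    """Return a flat dict for one Sysmon syslog line, or None for other daemons."""
    m = re.search(r"\bsysmon: (<Event\b.*</Event>)\s*$", line)
    if not m:
        return None
    root = ET.fromstring(m.group(1))
    event = {}
    for el in root.iter():
        name = _local(el.tag)
        if name == "EventID":
            event["EventID"] = int(el.text)
        elif name == "Computer":
            event["Computer"] = el.text
        elif name == "Data":            # <Data Name="X">value</Data> in EventData
            event[el.get("Name")] = el.text
    event["EventName"] = EVENT_NAMES.get(event.get("EventID"), "Other")
    return event

def parse_syslog(text):
    """Parse every Sysmon line in a syslog dump, skipping non-Sysmon lines."""
    events = [parse_sysmon_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]

def correlate_by_pid(events):
    """Group event names per (Computer, ProcessId), in the order they were logged."""
    by_pid = {}
    for e in events:
        by_pid.setdefault((e["Computer"], e.get("ProcessId")), []).append(e["EventName"])
    return by_pid
```

Feed `parse_syslog` the contents of /var/log/syslog instead of the sample to get the same per-process view of a live host.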