How to Enable Security Check¶

Introduction¶

TrueWatch supports "Security Check" to inspect the status of systems, containers, networks, security, and logs. It ensures all actions are secure and controllable by using a new type of security script (limiting command execution, local IO, and network IO).

In operations and maintenance, an important task is to check the status of systems, software, and logs. Traditional solutions often involve engineers writing shell (bash) scripts for similar tasks, managing clusters through remote script management tools. However, this method is inherently risky. System inspection operations often require high permissions, typically executed in root mode. Once malicious scripts are run, the consequences can be severe. In real scenarios, there are two types of malicious scripts: one involves dangerous commands such as rm -rf, and the other steals data, such as transferring data externally via network IO. Therefore, Security Checker aims to provide a new, secure scripting approach (limiting command execution, local IO, and network IO) to ensure all behaviors are safe and controllable. Additionally, Security Checker will collect inspection events as logs through a unified network model. Meanwhile, Security Checker provides a vast library of updatable rule scripts covering system, container, network, security, and other inspections.

Prerequisites¶

• You need to first create a TrueWatch account;
• Install DataKit on your host;

Procedure¶

Step 1: Install Scheck¶

Install Security Checker through DataKit:

$ sudo datakit --install scheck

Note: After installation, Security Checker defaults to sending data to the DataKit :9529/v1/write/security interface.

Step 2: Configure Data Collection¶

• Navigate to the default installation directory /usr/local/scheck, open the configuration file scheck.conf. The configuration file uses TOML format and is explained as follows:

rule_dir = '/usr/local/scheck/rules.d'

# ##(Required) Where to collect detection results, supports local files or http(s) links
# ##Use prefix file:// for local files, e.g., file:///your/file/path
# ##For remote server, e.g., http(s)://your.url
output = ''

# ##(Optional) Logging configuration for the program itself
disable_log = false # Whether to disable logging
log = '/usr/local/scheck/log'
log_level = 'info'

• After completing the configuration, restart the service for the changes to take effect:

systemctl restart scheck

Step 3: Configure Inspection Rules¶

The inspection rules are stored in the rule directory specified by rule_dir in the configuration file. Each rule corresponds to two files:

1. Script file: written in Lua language, must have .lua as the suffix.
2. Manifest file: in TOML format, must have .manifest as the suffix.

By adding/modifying manifest files and Lua code, you can complete the configuration of inspection rules.

Notes:

• The script file and manifest file must have the same name.
• No need to restart the service after adding/modifying rules; the new rules will take effect automatically after 10 seconds.

Step 4: View Installation Status and DataKit Running Status¶

• Check scheck status:

$ systemctl status scheck
● scheck.service - security checker with lua script
   Loaded: loaded (/usr/lib/systemd/system/scheck.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-07-03 00:13:15 CST; 2 days ago
 Main PID: 15337 (scheck)
    Tasks: 10
   Memory: 12.4M
   CGroup: /system.slice/scheck.service
           └─15337 /usr/local/scheck/scheck -config /usr/local/scheck/scheck.conf

• Check datakit status:

$ systemctl status datakit
● datakit.service - Collects data and upload it to DataFlux.
   Loaded: loaded (/etc/systemd/system/datakit.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-07-03 01:07:44 CST; 2 days ago
 Main PID: 27371 (datakit)
    Tasks: 9
   Memory: 29.6M
   CGroup: /system.slice/datakit.service
           └─27371 /usr/local/datakit/datakit

Step 5: Log in to TrueWatch to view security inspection records¶

• Select the left sidebar - Security Check to view inspection content

Advanced References¶

Security Monitoring¶

"TrueWatch" provides users with a one-click function to detect malicious programs, system vulnerabilities, and security flaws. Through "Security Check", you can not only promptly discover vulnerabilities and anomalies in hosts, systems, containers, networks, etc., but also identify daily management issues (e.g., leaking data externally via network IO).

Simulate Hacker Intrusion Operations¶

• Log into the host terminal

• Simulate adding a user and adding a crontab record

useradd xlsm
crontab -e

Log in to TrueWatch to view security inspection information and analyze it¶

You can see that on 12/19 at 18:52, a user was added. When encountering this issue, how should we handle it?

Click on the record to view recommendations for host remediation

Execute the following command in the host console: userdel xlsm

More References¶

For more details, please refer to the document Security Check.