
Tweaking LimaCharlie Linux EDR Telemetry. #103

Open. Wants to merge 4 commits into base: main

Conversation

maximelb
Contributor

Pull Request Template

This PR adds the types of EDR telemetry supported by LimaCharlie on Linux. Many of the events are fully supported, and some partially via on-host default logs that can automatically be leveraged/parsed/alerted on. Some of the categories are mainly supported through the eBPF built into LimaCharlie.

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here)
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

1: Yes
2: Open documentation: https://docs.limacharlie.io/docs/reference-edr-events
3: -

Type of change

Please delete options that are not relevant.

  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

No tests have been run since it's a simple JSON change limited to LimaCharlie's capabilities only.

Test Configuration:

  • EDR version: LimaCharlie
  • Operating System version: Linux (non-distro specific)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my corrections or additions are accurate
  • I have checked my code and corrected any misspellings

Don't stress yourself out, just answer the above to the best of your ability and we can discuss in the comments 🙂

@tsale
Owner

tsale commented Dec 19, 2024

Hi @maximelb, thank you for this PR. I have personally tested LimaCharlie, and the events you refer to in the documentation were unavailable during testing. I consulted the documentation but could not corroborate it with the results of the telemetry generator script.

Would you mind running the script on your end and sharing any evidence of the changes you are proposing? I might have made a mistake, so I would really appreciate it if you could run it and double-check my work. Thank you!

@maximelb
Contributor Author

Ah sorry @tsale I didn't realize the test scripts now were for the telemetry itself. Will do.

What probably happened is that we recently enhanced the eBPF support which is required for a bunch of those events. Before this it was easy to be missing some requirement for the eBPF support.

@tsale
Owner

tsale commented Dec 19, 2024

Thanks @maximelb. That's great to hear! If you provide me with the evidence to support these changes after running the script, I will be more than happy to merge this PR.

@lc-cbot

lc-cbot commented Dec 19, 2024

@tsale
Owner

tsale commented Dec 19, 2024

@tsale Is this what you're looking for?

ubuntu-jammy-6.8.0-1020-gcp-1-function_output_log.csv ubuntu-jammy-5.19.0-1026-gcp-0-function_output_log.csv

I think these are the results of the script you ran. It indicates that every module was run successfully. What we need is evidence that you can see the events on the LimaCharlie platform.

@maximelb
Contributor Author

maximelb commented Dec 22, 2024

Ok, here are the sample events per category. If you need a raw dump, I can share it as well.

File Modifications:

{
  "event": {
    "FILE_PATH": "/usr/lib/locale/C.utf8/LC_CTYPE",
    "PROCESS_ID": 74625
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "e64ace2c-ee39-47b9-ba9c-d26e4b9d06fa",
    "event_time": 1734831730116,
    "event_type": "FILE_READ",
    "ext_ip": "34.57.252.38",
    "hostname": "edr-telemetry-test.c.lc-developers.internal",
    "iid": "ccc009ee-254c-4d67-a896-f13cb68e709f",
    "int_ip": "10.128.0.50",
    "investigation_id": "9f6c8695-7303-4ed2-af0e-fb0c639e860b",
    "moduleid": 2,
    "oid": "98ef5597-1e6e-4afd-b309-bf3fa8d9dd00",
    "parent": "6859657da6e5de582c8dc12867676e72",
    "plat": 536870912,
    "sid": "0f436652-f6d2-46cd-92c6-9ab083f62779",
    "tags": [],
    "this": "7d446598c85d760f6714212567676e72"
  },
  "ts": "2024-12-22 01:42:10"
}
{
  "event": {
    "FILE_PATH": "/home/maxime/lc/telemetry/EDR-Telemetry/Tools/Telemetry-Generator/Linux/test_file.txt",
    "PROCESS_ID": 74282
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "3477cf55-a103-4dcc-b91e-0f908c065b37",
    "event_time": 1734831744093,
    "event_type": "FILE_CREATE",
    "ext_ip": "34.57.252.38",
    "hostname": "edr-telemetry-test.c.lc-developers.internal",
    "iid": "ccc009ee-254c-4d67-a896-f13cb68e709f",
    "int_ip": "10.128.0.50",
    "investigation_id": "9f6c8695-7303-4ed2-af0e-fb0c639e860b",
    "moduleid": 2,
    "oid": "98ef5597-1e6e-4afd-b309-bf3fa8d9dd00",
    "parent": "e1d235b249b2d6a07b30691767676e4a",
    "plat": 536870912,
    "sid": "0f436652-f6d2-46cd-92c6-9ab083f62779",
    "tags": [],
    "this": "c5874f5f73a68a47699097a767676e80"
  },
  "ts": "2024-12-22 01:42:24"
}
{
  "event": {
    "FILE_PATH": "/home/maxime/lc/telemetry/EDR-Telemetry/Tools/Telemetry-Generator/Linux/test_file.txt",
    "PROCESS_ID": 74282
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "95bac918-1235-4c1c-b5bc-7df8b5e320c5",
    "event_time": 1734831748094,
    "event_type": "FILE_DELETE",
    "ext_ip": "34.57.252.38",
    "hostname": "edr-telemetry-test.c.lc-developers.internal",
    "iid": "ccc009ee-254c-4d67-a896-f13cb68e709f",
    "int_ip": "10.128.0.50",
    "investigation_id": "9f6c8695-7303-4ed2-af0e-fb0c639e860b",
    "moduleid": 2,
    "oid": "98ef5597-1e6e-4afd-b309-bf3fa8d9dd00",
    "parent": "e1d235b249b2d6a07b30691767676e4a",
    "plat": 536870912,
    "sid": "0f436652-f6d2-46cd-92c6-9ab083f62779",
    "tags": [],
    "this": "0744ed8be23492cc06385db767676e84"
  },
  "ts": "2024-12-22 01:42:28"
}
{
  "event": {
    "FILE_PATH": "/sys/fs/cgroup/system.slice/cron.service/memory.min",
    "PROCESS_ID": 1
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "087c5412-811f-4adc-ba70-2435a678010a",
    "event_time": 1734831730081,
    "event_type": "FILE_MODIFIED",
    "ext_ip": "34.57.252.38",
    "hostname": "edr-telemetry-test.c.lc-developers.internal",
    "iid": "ccc009ee-254c-4d67-a896-f13cb68e709f",
    "int_ip": "10.128.0.50",
    "investigation_id": "9f6c8695-7303-4ed2-af0e-fb0c639e860b",
    "moduleid": 2,
    "oid": "98ef5597-1e6e-4afd-b309-bf3fa8d9dd00",
    "parent": "66574e64c822a7167ced977767676e02",
    "plat": 536870912,
    "sid": "0f436652-f6d2-46cd-92c6-9ab083f62779",
    "tags": [],
    "this": "cece8c431f45c5c837da989267676e72"
  },
  "ts": "2024-12-22 01:42:10"
}

Service:

{
  "event": {
    "SVC_NAME": "dummy_service"
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "0bdfd5d9-103a-42eb-9249-22b88619821f",
    "event_time": 1734833011801,
    "event_type": "SERVICE_CHANGE",
    "ext_ip": "34.57.252.38",
    "hostname": "edr-telemetry-test.c.lc-developers.internal",
    "iid": "ccc009ee-254c-4d67-a896-f13cb68e709f",
    "int_ip": "10.128.0.50",
    "moduleid": 2,
    "oid": "98ef5597-1e6e-4afd-b309-bf3fa8d9dd00",
    "plat": 536870912,
    "sid": "0f436652-f6d2-46cd-92c6-9ab083f62779",
    "tags": [],
    "this": "5bff276bb553f05706a3ae3d67677373"
  },
  "ts": "2024-12-22 02:03:31"
}

IMPHash:
Actually I was wrong, there is no such thing as an IMPHash on Linux ELFs. We only generate it on Windows, curious why some other EDRs report it as supported.
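As an added illustration (not code from the PR, the EDR-Telemetry project, or LimaCharlie), a small Python check that reads a dump of back-to-back LimaCharlie event objects like the ones above and reports, per EDR-Telemetry category, which event types were observed, which are still missing, and whether any observed event touched a path under the telemetry generator directory. The category labels and the category-to-event mapping are assumptions taken from this thread.

```python
import json
from collections import defaultdict

# EDR-Telemetry category -> LimaCharlie event types seen in the samples above.
# Category labels are an assumption taken from the discussion in this thread.
CATEGORY_EVENTS = {
    "File Manipulation": {"FILE_CREATE", "FILE_DELETE", "FILE_MODIFIED", "FILE_READ"},
    "Service Activity": {"SERVICE_CHANGE"},
}

# Constructed sample: back-to-back JSON objects (no enclosing array), trimmed
# to the fields this check needs.
SAMPLE_DUMP = """
{"event": {"FILE_PATH": "/home/maxime/lc/telemetry/EDR-Telemetry/Tools/Telemetry-Generator/Linux/test_file.txt",
           "PROCESS_ID": 74282}, "routing": {"event_type": "FILE_CREATE"}}
{"event": {"FILE_PATH": "/usr/lib/locale/C.utf8/LC_CTYPE", "PROCESS_ID": 74625},
 "routing": {"event_type": "FILE_READ"}}
{"event": {"SVC_NAME": "dummy_service"}, "routing": {"event_type": "SERVICE_CHANGE"}}
"""

def iter_events(dump):
    """Yield each JSON object from a dump of concatenated objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(dump) and dump[pos].isspace():
            pos += 1
        if pos >= len(dump):
            return
        obj, pos = decoder.raw_decode(dump, pos)
        yield obj

def coverage(dump, generator_marker="Telemetry-Generator"):
    """Per category: event types observed, types still missing, and whether any
    observed event touched a path under the telemetry generator directory."""
    seen = defaultdict(set)
    from_generator = defaultdict(bool)
    for ev in iter_events(dump):
        event_type = ev.get("routing", {}).get("event_type")
        path = ev.get("event", {}).get("FILE_PATH", "")
        for category, types in CATEGORY_EVENTS.items():
            if event_type in types:
                seen[category].add(event_type)
                if generator_marker in path:
                    from_generator[category] = True
    return {category: {"seen": sorted(seen[category]),
                       "missing": sorted(types - seen[category]),
                       "from_generator": from_generator[category]}
            for category, types in CATEGORY_EVENTS.items()}
```

Run `coverage(SAMPLE_DUMP)` against a real export to see at a glance which event types the generator run actually produced for each category.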

@tsale
Owner

tsale left a comment

Thanks for providing evidence regarding the File Manipulation and Service Activity categories. I am ok with changing those to "Yes". However, could you please provide more information and evidence regarding the events that you have as "Via EnablingTelemetry"?

@maximelb
Contributor Author

Thanks for providing evidence regarding the File Manipulation and Service Activity categories. I am ok with changing those to "Yes". However, could you please provide more information and evidence regarding the events that you have as "Via EnablingTelemetry"?

Sure, I will send something tomorrow. Honestly it's because we can natively tap into any local system log, so anything in any log can be alerted and automatically collected. So I suspect we actually have a bunch of the other items as Enabling Telemetry but I figured those were the obvious ones I knew were logged.

@tsale
Owner

tsale commented Dec 22, 2024

Thanks for providing evidence regarding the File Manipulation and Service Activity categories. I am ok with changing those to "Yes". However, could you please provide more information and evidence regarding the events that you have as "Via EnablingTelemetry"?

Sure, I will send something tomorrow. Honestly it's because we can natively tap into any local system log, so anything in any log can be alerted and automatically collected. So I suspect we actually have a bunch of the other items as Enabling Telemetry but I figured those were the obvious ones I knew were logged.

That sounds great! If you can show us how a user can enable those events and share some evidence that the telemetry for those events is generated after running the telemetry generator script, I’d be happy to go ahead and merge this for you.

@tsale tsale self-assigned this Dec 28, 2024
@tsale tsale added the "waiting for info" (Further information is requested) and "fixing telemetry" labels Dec 28, 2024
Marking fuzzy hash as Yes since we support TLSH.
@maximelb
Contributor Author

Ok, I removed the "with extra data" because frankly I don't feel like figuring out where Linux stores those logs. :)
But I also set the Fuzzy Hash section to True, as I realized that we support TLSH (https://tlsh.org/) across the board, so we support it. Here's a screenshot displaying it:
image

So I think we're good?
