Landlock, a Linux Security Module available since kernel 5.13 and hooked into the audit subsystem in 6.15, can both harden applications and supply precise, low-false-positive telemetry for detection engineering. The article walks through Landlock's logging of filesystem and network denials, its adoption by tools such as XZ Utils, and how Sekoia turns go-libaudit output into Sigma detections. #Landlock #XZUtils
Keypoints
- Landlock is an LSM available since Linux 5.13 that lets a process sandbox itself (and its children); since kernel 6.15 its denials are reported through the audit subsystem.
- When a program sandboxes itself with Landlock, denied actions (e.g., execve, openat, connect) are emitted as dedicated audit records that are well suited to detection engineering. By default only denials in the process that enforced the sandbox are logged; logging for the programs it then executes has to be requested explicitly when the sandbox is enforced.
- Sekoia demonstrates two policies: a filesystem policy (root read-only, /tmp writable) and a network policy (outbound TCP to port 443 only); denials under each produce detailed audit events.
- go-libaudit reassembles the multi-record Landlock audit messages into single structured events, on which Sekoia builds Sigma rules keyed on the enriched fields (e.g., the action.properties.domain and blockers keys).
- Landlock lets defenders observe and alert on attempted abuse (exploitation attempts, LD_PRELOAD hijacks) and blocks simple malicious actions outright while still emitting the telemetry.
- Attackers have treated Landlock as an obstacle: the XZ Utils backdoor (CVE-2024-3094) disabled the project's Landlock sandbox through a sabotaged build check, illustrating both Landlock's adoption in legitimate tooling and its relevance to threat actors.
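The two policies above (root read-only with /tmp writable; outbound TCP to port 443 only), built and enforced from Python through the three Landlock syscalls, with logging kept on for the executed program so that its denials reach auditd. This is an added example for this summary, not code from the Sekoia article or from the Landlock project; the constants and struct layouts follow the kernel UAPI header linux/landlock.h, the syscall numbers 444-446 are the x86_64 and asm-generic (aarch64) values, and the script name landlock_sandbox.py is assumed. It probes the ABI version first so that it does not request rights or struct fields the running kernel does not know, and it is a no-op on kernels without Landlock.

```python
"""Self-sandbox with Landlock via ctypes, then exec a command under the
article's policy: root read-only, /tmp writable, outbound TCP only to port
443, denial logging kept on across execve.

Added example, not the article's or the Landlock project's code.  Constants
and struct layouts follow <linux/landlock.h>; syscall numbers 444-446 are the
x86_64 / asm-generic values.  Usage: python3 landlock_sandbox.py curl https://example.org/
"""
import ctypes
import os
import sys

SYS_LANDLOCK_CREATE_RULESET, SYS_LANDLOCK_ADD_RULE, SYS_LANDLOCK_RESTRICT_SELF = 444, 445, 446
PR_SET_NO_NEW_PRIVS = 38
LANDLOCK_CREATE_RULESET_VERSION = 1 << 0
LANDLOCK_RULE_PATH_BENEATH, LANDLOCK_RULE_NET_PORT = 1, 2
# restrict_self() flag (ABI 6, kernel 6.15): also log denials of programs
# exec'd from this domain; without it only the sandboxing process is logged.
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON = 1 << 1

# name -> (bit, Landlock ABI version that introduced the right)
FS_RIGHTS = {
    "execute": (1 << 0, 1), "write_file": (1 << 1, 1), "read_file": (1 << 2, 1),
    "read_dir": (1 << 3, 1), "remove_dir": (1 << 4, 1), "remove_file": (1 << 5, 1),
    "make_char": (1 << 6, 1), "make_dir": (1 << 7, 1), "make_reg": (1 << 8, 1),
    "make_sock": (1 << 9, 1), "make_fifo": (1 << 10, 1), "make_block": (1 << 11, 1),
    "make_sym": (1 << 12, 1), "refer": (1 << 13, 2), "truncate": (1 << 14, 3),
    "ioctl_dev": (1 << 15, 5),
}
NET_RIGHTS = {"bind_tcp": (1 << 0, 4), "connect_tcp": (1 << 1, 4)}
FS_READ_ONLY = {"execute", "read_file", "read_dir"}


def rights_mask(table, abi, names=None):
    """OR of the rights in `table` (all, or only `names`) that ABI `abi` knows.
    Handling a right the running kernel does not know fails with EINVAL, so the
    handled mask must be trimmed to the probed ABI version."""
    return sum(bit for name, (bit, since) in table.items()
               if abi >= since and (names is None or name in names))


class RulesetAttr(ctypes.Structure):
    _fields_ = [("handled_access_fs", ctypes.c_uint64),
                ("handled_access_net", ctypes.c_uint64)]


class PathBeneathAttr(ctypes.Structure):
    _pack_ = 1  # the UAPI struct is __attribute__((packed))
    _fields_ = [("allowed_access", ctypes.c_uint64), ("parent_fd", ctypes.c_int32)]


class NetPortAttr(ctypes.Structure):
    _fields_ = [("allowed_access", ctypes.c_uint64), ("port", ctypes.c_uint64)]


_libc = ctypes.CDLL(None, use_errno=True) if sys.platform == "linux" else None
if _libc is not None:
    _libc.syscall.restype = ctypes.c_long


def _syscall(nr, *args):
    ret = _libc.syscall(ctypes.c_long(nr), *args)
    if ret < 0:
        err = ctypes.get_errno()
        raise OSError(err, "syscall %d: %s" % (nr, os.strerror(err)))
    return ret


def landlock_abi_version():
    """Highest Landlock ABI the kernel supports; -1 if Landlock is missing,
    disabled at boot, or filtered (ENOSYS, EOPNOTSUPP, EPERM)."""
    if _libc is None:
        return -1
    try:
        return _syscall(SYS_LANDLOCK_CREATE_RULESET, None, ctypes.c_size_t(0),
                        ctypes.c_uint32(LANDLOCK_CREATE_RULESET_VERSION))
    except OSError:
        return -1


def _add_rule(fd, rule_type, attr):
    _syscall(SYS_LANDLOCK_ADD_RULE, ctypes.c_int(fd), ctypes.c_uint32(rule_type),
             ctypes.byref(attr), ctypes.c_uint32(0))


def enforce_sandbox(abi, writable=("/tmp",), tcp_ports=(443,)):
    """Deny every handled right except read under /, read+write under
    `writable`, and TCP connect to `tcp_ports` (TCP bind stays denied)."""
    handled_fs = rights_mask(FS_RIGHTS, abi)
    handled_net = rights_mask(NET_RIGHTS, abi)
    attr = RulesetAttr(handled_fs, handled_net)
    # Kernels before ABI 4 do not know handled_access_net: pass only the first
    # 8 bytes so they do not reject the struct with E2BIG.
    fd = _syscall(SYS_LANDLOCK_CREATE_RULESET, ctypes.byref(attr),
                  ctypes.c_size_t(16 if abi >= 4 else 8), ctypes.c_uint32(0))
    try:
        for path, allowed in [("/", rights_mask(FS_RIGHTS, abi, FS_READ_ONLY))] + \
                             [(p, handled_fs) for p in writable]:
            parent = os.open(path, os.O_PATH | os.O_CLOEXEC)
            try:
                _add_rule(fd, LANDLOCK_RULE_PATH_BENEATH, PathBeneathAttr(allowed, parent))
            finally:
                os.close(parent)
        for port in (tcp_ports if handled_net else ()):
            _add_rule(fd, LANDLOCK_RULE_NET_PORT,
                      NetPortAttr(rights_mask(NET_RIGHTS, abi, {"connect_tcp"}), port))
        if _libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:  # required by Landlock
            raise OSError(ctypes.get_errno(), "prctl(PR_SET_NO_NEW_PRIVS)")
        flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON if abi >= 6 else 0
        _syscall(SYS_LANDLOCK_RESTRICT_SELF, ctypes.c_int(fd), ctypes.c_uint32(flags))
    finally:
        os.close(fd)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: landlock_sandbox.py COMMAND [ARGS...]")
    abi = landlock_abi_version()
    if abi < 1:
        sys.exit("Landlock is not available on this kernel")
    enforce_sandbox(abi)
    os.execvp(sys.argv[1], sys.argv[1:])  # denials from here on are audited
```

Run as `python3 landlock_sandbox.py curl http://google.com` on a 6.15 kernel with auditd running and the connect to port 80 is refused with EACCES while a LANDLOCK_ACCESS record for the denial lands in the audit log; drop the LOG_NEW_EXEC_ON flag and the same denial happens silently, which is the default a detection engineer has to be aware of.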
MITRE Techniques
- [T1190 ] Exploit Public-Facing Application – Used in the example vulnerable web server, where a crafted request tries to read a file outside the allowed directory (‘/etc/passwd’).
- [T1059 ] Command and Scripting Interpreter – Execution of new programs from a sandboxed process is covered and audited through the execve() system call (‘execve() system call’).
- [T1574 ] Hijack Execution Flow – LD_PRELOAD library injection is used to hijack the write() function and launch ‘ls /tmp’ as a demonstration (‘LD_PRELOAD hijacking technique’).
- [T1083 ] File and Directory Discovery – Attempts to open files outside the allowed paths are denied via openat and logged; the article's examples include the sandboxed path ‘/home/user/sandbox_c’ and a denied openat of ‘/etc/passwd’.
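The detection side of the pipeline for the behaviours listed above and for the go-libaudit-to-Sigma flow in the keypoints: raw Landlock audit records are grouped by audit sequence number into one structured event per denial, enriched with the sandboxing process remembered from the domain's LANDLOCK_DOMAIN record, and then run through Sigma-style selections. This is an added example for this summary, not code from the article, go-libaudit or the Sigma project. The sample records are constructed and modelled on the key=value layout the kernel documents for LANDLOCK_ACCESS and LANDLOCK_DOMAIN records in 6.15 (domain id, blockers, path or daddr/dest); real auditd output carries more fields and different identifiers, and the matcher implements only a subset of Sigma (one selection, `contains`/`startswith` modifiers, OR over list values, AND over keys).

```python
"""Reassemble raw Landlock audit records into structured events and run
Sigma-style detections over them (added example; not the article's,
go-libaudit's or Sigma's code).  SAMPLE_AUDIT_LOG is constructed to follow the
LANDLOCK_ACCESS / LANDLOCK_DOMAIN key=value layout documented for kernel 6.15;
real auditd output has more fields and different ids."""
import re
from collections import defaultdict

# Constructed sample: seq 30 is the web server reading /etc/passwd, 31 is curl to
# port 80 under a 443-only policy, 32 is an execve from the same server domain
# (an LD_PRELOAD-style hijack), 33 is a write inside the web root.
SAMPLE_AUDIT_LOG = """\
type=LANDLOCK_ACCESS msg=audit(1729738800.268:30): domain=195ba459b blockers=fs_read_file path="/etc/passwd" dev="vda2" ino=1234
type=LANDLOCK_DOMAIN msg=audit(1729738800.268:30): domain=195ba459b status=allocated mode=enforcing pid=300 uid=33 exe="/usr/sbin/httpd" comm="httpd"
type=SYSCALL msg=audit(1729738800.268:30): arch=c000003e syscall=257 success=no exit=-13 pid=300 uid=33 comm="httpd" exe="/usr/sbin/httpd"
type=LANDLOCK_ACCESS msg=audit(1729738801.102:31): domain=1a2b3c4d blockers=net_connect_tcp daddr=142.250.179.110 dest=80
type=LANDLOCK_DOMAIN msg=audit(1729738801.102:31): domain=1a2b3c4d status=allocated mode=enforcing pid=301 uid=1000 exe="/usr/bin/curl" comm="curl"
type=SYSCALL msg=audit(1729738801.102:31): arch=c000003e syscall=42 success=no exit=-13 pid=301 uid=1000 comm="curl" exe="/usr/bin/curl"
type=LANDLOCK_ACCESS msg=audit(1729738802.500:32): domain=195ba459b blockers=fs_execute path="/usr/bin/ls" dev="vda2" ino=5678
type=SYSCALL msg=audit(1729738802.500:32): arch=c000003e syscall=59 success=no exit=-13 pid=300 uid=33 comm="httpd" exe="/usr/sbin/httpd"
type=LANDLOCK_ACCESS msg=audit(1729738803.010:33): domain=195ba459b blockers=fs_write_file path="/var/lib/htdocs/index.html" dev="vda2" ino=91
type=SYSCALL msg=audit(1729738803.010:33): arch=c000003e syscall=257 success=no exit=-13 pid=300 uid=33 comm="httpd" exe="/usr/sbin/httpd"
"""

_RECORD = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_NAMES = {42: "connect", 59: "execve", 257: "openat"}  # x86_64 numbers


def parse_record(line):
    """One audit line -> dict of its key=value fields plus type/ts/seq."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group(4))}
    return dict(fields, type=m.group(1), ts=float(m.group(2)), seq=int(m.group(3)))


def assemble_events(lines):
    """Group records by audit sequence number (what go-libaudit's coalescing
    does), merge them into one event per denial, and enrich it with the
    sandboxing process from the domain's LANDLOCK_DOMAIN record, which the
    kernel emits only once per domain, on its first denial."""
    by_seq = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_seq[rec["seq"]].append(rec)
    domains, events = {}, []
    for seq in sorted(by_seq):
        recs = by_seq[seq]
        if not any(r["type"] == "LANDLOCK_ACCESS" for r in recs):
            continue  # not a Landlock denial
        ev = {}
        for r in recs:
            if r["type"] == "LANDLOCK_DOMAIN":
                domains[r["domain"]] = {"domain_exe": r.get("exe"),
                                        "domain_comm": r.get("comm"), "mode": r.get("mode")}
            else:
                ev.update((k, v) for k, v in r.items() if k != "type")
        ev["blockers"] = ev.get("blockers", "").split(",")
        ev.update(domains.get(ev.get("domain"), {}))
        if "syscall" in ev:
            ev["syscall_name"] = SYSCALL_NAMES.get(int(ev["syscall"]), ev["syscall"])
        events.append(ev)
    return events


RULES = [  # one Sigma-like "selection" per rule, field|modifier keys as in Sigma
    {"title": "Landlock denied read of a credential file",
     "selection": {"blockers|contains": "fs_read_file",
                   "path": ["/etc/passwd", "/etc/shadow"]}},
    {"title": "Landlock denied program execution from a sandboxed service",
     "selection": {"blockers|contains": "fs_execute", "syscall_name": "execve"}},
    {"title": "Landlock denied outbound TCP connection",
     "selection": {"blockers|contains": "net_connect_tcp"}},
]


def _field_matches(value, wanted, modifier):
    if value is None:
        return False
    if isinstance(value, list):  # e.g. blockers=fs_read_file,fs_write_file
        return any(_field_matches(v, wanted, modifier) for v in value)
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        if (modifier == "contains" and w in value) or \
           (modifier == "startswith" and value.startswith(w)) or \
           (modifier == "" and value == w):
            return True
    return False


def rule_matches(rule, event):
    return all(_field_matches(event.get(key.partition("|")[0]), wanted, key.partition("|")[2])
               for key, wanted in rule["selection"].items())


def run_detections(lines, rules=RULES):
    """Return (rule title, event) for every rule that fires on every event."""
    return [(rule["title"], ev) for ev in assemble_events(lines)
            for rule in rules if rule_matches(rule, ev)]


if __name__ == "__main__":
    for title, ev in run_detections(SAMPLE_AUDIT_LOG.splitlines()):
        target = ev.get("path") or f"{ev.get('daddr')}:{ev.get('dest')}"
        print(f"[{title}] seq={ev['seq']} exe={ev.get('exe')} "
              f"domain_exe={ev.get('domain_exe')} target={target}")
```

On the sample, the write inside the web root (seq 33) is denied by the policy but fires no rule, which is the point of building detections on top of the blockers and path fields rather than alerting on every denial; the execve event (seq 32) still carries the sandboxing process because the domain table was filled from the LANDLOCK_DOMAIN record of the earlier denial.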
Indicators of Compromise
- [IP Address ] blocked network connection observed in audit data – 142.250.179.110 (destination seen in the net.connect_tcp event; this is the article's own test target, a Google address, not attacker infrastructure)
- [Domain ] outbound domain used in the test – google.com (curl to http://google.com, i.e. TCP port 80, was denied by the port-443-only policy)
- [File path / filename ] filesystem access attempts and sandboxed paths – /home/user/sandbox_c, /var/lib/htdocs (web server allowed directory)
- [Executable / Binary ] commands and executables observed in logs and tests – /usr/bin/curl, /usr/bin/touch (process names in Landlock audit events)
- [Software / Version ] affected or referenced packages and builds – XZ Utils 5.6.0 and 5.6.1 (backdoored release tarballs); 5.8.1 and 5.0.8 are also referenced in the article's tests
- [CVE ] known vulnerability referenced – CVE-2024-3094 (supply chain incident involving XZ Utils)
Read more: https://blog.sekoia.io/leveraging-landlock-telemetry-for-linux-detection-engineering/