Sysmon for Linux Installation Guide

Introduction, Purpose, and Objectives

    The Sysmon for Linux project aims to provide a robust monitoring solution for Linux environments. This guide will cover:
  • What Sysmon for Linux is
  • The benefits it offers for system monitoring and security
  • The installation process and configuration steps
    This project will involve hands-on application and reporting on the functionalities and processes involved in using Sysmon for Linux.


How Sysmon for Linux Works and Its Role in Monitoring

    Sysmon for Linux is designed to log system activities, offering deep insights into key events such as process creation, network connections, and file system changes. Its primary functions include:
  • Event Logging: Captures detailed logs of system events, allowing administrators to track changes and detect anomalies.
  • eBPF Utilization: Leverages Extended Berkeley Packet Filter (eBPF) technology for efficient, low-overhead monitoring directly from the Linux kernel.
  • Cross-Reboot Monitoring: Maintains monitoring capabilities even after system reboots, ensuring continuous oversight.
    The main purpose of Sysmon for Linux is to enhance security by providing comprehensive visibility into system activities. This visibility plays a critical role in incident detection and response, helping organizations identify and address potential threats proactively.

Installation Steps

1. Install Dependencies

a. Install Sysinternals eBPF
Follow the instructions at Sysinternals eBPF Installation Guide:

  • Register Microsoft Key and Feed:
    wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
    sudo dpkg -i packages-microsoft-prod.deb
  • Install Sysinternals eBPF:
    sudo apt-get update
    sudo apt-get install sysinternalsebpf

b. Install .NET 8 SDK

    Follow the instructions at Install .NET on Linux (Ubuntu) (for versions 22.04 and later):

    sudo apt-get update && sudo apt-get install -y dotnet-sdk-8.0

c. Install Clang/LLVM

    Ensure you have Clang/LLVM version 10 or higher installed. You can install it via:

        sudo apt-get install clang

2. Download and Compile Source Code

    cd ~
    git clone --recurse-submodules https://github.com/Sysinternals/SysmonForLinux.git
    cd SysmonForLinux
    mkdir build
    cd build
    cmake ..
    make

3. Run Tests

    To ensure everything is set up correctly, run the unit tests:

    ./sysmonUnitTests

4. Install Sysmon

    Use the following commands to download the configuration file and install Sysmon with it:

  • Download the Configuration File:
        wget https://gist.githubusercontent.com/Cyb3rWard0g/bcf1514cc340197f0076bf1da8954077/raw/293db31bb81c48ff18a591574a6f2bf946282602/SysmonForLinux-CollectAll-Config.xml
  • Install Sysmon:
        sudo ./sysmon -i SysmonForLinux-CollectAll-Config.xml

5. Verify Installation

    Check the status of Sysmon and view the logs to confirm everything is working correctly:

    sudo systemctl status sysmon
    sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView
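Steps 1 through 5 above, gathered into one script as an added example; this is not code from the guide or from the SysmonForLinux project. It assumes an apt-based Ubuntu host with lsb_release, sudo and git available. The extra packages cmake and build-essential, the /tmp download path, the script name and the --install flag are assumptions not stated in the guide. The Clang version floor (10, as the guide requires) and the installed-package check are factored into small functions so they can be exercised without actually running the install.

```shell
#!/bin/sh
# Added example, not from the original guide or the SysmonForLinux project:
# steps 1-5 of the guide as one idempotent script for Ubuntu, with the
# prerequisite checks a practitioner would want before building.
# Assumptions (not stated on the page): apt-based Ubuntu, lsb_release, sudo
# and git present, cmake/build-essential needed for the build, and the gist
# config URL from step 4 still reachable.
set -eu

SYSMON_SRC="${HOME:-/tmp}/SysmonForLinux"
CONFIG_URL="https://gist.githubusercontent.com/Cyb3rWard0g/bcf1514cc340197f0076bf1da8954077/raw/293db31bb81c48ff18a591574a6f2bf946282602/SysmonForLinux-CollectAll-Config.xml"

# clang_major_ok VERSION_LINE
# Succeeds when a "clang version X.Y.Z" line reports major version >= 10,
# the minimum the guide gives. Pure string parsing, so it is testable
# on a host without clang installed.
clang_major_ok() {
    major=$(printf '%s\n' "$1" | sed -n 's/.*clang version \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$major" ] && [ "$major" -ge 10 ]
}

# package_installed NAME
# Succeeds when dpkg reports NAME as installed; used to skip repeated work.
package_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'
}

# Step 1a: register the Microsoft feed and install sysinternalsebpf.
install_sysinternals_ebpf() {
    if ! package_installed sysinternalsebpf; then
        wget -q "https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb" \
            -O /tmp/packages-microsoft-prod.deb
        sudo dpkg -i /tmp/packages-microsoft-prod.deb
        sudo apt-get update
        sudo apt-get install -y sysinternalsebpf
    fi
}

# Steps 1b and 1c: .NET 8 SDK and Clang/LLVM, then enforce the version floor.
# cmake and build-essential are an assumption: the build in step 2 needs them.
install_toolchain() {
    sudo apt-get update
    sudo apt-get install -y dotnet-sdk-8.0 clang cmake build-essential
    clang_major_ok "$(clang --version | head -n 1)" \
        || { echo "clang 10 or newer is required" >&2; exit 1; }
}

# Step 2: clone with submodules and build out of tree.
build_sysmon() {
    if [ ! -d "$SYSMON_SRC" ]; then
        git clone --recurse-submodules https://github.com/Sysinternals/SysmonForLinux.git "$SYSMON_SRC"
    fi
    mkdir -p "$SYSMON_SRC/build"
    cd "$SYSMON_SRC/build"
    cmake ..
    make
}

# Steps 3 and 4: run the unit tests, fetch the config, install the service.
install_sysmon() {
    cd "$SYSMON_SRC/build"
    ./sysmonUnitTests
    wget -q "$CONFIG_URL" -O SysmonForLinux-CollectAll-Config.xml
    sudo ./sysmon -i SysmonForLinux-CollectAll-Config.xml
}

# Step 5: the service must be active; show the newest events decoded.
verify_sysmon() {
    sudo systemctl is-active --quiet sysmon \
        || { echo "sysmon service is not active" >&2; exit 1; }
    sudo tail -n 20 /var/log/syslog | sudo /opt/sysmon/sysmonLogView
}

# Only run the install when asked explicitly, so the file can also be
# sourced just for its helper functions.
if [ "${1:-}" = "--install" ]; then
    install_sysinternals_ebpf
    install_toolchain
    build_sysmon
    install_sysmon
    verify_sysmon
fi
```

Run it as `sh install-sysmon.sh --install`; without the flag the file only defines its functions. The configuration file is fetched from a third-party gist (pinned to one revision by its URL) and is then loaded by sysmon running as root, so read it before the install step; a collect-all ruleset is also verbose, so expect a high event volume in /var/log/syslog until you tune it.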

Conclusion

By following these steps, you will successfully install and configure Sysmon for Linux on your Ubuntu machine, enabling enhanced monitoring and logging of system activities.

References:

1. https://github.com/Sysinternals/SysmonForLinux/blob/main/BUILD.md

2. https://github.com/Sysinternals/SysinternalsEBPF/blob/main/INSTALL.md

3. https://learn.microsoft.com/en-us/dotnet/core/install/linux-ubuntu-install?pivots=os-linux-ubuntu-2404&tabs=dotnet8

4. https://www.linkedin.com/pulse/sysmon-linux-walk-through-arnold-van-wijnbergen/

