Windows Subsystem for Linux (WSL): software tool improving monitoring capabilities
Windows Subsystem for Linux (WSL) is a software component allowing to run Linux applications directly on Windows 10 and Windows Server 2019 starting from August 2016.
There are several software projects aimed at running/porting certain GNU/Linux applications to Windows, most known being Cygwin and Minfw-w64. Whereas WSL doesn’t directly replace or obsolete the mentioned software pieces, WSL makes it possible to run, develop and use native Linux applications; starting from version 2 of WSL it is done via a lightweight virtual machine, thus permitting to run authentic Linux kernels instead of a compatibility layer.
WSL quick start
Typical use of WSL is by setting a SSH server on it, started at system boot. If you also enable Cron service, WSL becomes a lightweight tool to gather miscellaneous data and running variety of scripts in lightweight environment.
Typically, WSL SSH server uses internal IP address, not accessible directly from outside, thus enhancing the overall security (since WSL default user account is a sudoer (can run processes with highest possible rights), it’s important to prevent unauthorized access to it. Enabling key-only logon to SSH (configured by default) is the obvious precaution.
Typical (Debian-based – Ubuntu, Kali etc) WSL environment is equipped by many a tool that would require a separate installation in case of Windows. That includes Perl, Python and well-known shell interpreters (such as default bash and fish). That allows efficient scripting out of the box.
Access host file system
Through /mnt mount point, WSL can access host’s (Windows) file system. For example, /mnt/c corresponds to drive C:; other drives/file systems are accessible in similar manner.
By using the above mount point, WSL process can access and monitor “outer” Windows files and do whatever necessary to perform monitoring tasks. Note that access restrictions can be in effect; refer the mentioned WSL documentation for more details.
Host files can be scanned for change, directories (folders) can be monitored for their sizes/other attributes, without using resource-consuming host interfaces, such as WMI.
WSL has a set of networking tools allowing accessing and analyzing various network services. Some of the tools require explicit installing first (that is related to dig, traceroute, whois etc); after that, they can be used to set up corresponding monitoring (checking for connectivity issues, inquiring SSL certificates validity, looking for open ports etc).
WSL can also be used to install a mail server, for monitoring setup internal use. Such a mail service would be inaccessible from outside, thus excluding possible monitoring data leaks
Additionally, WSL can be used to install command-line tools to access popular cloud services, such as AWS, and interact with them safely. That includes securely gathering monitoring data from inside a WSL environment.
Further WSL uses
Microsoft Store contains several WSL environments one can use. If a security-related monitoring is required, Kali distribution can be used; for general purpose tasks, Ubuntu will do. If you needed assistance, or wish to share your WSL experience, feel free to contact us, or just leave a comment below.