Scale Your Auditing Events Philipp Krenn @xeraa
Slide 1
Slide 2
Slide 3
Slide 4
No silver bullet
Slide 5
uditd https://github.com/linux-audit
Slide 6
"auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."
Slide 7
Monitor File and network access System calls Commands run by a user Security events
Slide 8
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
Slide 9
Demo
Slide 10
Understanding Logs https://access.redhat.com/documentation/en-us/ red_hat_enterprise_linux/7/html/security_guide/secunderstanding_audit_log_files
Slide 11
More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules
Slide 12
Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/ 32#issuecomment-395052938
Slide 13
Slide 14
Problem How to centralize?
Slide 15
Developer
Slide 16
Disclaimer I build highly monitored Hello World apps
Slide 17
Slide 18
Slide 19
Slide 20
Slide 21
Slide 22
Slide 23
Filebeat Module: Auditd
Slide 24
Demo
Slide 25
!
Slide 26
!"
Slide 27
https://cloud.elastic.co
Slide 28
Auditbeat
Slide 29
Auditd Module Correlate related events Resolve UIDs to user names Native Elasticsearch integration
Slide 30
Auditd Module eBPF powers on older kernels Run side by side with Auditd Easier configuration
Slide 31
Docker metadata enrichment
Slide 32
Demo
Slide 33
File Integrity Module inotify (Linux) fsevents (macOS) ReadDirectoryChangesW (Windows)
Slide 34
hash_types blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
Slide 35
Demo
Slide 36
Conclusion
Slide 37
Slide 38
Auditd Auditbeat Logs, Dashboards,...
Slide 39
Try https://dashboard.xeraa.wtf SSH: elastic-user@xeraa.wtf secret
Slide 40
Code https://github.com/xeraa/auditbeatin-action
Slide 41
Questions? Philipp Krenn PS: Sticker @xeraa
