Scale Your Auditing Events Philipp Krenn @xeraa

Learn about a breach From the press or users

Learn about a breach Attackers asking for a ransom

Learn about a breach Cloud provider's bill

Learn about a breach Yourself after the fact

Learn about a breach Yourself & you can prove no harm

No silver bullet

auditd https://github.com/linux-audit

"auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."

Monitor: file and network access, system calls, commands run by a user, security events

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

Demo

Understanding Logs https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/secunderstanding_audit_log_files

More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules

Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/32#issuecomment-395052938

Problem How to centralize?

Developer

Disclaimer I build highly monitored Hello World apps

Filebeat Module: Auditd

Demo


https://cloud.elastic.co

Auditbeat

Auditd Module: correlate related events, resolve UIDs to user names, native Elasticsearch integration

Auditd Module: eBPF powers on older kernels, easier configuration, written in Golang

Docker metadata enrichment

go-libaudit https://github.com/elastic/go-libaudit. go-libaudit is a library for communicating with the Linux Audit Framework.

Demo

File Integrity Module: inotify (Linux), fsevents (macOS), ReadDirectoryChangesW (Windows)

hash_types: blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
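What the File Integrity Module does with those `hash_types`, reduced to its core: take a baseline of every regular file under a path (size, permission bits, digests), take another one later, and report what was created, deleted or changed. The following is an added example, not Auditbeat's file_integrity code or anything from the talk; it polls rather than using inotify/fsevents/ReadDirectoryChangesW, maps the listed digest names onto `hashlib` (the `blake2b_*` names are blake2b at 256/384/512-bit output; `sha512_224`/`sha512_256` exist only when the OpenSSL build behind `hashlib` provides them; `xxh64` is not in the standard library and is left out), and `demo()` builds a constructed temp directory to run against.

```python
"""Minimal file-integrity baseline/diff using hashlib.

Added example, not Auditbeat's file_integrity module and not code from the
talk. demo() creates a constructed temp directory so the block runs offline.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def make_hasher(hash_type):
    """Map Auditbeat's hash_types names onto hashlib constructors."""
    if hash_type == "xxh64":
        raise ValueError("xxh64 is not in hashlib; it needs a third-party package")
    if hash_type.startswith("blake2b_"):
        bits = int(hash_type.split("_", 1)[1])          # blake2b_256 -> 32-byte digest
        return hashlib.blake2b(digest_size=bits // 8)
    return hashlib.new(hash_type)  # md5, sha1, sha2*, sha3_*, sha512_224/256 (OpenSSL permitting)


def digest_bytes(data, hash_type="sha256"):
    h = make_hasher(hash_type)
    h.update(data)
    return h.hexdigest()


def digest_file(path, hash_type="sha256", chunk_size=64 * 1024):
    """Stream the file so large binaries do not get read into memory at once."""
    h = make_hasher(hash_type)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, hash_types=("sha256",)):
    """Baseline of every regular file under root: size, permission bits, digests."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks and special files are not hashed
        baseline[str(path)] = {
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "hashes": {ht: digest_file(path, ht) for ht in hash_types},
        }
    return baseline


def diff_snapshots(before, after):
    """Report created/deleted/updated paths; 'updated' names the attributes that moved."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    updated = {}
    for path in set(before) & set(after):
        changes = [k for k in ("size", "mode", "hashes") if before[path][k] != after[path][k]]
        if changes:
            updated[path] = changes
    return {"created": created, "deleted": deleted, "updated": updated}


def demo():
    """Constructed scenario: baseline a temp dir, tamper with it, diff again."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root, "sshd_config")
        cfg.write_text("PermitRootLogin no\n")
        os.chmod(cfg, 0o644)
        Path(root, "motd").write_text("welcome\n")
        before = snapshot(root, ("sha256", "blake2b_256"))

        cfg.write_text("PermitRootLogin yes\n")   # content (and size) change
        os.chmod(cfg, 0o600)                       # permission change
        Path(root, "motd").unlink()                # deletion
        Path(root, "authorized_keys").write_text("ssh-ed25519 CONSTRUCTED_KEY_PLACEHOLDER\n")  # creation
        after = snapshot(root, ("sha256", "blake2b_256"))
        return before, after, diff_snapshots(before, after)


if __name__ == "__main__":
    _, _, changes = demo()
    for kind, paths in changes.items():
        print(kind, paths)
```

Two design choices worth noting: the mode bits are part of the baseline because a permission change on a config or key file is as much an integrity event as a content change, and the digests are computed per `hash_types` entry so a baseline taken with `sha256` can be compared against one taken later with the same setting (Auditbeat likewise emits one hash field per configured type).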

Demo

PS: Machine Learning

Conclusion

Auditd, Auditbeat: logs, dashboards, ...

Try https://dashboard.xeraa.wtf SSH: elastic-user@xeraa.wtf secret

Code https://github.com/xeraa/auditbeat-in-action

Similar Solutions: https://github.com/slackhq/go-audit and https://github.com/Scribery/aushape

Questions? Philipp Krenn PS: Sticker @xeraa