Scale Your Auditing Events Philipp Krenn @xeraa
Slide 1
Slide 2
Slide 3
Learn about a breach From the press or users
Slide 4
Learn about a breach Attackers asking for a ransom
Slide 5
Learn about a breach Cloud provider's bill
Slide 6
Learn about a breach Yourself after the fact
Slide 7
Learn about a breach Yourself & you can prove no harm
Slide 8
Slide 9
No silver bullet
Slide 10
uditd https://github.com/linux-audit
Slide 11
"auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."
Slide 12
Monitor File and network access System calls Commands run by a user Security events
Slide 13
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
Slide 14
Demo
Slide 15
Understanding Logs https://access.redhat.com/documentation/en-us/ red_hat_enterprise_linux/7/html/security_guide/secunderstanding_audit_log_files
Slide 16
More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules
Slide 17
Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/ 32#issuecomment-395052938
Slide 18
Slide 19
Problem How to centralize?
Slide 20
Developer
Slide 21
Disclaimer I build highly monitored Hello World apps
Slide 22
Slide 23
Slide 24
Slide 25
Slide 26
Slide 27
Slide 28
Filebeat Module: Auditd
Slide 29
Demo
Slide 30
!
Slide 31
!"
Slide 32
https://cloud.elastic.co
Slide 33
Auditbeat
Slide 34
Auditd Module Correlate related events Resolve UIDs to user names Native Elasticsearch integration
Slide 35
Auditd Module eBPF powers on older kernels Easier configuration Written in Golang
Slide 36
Docker metadata enrichment
Slide 37
go-libaudit https://github.com/elastic/go-libaudit go-libaudit is a library for communicating with the Linux Audit Framework
Slide 38
Demo
Slide 39
File Integrity Module inotify (Linux) fsevents (macOS) ReadDirectoryChangesW (Windows)
Slide 40
hash_types blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
Slide 41
Demo
Slide 42
PS: Machine Learning
Slide 43
Slide 44
Slide 45
Conclusion
Slide 46
Slide 47
Auditd Auditbeat Logs, Dashboards,...
Slide 48
Try https://dashboard.xeraa.wtf SSH: elastic-user@xeraa.wtf secret
Slide 49
Code https://github.com/xeraa/ auditbeat-in-action
Slide 50
Similar Solutions https://github.com/slackhq/go-audit https://github.com/Scribery/aushape
Slide 51
Questions? Philipp Krenn PS: Sticker @xeraa
