Scale Your Auditing Events Philipp Krenn @xeraa
Slide 1
Slide 2
Slide 3
Learn about a breach From the press or users
Slide 4
Learn about a breach Attackers asking for a ransom
Slide 5
Learn about a breach Cloud provider’s bill
Slide 6
Learn about a breach Yourself after the fact
Slide 7
Learn about a breach Yourself & you can prove no harm
Slide 8
Slide 9
No silver bullet
Slide 10
uditd https://github.com/linux-audit
Slide 11
“auditd is the userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities.”
Slide 12
Monitor File and network access System calls Commands run by a user Security events
Slide 13
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
Slide 14
Demo
Slide 15
Understanding Logs https://access.redhat.com/documentation/en-us/ red_hat_enterprise_linux/7/html/security_guide/secunderstanding_audit_log_files
Slide 16
More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules
Slide 17
Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/ 32#issuecomment-395052938
Slide 18
Slide 19
Problem How to centralize?
Slide 20
Developer
Slide 21
Disclaimer I build highly monitored Hello World apps
Slide 22
Slide 23
Slide 24
Slide 25
Slide 26
Slide 27
Filebeat Module: Auditd
Slide 28
Demo
Slide 29
!
Slide 30
!”
Slide 31
https://cloud.elastic.co
Slide 32
Auditbeat
Slide 33
Auditd Module Correlate related events Resolve UIDs to user names Native Elasticsearch integration
Slide 34
Auditd Module eBPF powers on older kernels Easier configuration Written in Golang
Slide 35
Slide 36
go-libaudit https://github.com/elastic/go-libaudit go-libaudit is a library for communicating with the Linux Audit Framework
Slide 37
Demo
Slide 38
System Module Easier configuration for host, process, socket, user Added in 6.6 — not based on Auditd
Slide 39
Demo
Slide 40
File Integrity Module inotify (Linux) fsevents (macOS) ReadDirectoryChangesW (Windows)
Slide 41
hash_types blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
Slide 42
Demo
Slide 43
Conclusion
Slide 44
Slide 45
Auditd Auditbeat Logs, Dashboards,…
Slide 46
Slide 47
Code https://github.com/xeraa/ auditbeat-in-action
Slide 48
Similar Solutions https://github.com/slackhq/go-audit https://github.com/Scribery/aushape
Slide 49
Questions? Philipp Krenn PS: Sticker @xeraa
