Scale Your Auditing Events

A presentation at BSides Stuttgart in May 2019 in Quellenstraße 7a, 70376 Stuttgart, Germany by Philipp Krenn

Slide 1

Slide 1

Scale Your Auditing Events Philipp Krenn @xeraa

Slide 2

Slide 2

Slide 3

Slide 3

Learn about a breach From the press or users

Slide 4

Slide 4

Learn about a breach Attackers asking for a ransom

Slide 5

Slide 5

Learn about a breach Cloud provider’s bill

Slide 6

Slide 6

Learn about a breach Yourself after the fact

Slide 7

Slide 7

Learn about a breach Yourself & you can prove no harm

Slide 8

Slide 8

Slide 9

Slide 9

No silver bullet

Slide 10

Slide 10

uditd https://github.com/linux-audit

Slide 11

Slide 11

“auditd is the userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities.”

Slide 12

Slide 12

Monitor File and network access System calls Commands run by a user Security events

Slide 13

Slide 13

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

Slide 14

Slide 14

Demo

Slide 15

Slide 15

Understanding Logs https://access.redhat.com/documentation/en-us/ red_hat_enterprise_linux/7/html/security_guide/secunderstanding_audit_log_files

Slide 16

Slide 16

More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules

Slide 17

Slide 17

Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/ 32#issuecomment-395052938

Slide 18

Slide 18

Slide 19

Slide 19

Problem How to centralize?

Slide 20

Slide 20

Developer

Slide 21

Slide 21

Disclaimer I build highly monitored Hello World apps

Slide 22

Slide 22

Slide 23

Slide 23

Slide 24

Slide 24

Slide 25

Slide 25

Slide 26

Slide 26

Slide 27

Slide 27

Filebeat Module: Auditd

Slide 28

Slide 28

Demo

Slide 29

Slide 29

!

Slide 30

Slide 30

!”

Slide 31

Slide 31

https://cloud.elastic.co

Slide 32

Slide 32

Auditbeat

Slide 33

Slide 33

Auditd Module Correlate related events Resolve UIDs to user names Native Elasticsearch integration

Slide 34

Slide 34

Auditd Module eBPF powers on older kernels Easier configuration Written in Golang

Slide 35

Slide 35

Slide 36

Slide 36

go-libaudit https://github.com/elastic/go-libaudit go-libaudit is a library for communicating with the Linux Audit Framework

Slide 37

Slide 37

Demo

Slide 38

Slide 38

System Module Easier configuration for host, process, socket, user Added in 6.6 — not based on Auditd

Slide 39

Slide 39

Demo

Slide 40

Slide 40

File Integrity Module inotify (Linux) fsevents (macOS) ReadDirectoryChangesW (Windows)

Slide 41

Slide 41

hash_types blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64

Slide 42

Slide 42

Demo

Slide 43

Slide 43

Conclusion

Slide 44

Slide 44

Slide 45

Slide 45

Auditd Auditbeat Logs, Dashboards,…

Slide 46

Slide 46

Slide 47

Slide 47

Code https://github.com/xeraa/ auditbeat-in-action

Slide 48

Slide 48

Similar Solutions https://github.com/slackhq/go-audit https://github.com/Scribery/aushape

Slide 49

Slide 49

Questions? Philipp Krenn PS: Sticker @xeraa