Auditd for the Masses Philipp Krenn @xeraa

Learn about a breach:
From the press or users
Attackers asking for a ransom
Cloud provider's bill
Yourself after the fact
Yourself but unsure about harm
Yourself & you can prove no harm

No silver bullet!

Questions: https://sli.do/xeraa Answers: https://twitter.com/xeraa

auditd https://github.com/linux-audit

"auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."

Watching file access
Monitoring system calls
Recording commands run by a user
Recording security events
Monitoring network access

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

Demo

More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules

Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/32#issuecomment-395052938

Problem: How to centralize?

Infrastructure | Developer

Disclaimer I build highly monitored Hello World apps

Filebeat Module: Auditd

Demo

Auditbeat

Auditd Module:
Correlate related events
Resolve UIDs to user names
Native Elasticsearch integration
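What "correlate related events" and "resolve UIDs to user names" mean in practice, as an added example (not Auditbeat's or the Filebeat module's own code): raw auditd writes one syscall as several records (SYSCALL, CWD, PATH, EXECVE) that share the same audit(timestamp:serial) id, and the parser below stitches them back into one event. The log lines and the passwd map are constructed for the example; on a real host the names would come from pwd.getpwuid().

```python
import re

# Constructed sample of raw auditd records (not from the slides): a denied read
# of sshd_config and an execve, each spread over several records with one msg id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1530000000.123:4242): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0 a2=0 a3=0 items=1 ppid=1801 pid=1900 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=CWD msg=audit(1530000000.123:4242): cwd="/home/alice"
type=PATH msg=audit(1530000000.123:4242): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1530000000.456:4243): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1801 pid=1901 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1530000000.456:4243): argc=2 a0="id" a1="-u"
"""

# Constructed stand-in for /etc/passwd (assumption); use pwd.getpwuid() on a real host.
PASSWD = {0: "root", 1000: "alice"}

_MSG = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Split one raw auditd line into (type, timestamp, serial, fields)."""
    m = _MSG.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    return rtype, float(ts), int(serial), fields


def correlate(raw, passwd=PASSWD):
    """Group records by audit(ts:serial) and build one enriched event per group."""
    events = {}
    for line in raw.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # unparsable line: skip rather than abort the whole batch
        rtype, ts, serial, f = rec
        ev = events.setdefault((ts, serial), {"timestamp": ts, "serial": serial, "paths": [], "argv": []})
        if rtype == "SYSCALL":
            for k in ("syscall", "success", "comm", "exe", "key"):
                ev[k] = f.get(k)
            for uid_field in ("auid", "uid"):  # auid = login user, uid = effective at call time
                uid = int(f.get(uid_field, "-1"))
                ev[uid_field] = uid
                ev[uid_field + "_name"] = passwd.get(uid, str(uid))  # unknown/unset uid stays numeric
        elif rtype == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(f.get("name"))
        elif rtype == "EXECVE":
            ev["argv"] = [f[f"a{i}"] for i in range(int(f["argc"]))]
    return [events[k] for k in sorted(events)]
```

The second event shows why both auid and uid matter: the login user is alice, but the command ran as root.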

Auditd Module:
eBPF powers on older kernels
Run side by side with Auditd
Easier configuration

Docker metadata enrichment

Demo

File Integrity Module:
inotify (Linux)
fsevents (macOS)
ReadDirectoryChangesW (Windows)

hash_types: blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64

Demo

See moar Kibana visualizations & dashboards

Demo

PS: Machine Learning

Conclusion

Auditd, Auditbeat, Logs, Dashboards, ...


https://cloud.elastic.co

Next Steps https://dashboard.xeraa.wtf SSH: elastic-user@xeraa.wtf secret

Questions? Philipp Krenn @xeraa PS: Sticker