
Présentation Clever Audit


Page 1: Présentation Clever Audit

ES as a security auditing tool – Elastic Meetup 20161026 – Blue Infinity

Open Source infrastructure specialists in Geneva

Jérôme Steunenberg (co-founder)

https://www.meetup.com/fr-FR/Geneve-Open-Source-Meetup/

Thank you BI!

Thank you Elastic Meetup!

Page 2: Présentation Clever Audit


Origins: “We want to know everything that happens on our Unix servers” (client request)

Translation: “Our auditors want us to know who did what, when and where, even for root users”

Page 3: Présentation Clever Audit


Solution 1: lock su and use sudo with logging. Drawbacks: anyone a little bit skilled can sudo into a program and spawn a shell, then they’re invisible.

Solution 2: use an SSH bastion solution (e.g. Wallix, Balabit) that records sessions. Drawbacks: SPOF, complex, licensing per server.

Solution 3: use a keylogger. Drawbacks: logs passwords, very difficult to search.

Solution 4: other tricks exist, such as using the PROMPT_COMMAND environment variable to log all commands. Drawbacks: very easily circumvented.

Page 4: Présentation Clever Audit


auditd + beats + logstash + ES + Kibana

Page 5: Présentation Clever Audit


Auditd presentation

http://itsitrc.blogspot.ch/2012/12/the-linux-auditing-system-auditd.html

Page 6: Présentation Clever Audit


    # Delete all previous rules
    -D

    # Set buffer size
    -b 8192

    # Audit all changes to local time
    -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
    -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
    -a always,exit -F arch=b64 -S clock_settime -k time-change
    -a always,exit -F arch=b32 -S clock_settime -k time-change
    -w /etc/localtime -p wa -k time-change

    # Audit all changes to identity files
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/security/opasswd -p wa -k identity

    ...

    # Make the configuration immutable -- must be the last line, since once the
    # kernel is immutable any rule loaded after it is rejected; reboot is required
    # to change audit rules
    -e 2

Auditd sample configuration

Page 7: Présentation Clever Audit


    # Log all processes
    -a exit,always -F arch=b64 -S execve -k logall
    -a exit,always -F arch=b32 -S execve -k logall

Log all process spawns
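A rules file like the two slides above is easy to get subtly wrong: an `-e 2` placed before the rules silently rejects everything after it, a rule without `-k` cannot be filtered on in Kibana, and an execve rule for only one architecture leaves 32-bit binaries unaudited. The following linter is an added example, not code from the deck or from Blue Infinity; `check_rules` and the sample rules text are my own construction, built from the deck's rules.

```python
"""Sanity-check an auditd rules file before it is loaded.

Added example, not the deck's code. It checks the properties the deck's rules
rely on:
  * -D (flush) is the first active line and -e 2 (immutable), when present, is
    the last one: once the kernel is immutable every later -a/-w line is rejected;
  * every -a/-w rule carries a -k key, because the keys (time-change, identity,
    logall) are what the Logstash/Kibana side filters on;
  * syscall rules under a given key exist for both arch=b64 and arch=b32, so a
    32-bit binary cannot bypass the execve rule.
"""
import shlex

# Constructed sample (the deck's rules, with -e 2 placed after the rules).
SAMPLE_RULES = """
# Delete all previous rules
-D
# Set buffer size
-b 8192
# Audit all changes to identity files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
# Log all processes
-a exit,always -F arch=b64 -S execve -k logall
-a exit,always -F arch=b32 -S execve -k logall
# Make the configuration immutable (must stay last)
-e 2
"""


def active_lines(text):
    """Rule lines with comments and blank lines removed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def parse_rule(line):
    """Split one auditctl line into {option: [values]}, e.g. {'-S': ['execve'], '-k': ['logall']}."""
    opts, toks, i = {}, shlex.split(line), 0
    while i < len(toks):
        opt, i = toks[i], i + 1
        vals = []
        while i < len(toks) and not toks[i].startswith("-"):
            vals.append(toks[i])
            i += 1
        opts.setdefault(opt, []).extend(vals)
    return opts


def check_rules(text):
    """Return the list of problems found; an empty list means the file passes."""
    problems = []
    lines = active_lines(text)
    if not lines:
        return ["no active rules"]
    if lines[0] != "-D":
        problems.append("first active line should be -D so stale rules are flushed")
    if any(ln.startswith("-e") for ln in lines[:-1]):
        problems.append("-e must be the last line: rules after it are rejected in immutable mode")
    arches_by_key = {}  # key -> set of arch values seen in -a rules
    for ln in lines:
        opts = parse_rule(ln)
        if "-a" not in opts and "-w" not in opts:
            continue  # -D, -b, -e ... carry no key
        key = ",".join(opts.get("-k", []))
        if not key:
            problems.append(f"rule without -k key: {ln}")
        if "-a" in opts:
            for f in opts.get("-F", []):
                if f.startswith("arch="):
                    arches_by_key.setdefault(key, set()).add(f[len("arch="):])
    for key, arches in arches_by_key.items():
        if arches != {"b32", "b64"}:
            problems.append(f"syscall rules with key '{key}' cover {sorted(arches)} only; "
                            "both arch=b32 and arch=b64 are needed")
    return problems


if __name__ == "__main__":
    for p in check_rules(SAMPLE_RULES) or ["rules file OK"]:
        print(p)
```

The arch check is per key rather than per rule on purpose: the deck's b32 time-change rule adds `-S stime`, which has no 64-bit counterpart, so comparing rules one by one would raise a false alarm there.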

Page 8: Présentation Clever Audit


Page 9: Présentation Clever Audit


    # /etc/filebeat/filebeat.yml
    filebeat:
      prospectors:
        - paths:
            - /var/log/audisp-simplify
          input_type: log
          scan_frequency: 1s
      registry_file: /var/lib/filebeat/registry
    output:
      logstash:
        hosts: ["localhost:5044"]
    shipper:
    logging:
      files:
        path: /var/log
        name: filebeat
        rotateeverybytes: 10485760 # = 10MB
        keepfiles: 7
      level: info

Page 10: Présentation Clever Audit


    # /etc/logstash/conf.d/beats.conf
    input {
      beats {
        port => 5044
        ssl => false
      }
    }
    filter {
      grok {
        match => { "message" => 'type=EXECVE key=(logall)? auditid=%{NUMBER:auditid} time="%{TIMESTAMP_ISO8601:time}" hostname="%{HOSTNAME:host}" tty=(\(?%{WORD:tty}\)?)? ppid=(%{NUMBER:ppid})? pid=(%{NUMBER:pid})? exe="(%{UNIXPATH:exe})?" name="(%{UNIXPATH:name})?" user=(%{USERNAME:user})? origuser=(%{USERNAME:origuser})? cwd="(%{UNIXPATH:cwd})?" command=%{QUOTEDSTRING:command}' }
      }
      date {
        match => [ "time", "yyyy-MM-dd HH:mm:ssZ" ]
      }
    }
    output {
      stdout { codec => rubydebug }
      elasticsearch {
        hosts => [ "localhost" ]
      }
    }
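The grok pattern above fixes the audisp-simplify field layout (auditid, time, host, tty, ppid, pid, exe, name, user, origuser, cwd, command). As an added example, not code from the deck or from Blue Infinity, here is the same parse done in Python over constructed sample lines, followed by the two lookups the auditors of slide 2 actually asked for: the process ancestry of an event (who did what, from where) and shells whose effective user differs from the original login user, which is exactly the case slide 3 says sudo logging alone misses. The sample lines, the `SHELLS` set and the helper names are my assumptions.

```python
"""Parse audisp-simplify EXECVE lines and answer "who did what, when, where".

Added example, not the deck's code. EXECVE_RE mirrors the grok pattern of the
deck's Logstash config; the log lines below are constructed to match that
layout and are not real events.
"""
import re
from datetime import datetime

EXECVE_RE = re.compile(
    r'type=EXECVE key=(?:logall)? auditid=(?P<auditid>\d+) '
    r'time="(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4})" '
    r'hostname="(?P<host>[^"]*)" '
    r'tty=(?:\(?(?P<tty>\w+)\)?)? '
    r'ppid=(?P<ppid>\d+)? pid=(?P<pid>\d+)? '
    r'exe="(?P<exe>[^"]*)" name="(?P<name>[^"]*)" '
    r'user=(?P<user>[\w.-]+)? origuser=(?P<origuser>[\w.-]+)? '
    r'cwd="(?P<cwd>[^"]*)" command="(?P<command>(?:[^"\\]|\\.)*)"$'
)

# Assumption: the interpreters we treat as "a shell was started".
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed sample batch (not real data): alice runs an editor via sudo,
# a shell is started from inside it, and an unrelated cron execve follows.
SAMPLE_LINES = [
    'type=EXECVE key=logall auditid=1041 time="2016-10-26 18:02:11+0200" hostname="web01" '
    'tty=pts0 ppid=2210 pid=2315 exe="/usr/bin/sudo" name="sudo" user=alice origuser=alice '
    'cwd="/home/alice" command="sudo vim /etc/hosts"',
    'type=EXECVE key=logall auditid=1042 time="2016-10-26 18:02:11+0200" hostname="web01" '
    'tty=pts0 ppid=2315 pid=2316 exe="/usr/bin/vim" name="vim" user=root origuser=alice '
    'cwd="/home/alice" command="vim /etc/hosts"',
    'type=EXECVE key=logall auditid=1043 time="2016-10-26 18:02:40+0200" hostname="web01" '
    'tty=pts0 ppid=2316 pid=2330 exe="/bin/bash" name="bash" user=root origuser=alice '
    'cwd="/home/alice" command="/bin/bash"',
    'type=EXECVE key=logall auditid=1044 time="2016-10-26 18:03:05+0200" hostname="web01" '
    'tty=(none) ppid=1 pid=2400 exe="/usr/sbin/cron" name="cron" user=root origuser=root '
    'cwd="/" command="/usr/sbin/cron -f"',
]


def parse_execve(line):
    """Return the fields of one EXECVE line as a dict, or None if it does not match."""
    m = EXECVE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Same format the deck's Logstash date filter uses: yyyy-MM-dd HH:mm:ssZ
    ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S%z")
    for f in ("auditid", "ppid", "pid"):
        ev[f] = int(ev[f]) if ev[f] is not None else None
    return ev


def parse_batch(lines):
    """Parse all lines, skipping anything that is not an EXECVE record."""
    return [ev for ev in (parse_execve(ln) for ln in lines) if ev]


def ancestry(events, pid):
    """Walk ppid links inside the batch: process names from pid up to its oldest known ancestor."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


def privileged_shells(events):
    """Shells running as a different user than the one who originally logged in."""
    return [
        {"auditid": ev["auditid"], "host": ev["host"], "when": ev["time"].isoformat(),
         "origuser": ev["origuser"], "user": ev["user"], "cwd": ev["cwd"],
         "chain": ancestry(events, ev["pid"])}
        for ev in events
        if ev["name"] in SHELLS and ev["origuser"] and ev["origuser"] != ev["user"]
    ]


if __name__ == "__main__":
    evs = parse_batch(SAMPLE_LINES)
    for hit in privileged_shells(evs):
        print(hit)
```

With only sudo logging, the batch above would show a single line (`sudo vim /etc/hosts`); with the execve rule every spawn is a record, so the shell started under the editor is both visible and attributable to `alice` through `origuser`, and `ancestry` reconstructs how it got there.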

Page 11: Présentation Clever Audit


Demo: CleverAudit (5 minutes)

Technologies: