ES as a security auditing tool – Elastic Meetup 20161026 – Blue Infinity
Open Source infrastructure specialists in Geneva
Jérôme Steunenberg (co-founder)
https://www.meetup.com/fr-FR/Geneve-Open-Source-Meetup/
Thank you BI!
Thank you Elastic Meetup!
Origins: “We want to know everything that happens on our Unix servers” (client request)
Translation: “Our auditors want us to know who did what, when and where, even for root users”
Solution 1: lock su and use sudo with logging. Drawbacks: anyone with a little skill can sudo into a program and spawn a shell from it; from then on they are invisible to the log.
Solution 2: use an SSH bastion solution (e.g. Wallix, Balabit) that records sessions. Drawbacks: SPOF, complex, licensing per server.
Solution 3: use a keylogger. Drawbacks: logs passwords, very difficult to search.
Solution 4: other tricks exist, such as using the PROMPT_COMMAND environment variable to log all commands. Drawbacks: very easily circumvented.
auditd + beats + logstash + ES + Kibana
Auditd presentation
http://itsitrc.blogspot.ch/2012/12/the-linux-auditing-system-auditd.html
# Delete all previous rules
-D
# Set buffer size
-b 8192
# Audit all changes to local time
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
# Audit all changes to identity files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
...
# Make the configuration immutable -- reboot is required to change audit rules.
# This must be the last line of the file: once the lock is set, auditctl rejects any further rule.
-e 2
Auditd sample configuration
# Log all processes
-a exit,always -F arch=b64 -S execve -k logall
-a exit,always -F arch=b32 -S execve -k logall
Log all process spawns
# /etc/filebeat/filebeat.yml
filebeat:
  prospectors:
    - paths:
        - /var/log/audisp-simplify
      input_type: log
      scan_frequency: 1s
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["localhost:5044"]
shipper:
logging:
  files:
    path: /var/log
    name: filebeat
    rotateeverybytes: 10485760 # = 10MB
    keepfiles: 7
  level: info
# /etc/logstash/conf.d/beats.conf
input {
  beats {
    port => 5044
    ssl => false
  }
}
filter {
  grok {
    match => { "message" => 'type=EXECVE key=(logall)? auditid=%{NUMBER:auditid} time="%{TIMESTAMP_ISO8601:time}" hostname="%{HOSTNAME:host}" tty=(\(?%{WORD:tty}\)?)? ppid=(%{NUMBER:ppid})? pid=(%{NUMBER:pid})? exe="(%{UNIXPATH:exe})?" name="(%{UNIXPATH:name})?" user=(%{USERNAME:user})? origuser=(%{USERNAME:origuser})? cwd="(%{UNIXPATH:cwd})?" command=%{QUOTEDSTRING:command}' }
  }
  date {
    match => [ "time", "yyyy-MM-dd HH:mm:ssZ" ]
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => [ "localhost" ]
  }
}
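The grok and date filters above can be checked offline before they go into Logstash. The following is an added example (not part of the slides or the CleverAudit tooling): a Python equivalent of the EXECVE pattern and the date layout, run over constructed audisp-simplify lines, plus a query for the drawback of Solution 1, a shell spawned as root from inside a sudo'ed program, which the origuser field (assumed here to carry the audit login uid) makes visible. The grok macros are replaced by plain regex approximations, the sample lines, host and user names are constructed, and the SHELLS list is an assumption.

```python
import re
from datetime import datetime

# Python equivalent of the slide's grok pattern for audisp-simplify EXECVE lines; the grok macros
# (NUMBER, UNIXPATH, QUOTEDSTRING, ...) are replaced by plain regex approximations (an assumption).
EXECVE_RE = re.compile(
    r'type=EXECVE key=(?:logall)? auditid=(?P<auditid>\d+) '
    r'time="(?P<time>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:?\d{2}|Z)?)" '
    r'hostname="(?P<host>[\w.-]+)" tty=(?:\(?(?P<tty>\w+)\)?)? '
    r'ppid=(?P<ppid>\d+)? pid=(?P<pid>\d+)? exe="(?P<exe>[^"]*)" name="(?P<name>[^"]*)" '
    r'user=(?P<user>[\w.-]+)? origuser=(?P<origuser>[\w.-]+)? cwd="(?P<cwd>[^"]*)" '
    r'command="(?P<command>(?:\\.|[^\\"])*)"'
)

# Constructed sample lines in the format the grok pattern expects: alice runs "sudo vi",
# then spawns a shell from inside the root-owned editor; the last line is a root cron-style job.
SAMPLE_LINES = [
    'type=EXECVE key=logall auditid=1234 time="2016-10-26 19:03:22+0200" hostname="web01" tty=pts0 ppid=2101 '
    'pid=2188 exe="/usr/bin/sudo" name="/usr/bin/sudo" user=alice origuser=alice cwd="/home/alice" command="sudo vi /etc/hosts"',
    'type=EXECVE key=logall auditid=1235 time="2016-10-26 19:03:30+0200" hostname="web01" tty=pts0 ppid=2188 '
    'pid=2190 exe="/usr/bin/vi" name="/usr/bin/vi" user=root origuser=alice cwd="/home/alice" command="vi /etc/hosts"',
    'type=EXECVE key=logall auditid=1236 time="2016-10-26 19:03:41+0200" hostname="web01" tty=pts0 ppid=2190 '
    'pid=2203 exe="/bin/bash" name="/bin/bash" user=root origuser=alice cwd="/home/alice" command="/bin/bash"',
    'type=EXECVE key=logall auditid=1237 time="2016-10-26 19:05:00+0200" hostname="web01" tty=(none) ppid=1 '
    'pid=2250 exe="/bin/sh" name="/bin/sh" user=root origuser=root cwd="/" command="/bin/sh -c /usr/lib/backup.sh"',
]

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}  # assumption

def parse_execve(line):
    """Fields of one EXECVE line as a dict, or None when it does not match (a grok failure)."""
    m = EXECVE_RE.search(line)
    return m.groupdict() if m else None

def event_time(event):
    """What the slide's date filter does: parse time= with the yyyy-MM-dd HH:mm:ssZ layout."""
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S%z")

def privileged_shells(lines):
    """Shells run as root for a non-root origuser, each paired with the parent command that spawned it."""
    events = [ev for ev in map(parse_execve, lines) if ev is not None]
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if ev["user"] == "root" and ev["origuser"] not in (None, "root") and ev["exe"] in SHELLS:
            parent = by_pid.get(ev["ppid"])
            hits.append({"auditid": ev["auditid"], "origuser": ev["origuser"], "when": event_time(ev).isoformat(),
                         "command": ev["command"], "parent_command": parent["command"] if parent else None})
    return hits
```

On the sample lines only the bash spawned from the root-owned vi is reported, attributed to alice via origuser; the root cron-style shell is not, because its origuser is root.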
Demo: CleverAudit (5 minutes)
Technologies: