
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events

The Linux Audit daemon (auditd) is responsible for writing audit records to disk, which you can then query with ausearch and aureport. However, parsing and centralizing these records turns out to be harder than you would hope. Elastic's Auditbeat addresses this: it keeps your existing auditd rule configuration but ships the events to a centralized location where you can easily visualize them. You can also use Auditbeat to detect changes to critical files, such as binaries and configuration files, and identify potential security policy violations.
This talk shows what you can do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we combine auditd events with security-relevant logs and explore them in Elastic's free SIEM.



  1. Scale Your Auditing Events. Philipp Krenn, @xeraa
  2. Security incidents come in three levels: FYI, WTF, and OMG
  3. Learn about a breach: from the press or users
  4. Learn about a breach: attackers asking for a ransom
  5. Learn about a breach: cloud provider's bill
  6. Learn about a breach: yourself, after the fact
  7. Learn about a breach: yourself, and you can prove no harm
  8. No silver bullet
  9. auditd https://github.com/linux-audit
  10. "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."
  11. Monitor: file and network access, system calls, commands run by a user, security events
  12. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
  13. Demo
  14. Understanding Logs https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
  15. More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules
  16. Actual Rules https://github.com/mtkirby/audisp-simplify
  17. Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/32#issuecomment-395052938
  18. Problem: how to centralize?
  19. Developer
  20. Disclaimer: I build highly monitored Hello World apps
  21. Filebeat Module: Auditd
  22. Demo
  25. https://cloud.elastic.co
  26. Auditbeat
  27. Auditd Module: correlate related events, resolve UIDs to user names, native Elasticsearch integration
  28. Auditd Module: eBPF powers on older kernels, easier configuration, written in Golang
  29. go-libaudit https://github.com/elastic/go-libaudit ("go-libaudit is a library for communicating with the Linux Audit Framework")
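The two module features above (correlating related records, resolving UIDs) are exactly the parts that make raw audit.log hard to work with by hand, as the Understanding Logs slide shows. The following Python is an added example, not code from the talk, from auditd or from Auditbeat/go-libaudit: it groups the raw records that share one audit serial number into a single event, hex-decodes fields such as proctitle, and maps uid and auid to names. The sample records, the PASSWD mapping (a stand-in for pwd.getpwuid) and the partial x86_64 syscall table are constructed for the example.

```python
"""Correlate raw auditd records into events and resolve UIDs.

Added example, not code from the talk, auditd, or Auditbeat. The sample
records, the PASSWD mapping and the partial syscall table are constructed.
"""
import re

# Two constructed events (serials 4711 and 4712) in raw audit.log format,
# deliberately interleaved the way records can arrive at a central collector.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1583000000.123:4711): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd3a1c5592 a1=0 a2=1fff a3=0 items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=SYSCALL msg=audit(1583000000.456:4712): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1b2c0010 a2=241 a3=1b6 items=1 ppid=1 pid=4001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1583000000.123:4711): cwd="/home/alice"
type=PATH msg=audit(1583000000.123:4711): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1583000000.123:4711): proctitle=636174002F6574632F7373682F737368645F636F6E666967
type=CWD msg=audit(1583000000.456:4712): cwd="/root"
type=PATH msg=audit(1583000000.456:4712): item=0 name="/etc/passwd" inode=1337 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1583000000.456:4712): proctitle=76696D002F6574632F706173737764
"""

# "type=X msg=audit(<seconds>.<millis>:<serial>): <key=value ...>"
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# Values are either double-quoted or a bare token; auditd hex-encodes a value
# instead of quoting it when it contains spaces or control characters.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
HEX_ENCODED_FIELDS = {"proctitle", "name", "cwd", "comm", "exe", "key"}
HEX = re.compile(r"[0-9A-Fa-f]+")

PASSWD = {0: "root", 1000: "alice"}                         # constructed stand-in for pwd.getpwuid()
SYSCALLS_X86_64 = {2: "open", 59: "execve", 257: "openat"}  # partial; `ausyscall --dump` has the real table


def decode_value(field, raw):
    """Strip quotes, or hex-decode the fields auditd is allowed to hex-encode."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and HEX.fullmatch(raw):
        # proctitle separates argv entries with NUL bytes
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw


def parse_record(line):
    m = HEADER.match(line)
    if not m:
        return None  # not an audit record (blank or truncated line)
    fields = {k: decode_value(k, v) for k, v in FIELD.findall(m.group("body"))}
    return {"type": m.group("type"), "timestamp": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def correlate(lines):
    """Group records by serial: one event spans SYSCALL, CWD, PATH, PROCTITLE, ..."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"],
                                               "timestamp": rec["timestamp"], "records": {}})
        ev["records"].setdefault(rec["type"], []).append(rec["fields"])
    return [events[s] for s in sorted(events)]


def summarize(event, passwd=PASSWD):
    """Flatten one correlated event into the fields an analyst looks at first."""
    sc = event["records"].get("SYSCALL", [{}])[0]

    def user(field):
        uid = sc.get(field)
        return None if uid is None else passwd.get(int(uid), uid)

    syscall = sc.get("syscall")
    return {
        "serial": event["serial"],
        "timestamp": event["timestamp"],
        "syscall": SYSCALLS_X86_64.get(int(syscall), syscall) if syscall else None,
        "success": sc.get("success") == "yes",
        "user": user("uid"),         # effective identity of the process
        "login_user": user("auid"),  # who logged in; survives su/sudo, so root actions stay attributable
        "exe": sc.get("exe"),
        "paths": [p.get("name") for p in event["records"].get("PATH", [])],
        "key": sc.get("key"),        # the auditctl -k rule that fired
        "proctitle": event["records"].get("PROCTITLE", [{}])[0].get("proctitle"),
    }


def process_log(text, passwd=PASSWD):
    return [summarize(ev, passwd) for ev in correlate(text.splitlines())]


if __name__ == "__main__":
    for summary in process_log(SAMPLE_LOG):
        print(summary)
```

The second event is the interesting one for a SIEM: uid resolves to root, but auid still resolves to alice, which is why the login UID should be kept next to the effective UID rather than dropped during normalization.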
  30. Demo
  31. System Module: simpler syntax for host, process, socket, user. Added in 6.6; not based on Auditd
  32. Demo
  33. File Integrity Module: inotify (Linux), fsevents (macOS), ReadDirectoryChangesW (Windows)
  34. hash_types: blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
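The File Integrity Module slides list the change-notification mechanism per OS and the hash_types it can compute. The Python below is an added example, not code from the talk or from Auditbeat: instead of subscribing to inotify/fsevents, it takes two snapshots of a directory (mode, size and hashes for the configured hash_types) and diffs them, which is enough to show what the module records and how it tells a content change from a metadata-only change. The /etc-like tree is constructed in a temporary directory; the mapping of hash_types names onto hashlib is the author's own (xxh64 is not in hashlib and is left out).

```python
"""Baseline-and-diff file integrity check, in the spirit of Auditbeat's
file_integrity module.

Added example, not code from the talk or from Auditbeat. The directory tree
it checks is constructed in a temp dir; the hash_types -> hashlib mapping is
an assumption of this example.
"""
import hashlib
import tempfile
from pathlib import Path


def hasher(hash_type):
    """Map an Auditbeat hash_types name onto a hashlib object.

    blake2b_<bits> is BLAKE2b with a truncated digest; xxh64 is not in
    hashlib and is therefore not supported here.
    """
    if hash_type.startswith("blake2b_"):
        return hashlib.blake2b(digest_size=int(hash_type.split("_", 1)[1]) // 8)
    return hashlib.new(hash_type)  # md5, sha1, sha2*, sha3_*, ...


def digest_file(path, hash_types=("sha256", "blake2b_256"), chunk_size=1 << 16):
    """Read the file once while feeding every requested algorithm."""
    hashes = {name: hasher(name) for name in hash_types}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def snapshot(root, hash_types=("sha256", "blake2b_256")):
    """Record mode, size and hashes for every regular file under root."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            state[path.relative_to(root).as_posix()] = {
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
                "hash": digest_file(path, hash_types),
            }
    return state


def diff(before, after):
    """Classify changes with the event.action values Auditbeat uses."""
    events = []
    for path in sorted(before.keys() | after.keys()):
        if path not in before:
            events.append(("created", path))
        elif path not in after:
            events.append(("deleted", path))
        elif before[path] != after[path]:
            same_content = before[path]["hash"] == after[path]["hash"]
            events.append(("attributes_modified" if same_content else "updated", path))
    return events


def demo():
    """Baseline a constructed /etc, tamper with it, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "passwd").chmod(0o644)
        baseline = snapshot(root)

        (etc / "sshd_config").write_text("PermitRootLogin yes\n")  # content changed
        (etc / "passwd").chmod(0o600)                              # metadata only
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")       # new file
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for action, path in demo():
        print(f"{action:20} {path}")
```

Hashing the file once per snapshot while updating all configured algorithms is what keeps multiple hash_types cheap; a real agent also needs to handle files that change while being read, which a snapshot diff cannot see.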
  35. Demo
  36. Running on Kubernetes
  37. Where to run it: DaemonSet
  38. How to run it https://github.com/elastic/beats/tree/master/deploy/kubernetes/auditbeat
  39. add_docker_metadata, add_kubernetes_metadata
  40. Kubernetes Audit Logs https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
  41. apiVersion: audit.k8s.io/v1
      kind: Policy
      omitStages:
        - "RequestReceived"
      rules:
        - level: RequestResponse
          resources:
            - group: ""
              resources: ["pods"]
        - level: Metadata
          resources:
            - group: ""
              resources: ["pods/log", "pods/status"]
  42. Elastic SIEM
  43. Elastic Common Schema https://github.com/elastic/ecs
  44. ---
      - name: base
        root: true
        title: Base
        group: 1
        short: All fields defined directly at the top level
        description: >
          The `base` field set contains all fields which are on the top level. These fields are common across all types of events.
        type: group
        fields:
          - name: "@timestamp"
            type: date
            level: core
            required: true
            example: "2016-05-23T08:05:34.853Z"
            short: Date/time when the event originated.
            description: >
              Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
  45. Demo
  46. Scale
  48. ILM: Index Lifecycle Management
  49. Features & Order https://github.com/elastic/elasticsearch/blob/7.4/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ilm/TimeseriesLifecycleType.java
      static final List<String> ORDERED_VALID_HOT_ACTIONS = Arrays.asList(
          SetPriorityAction.NAME, UnfollowAction.NAME, RolloverAction.NAME);
      static final List<String> ORDERED_VALID_WARM_ACTIONS = Arrays.asList(
          SetPriorityAction.NAME, UnfollowAction.NAME, ReadOnlyAction.NAME,
          AllocateAction.NAME, ShrinkAction.NAME, ForceMergeAction.NAME);
      static final List<String> ORDERED_VALID_COLD_ACTIONS = Arrays.asList(
          SetPriorityAction.NAME, UnfollowAction.NAME, AllocateAction.NAME, FreezeAction.NAME);
      static final List<String> ORDERED_VALID_DELETE_ACTIONS = Arrays.asList(
          DeleteAction.NAME);
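The point of the Features & Order slide is that each ILM phase accepts only certain actions and runs them in a fixed order, regardless of how the policy JSON lists them. The Python below is an added example, not code from the talk or from Elasticsearch: it transcribes the 7.4 action lists from the TimeseriesLifecycleType.java linked above into tables, then checks two constructed policies (one shaped for a steady stream of audit events, one with mistakes) and prints the order in which ILM would execute each phase's actions. The required-parameter checks for shrink and forcemerge reflect 7.4; later releases accept more actions per phase (for example forcemerge in hot), so the tables must be adjusted to your version.

```python
"""Check an ILM policy against the per-phase action lists from the slide.

Added example, not code from the talk or from Elasticsearch. Action names
and order are transcribed from TimeseriesLifecycleType.java on the 7.4
branch; the two policies are constructed for the example.
"""

# ILM runs the actions of a phase in this fixed order, whatever order the
# policy JSON lists them in.
ORDERED_VALID_ACTIONS = {
    "hot": ["set_priority", "unfollow", "rollover"],
    "warm": ["set_priority", "unfollow", "readonly", "allocate", "shrink", "forcemerge"],
    "cold": ["set_priority", "unfollow", "allocate", "freeze"],
    "delete": ["delete"],
}
PHASE_ORDER = ["hot", "warm", "cold", "delete"]
# Parameters that 7.4 requires for these actions.
REQUIRED_PARAMS = {"shrink": "number_of_shards", "forcemerge": "max_num_segments"}

# A policy for a steady stream of audit events: roll over daily or at 50 GB,
# shrink and force-merge after a week, freeze after a month, delete after a year.
# Note the warm actions are listed out of execution order on purpose.
AUDIT_POLICY = {"policy": {"phases": {
    "hot": {"actions": {"rollover": {"max_size": "50gb", "max_age": "1d"},
                        "set_priority": {"priority": 100}}},
    "warm": {"min_age": "7d", "actions": {"shrink": {"number_of_shards": 1},
                                          "forcemerge": {"max_num_segments": 1},
                                          "set_priority": {"priority": 50}}},
    "cold": {"min_age": "30d", "actions": {"freeze": {}, "set_priority": {"priority": 0}}},
    "delete": {"min_age": "365d", "actions": {"delete": {}}},
}}}

# The same idea with mistakes that 7.4 rejects when the policy is PUT.
BROKEN_POLICY = {"policy": {"phases": {
    "hot": {"actions": {"rollover": {"max_age": "1d"}, "forcemerge": {"max_num_segments": 1}}},
    "warm": {"min_age": "7d", "actions": {"freeze": {}, "shrink": {}}},
    "delete": {"min_age": "365d", "actions": {"delete": {}}},
}}}


def validate_policy(policy):
    """Return (problems, plan); plan lists each phase's actions in execution order."""
    problems, plan = [], []
    phases = policy.get("policy", {}).get("phases", {})
    for phase in phases:
        if phase not in ORDERED_VALID_ACTIONS:
            problems.append(f"unknown phase {phase!r}")
    for phase in PHASE_ORDER:
        if phase not in phases:
            continue
        allowed = ORDERED_VALID_ACTIONS[phase]
        actions = phases[phase].get("actions", {})
        for name, params in actions.items():
            if name not in allowed:
                problems.append(f"{phase}: action {name!r} is not valid in this phase")
            elif name in REQUIRED_PARAMS and REQUIRED_PARAMS[name] not in params:
                problems.append(f"{phase}: action {name!r} requires {REQUIRED_PARAMS[name]!r}")
        # Execution order comes from the allowed list, not from the JSON.
        plan.append((phase, [a for a in allowed if a in actions]))
    return problems, plan


if __name__ == "__main__":
    for label, policy in (("audit", AUDIT_POLICY), ("broken", BROKEN_POLICY)):
        problems, plan = validate_policy(policy)
        print(label, "->", "OK" if not problems else problems)
        for phase, actions in plan:
            print(f"  {phase}: {' -> '.join(actions) or '(no valid actions)'}")
```

For audit data the delete phase is the one to think about hardest: retention is usually dictated by policy, and a frozen cold phase is how the talk keeps a year of events searchable without paying hot-node prices for it.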
  50. Frozen Indices
  51. Elastic Endpoint
  52. Endpoint
  53. PS: Machine Learning aka Anomaly Detection
  54. Conclusion
  55. Topics: Auditd, Auditbeat, Scale, Kubernetes, SIEM, ...
  56. Code https://github.com/xeraa/auditbeat-in-action
  57. Similar Solutions: https://github.com/slackhq/go-audit https://github.com/Scribery/aushape
  58. Scale Your Auditing Events. Philipp Krenn, @xeraa
