DevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
The Linux Audit daemon is responsible for writing audit records to the disk, which you can then access with ausearch and aureport. However, it turned out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original configuration but shipping the records to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
This talk shows you what you can do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we combine Auditd events with security-relevant logs and explore them in Elastic's free SIEM.

  1. Scale Your Auditing Events. Philipp Krenn @xeraa
  2. Security incidents come in three levels: FYI, WTF, and OMG
  3. Learn about a breach: from the press or users
  4. Learn about a breach: attackers asking for a ransom
  5. Learn about a breach: cloud provider's bill
  6. Learn about a breach: yourself, after the fact
  7. Learn about a breach: yourself, and you can prove no harm
  8. No silver bullet
  9. Auditd https://github.com/linux-audit
  10. "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."
  11. Monitor: file and network access; system calls; commands run by a user; security events
  12. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
  13. Demo
  14. Understanding Logs https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
  15. More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules
  16. Actual Rules https://github.com/mtkirby/audisp-simplify
  17. Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/32#issuecomment-395052938
  18. Problem: how to centralize?
  19. Developer
  20. Disclaimer: I build highly monitored Hello World apps
  21. Filebeat Module: Auditd
  22. Demo
  25. https://cloud.elastic.co
  26. Auditbeat
  27. Auditd Module: correlate related events; resolve UIDs to user names; native Elasticsearch integration
  28. Auditd Module: eBPF powers on older kernels; easier configuration; written in Golang
  29. go-libaudit https://github.com/elastic/go-libaudit. go-libaudit is a library for communicating with the Linux Audit Framework
  30. Demo
  31. System Module: simpler syntax for host, process, socket, user. Added in 6.6 — not based on Auditd
  32. Demo
  33. File Integrity Module: inotify (Linux), fsevents (macOS), ReadDirectoryChangesW (Windows)
  34. hash_types: blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
  35. Demo
  36. Running on Kubernetes
  37. Where to run it: DaemonSet
  38. How to run it: https://github.com/elastic/beats/tree/master/deploy/kubernetes/auditbeat
  39. add_docker_metadata, add_kubernetes_metadata
  40. Kubernetes Audit Logs https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
  41. apiVersion: audit.k8s.io/v1
      kind: Policy
      omitStages:
        - "RequestReceived"
      rules:
        - level: RequestResponse
          resources:
            - group: ""
              resources: ["pods"]
        - level: Metadata
          resources:
            - group: ""
              resources: ["pods/log", "pods/status"]
  42. Elastic SIEM
  43. Elastic Common Schema https://github.com/elastic/ecs
  44. ---
      - name: base
        root: true
        title: Base
        group: 1
        short: All fields defined directly at the top level
        description: >
          The `base` field set contains all fields which are on the top level.
          These fields are common across all types of events.
        type: group
        fields:
          - name: "@timestamp"
            type: date
            level: core
            required: true
            example: "2016-05-23T08:05:34.853Z"
            short: Date/time when the event originated.
            description: >
              Date/time when the event originated.
              This is the date/time extracted from the event, typically representing
              when the event was generated by the source.
              If the event source has no original timestamp, this value is typically
              populated by the first time the event was received by the pipeline.
              Required field for all events.
  45. Demo
  46. Scale
  48. ILM: Index Lifecycle Management
  49. Features & Order https://github.com/elastic/elasticsearch/blob/7.4/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ilm/TimeseriesLifecycleType.java
      static final List<String> ORDERED_VALID_HOT_ACTIONS = Arrays.asList(
          SetPriorityAction.NAME, UnfollowAction.NAME, RolloverAction.NAME);
      static final List<String> ORDERED_VALID_WARM_ACTIONS = Arrays.asList(
          SetPriorityAction.NAME, UnfollowAction.NAME, ReadOnlyAction.NAME,
          AllocateAction.NAME, ShrinkAction.NAME, ForceMergeAction.NAME);
      static final List<String> ORDERED_VALID_COLD_ACTIONS = Arrays.asList(
          SetPriorityAction.NAME, UnfollowAction.NAME, AllocateAction.NAME, FreezeAction.NAME);
      static final List<String> ORDERED_VALID_DELETE_ACTIONS = Arrays.asList(DeleteAction.NAME);
  50. Frozen Indices
  51. Elastic Endpoint
  52. Endpoint
  53. PS: Machine Learning aka Anomaly Detection
  54. Conclusion
  55. Topics: Auditd; Auditbeat; Scale, Kubernetes, SIEM, ...
  56. Code https://github.com/xeraa/auditbeat-in-action
  57. Similar Solutions https://github.com/slackhq/go-audit https://github.com/Scribery/aushape
  58. Scale Your Auditing Events. Philipp Krenn @xeraa
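
The "Understanding Logs" slide (14) and the Auditd Module slide (27) describe raw auditd records (SYSCALL, CWD and PATH lines that share one audit serial) and Auditbeat's job of correlating them into one event and resolving UIDs to user names. The Go program below is an added illustration of that correlation, not code from the talk, from Auditbeat or from go-libaudit; it runs over constructed sample records, and the `users` uid-to-name map is a hypothetical stand-in for the passwd lookup a real agent performs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Splits "type=T msg=audit(ts:serial): body" into type, ts, serial and body.
var msgRe = regexp.MustCompile(`^type=(\S+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$`)
// Correlate is a hypothetical helper (not Auditbeat's or go-libaudit's code): it
// merges all records sharing one serial into a single event keyed by that serial
// (as the Auditbeat auditd module does) and resolves uid to user.name via users.
func Correlate(lines []string, users map[string]string) map[string]map[string]string {
	events := map[string]map[string]string{}
	for _, ln := range lines {
		m := msgRe.FindStringSubmatch(ln)
		if m == nil {
			continue // not an audit record, e.g. an unrelated syslog line
		}
		ev := events[m[3]]
		if ev == nil {
			ev = map[string]string{"timestamp": m[2]}
			events[m[3]] = ev
		}
		// Keys become "<type>.<key>"; auditd hex-encodes values with spaces, so whitespace splitting is safe.
		for _, tok := range strings.Fields(m[4]) {
			if k, v, ok := strings.Cut(tok, "="); ok {
				ev[strings.ToLower(m[1])+"."+k] = strings.Trim(v, `"`)
			}
		}
		if name, ok := users[ev["syscall.uid"]]; ok {
			ev["user.name"] = name
		}
	}
	return events
}
// Constructed sample records (not a real capture), laid out like the RHEL guide's.
var sampleLines = []string{
	`type=SYSCALL msg=audit(1589283733.512:1042): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=2148 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="sshd_config"`,
	`type=CWD msg=audit(1589283733.512:1042):  cwd="/home/alice"`,
	`type=PATH msg=audit(1589283733.512:1042): item=0 name="/etc/ssh/sshd_config" inode=409248 mode=0100600 ouid=0 ogid=0`,
	`type=SYSCALL msg=audit(1589283740.001:1043): arch=c000003e syscall=59 success=yes exit=0 pid=2150 auid=1000 uid=0 comm="id" exe="/usr/bin/id" key="exec"`,
}
func main() {
	for serial, ev := range Correlate(sampleLines, map[string]string{"1000": "alice", "0": "root"}) {
		fmt.Println(serial, ev["user.name"], ev["syscall.exe"], ev["path.name"])
	}
}
```

The denied read of sshd_config (serial 1042) ends up as one event carrying the user name, working directory and target path, which is the shape the SIEM dashboards in the talk work from.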
