Clever Audit Presentation

Slides from our CleverAudit presentation at our latest Elastic meetup.

  1. ES as a security auditing tool. Elastic Meetup 20161026 – Blue Infinity.
     Open Source infrastructure specialists in Geneva. Jérôme Steunenberg (co-founder), https://www.meetup.com/fr-FR/Geneve-Open-Source-Meetup/
     Thank you BI! Thank you Elastic Meetup!
  2. Origins: “We want to know everything that happens on our Unix servers” (client request).
     Translation: “Our auditors want us to know who did what, when and where, even for root users.”
  3. Solution 1: lock su and use sudo with logging. Drawbacks: anyone a little bit skilled can sudo into a program and spawn a shell, and from then on they’re invisible.
     Solution 2: use an SSH bastion solution (e.g. Wallix, Balabit) that records sessions. Drawbacks: SPOF, complex, licensing per server.
     Solution 3: use a keylogger. Drawbacks: logs passwords, very difficult to search.
     Solution 4: other tricks exist, such as using the PROMPT_COMMAND environment variable to log all commands. Drawbacks: very easily circumvented.
  4. auditd + beats + logstash + ES + Kibana
  5. Auditd presentation: http://itsitrc.blogspot.ch/2012/12/the-linux-auditing-system-auditd.html
  6. Auditd sample configuration:

         # Delete all previous rules
         -D
         # Set buffer size
         -b 8192
         # Make the configuration immutable -- reboot is required to change audit rules
         -e 2
         # Audit all changes to local time
         -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
         -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
         -a always,exit -F arch=b64 -S clock_settime -k time-change
         -a always,exit -F arch=b32 -S clock_settime -k time-change
         -w /etc/localtime -p wa -k time-change
         # Audit all changes to identity files
         -w /etc/group -p wa -k identity
         -w /etc/passwd -p wa -k identity
         -w /etc/gshadow -p wa -k identity
         -w /etc/shadow -p wa -k identity
         -w /etc/security/opasswd -p wa -k identity
         ...

  7. Log all process spawns:

         # Log all processes (every execve, on both 64-bit and 32-bit syscall ABIs)
         -a exit,always -F arch=b64 -S execve -k logall
         -a exit,always -F arch=b32 -S execve -k logall

  8. (no text on this slide)
  9. Filebeat configuration, shipping the audisp-simplify output to Logstash:

         # /etc/filebeat/filebeat.yml
         filebeat:
           prospectors:
             - paths:
                 - /var/log/audisp-simplify
               input_type: log
               scan_frequency: 1s
           registry_file: /var/lib/filebeat/registry
         output:
           logstash:
             hosts: ["localhost:5044"]
         shipper:
         logging:
           files:
             path: /var/log
             name: filebeat
             rotateeverybytes: 10485760 # = 10MB
             keepfiles: 7
           level: info

  10. Logstash pipeline, parsing the simplified EXECVE records and indexing them into Elasticsearch:

         # /etc/logstash/conf.d/beats.conf
         input {
           beats {
             port => 5044
             ssl => false
           }
         }
         filter {
           grok {
             # One audisp-simplify EXECVE line per event; most fields are optional.
             # The tty sub-pattern was garbled in the slide and is written here as a plain optional WORD.
             match => { "message" => 'type=EXECVE key=(logall)? auditid=%{NUMBER:auditid} time="%{TIMESTAMP_ISO8601:time}" hostname="%{HOSTNAME:host}" tty=(%{WORD:tty})? ppid=(%{NUMBER:ppid})? pid=(%{NUMBER:pid})? exe="(%{UNIXPATH:exe})?" name="(%{UNIXPATH:name})?" user=(%{USERNAME:user})? origuser=(%{USERNAME:origuser})? cwd="(%{UNIXPATH:cwd})?" command=%{QUOTEDSTRING:command}' }
           }
           date {
             # Use the audit record's own timestamp as the event time
             match => [ "time", "yyyy-MM-dd HH:mm:ssZ" ]
           }
         }
         output {
           stdout { codec => rubydebug }
           elasticsearch { hosts => [ "localhost" ] }
         }

  11. CleverAudit demo (5 minutes). Technologies:
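As an added example (not code from the slides or from CleverAudit), here is a Python parser for the audisp-simplify EXECVE line format that the grok pattern on slide 10 describes, together with the check slide 3 motivates: a shell executed as root on behalf of a non-root `origuser`, which sudo's own log misses once the user has spawned a shell from a sudo'd program. The field order, the `SHELLS` set and the sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Regex mirroring the grok pattern on the logstash slide. Assumption: audisp-simplify
# writes one EXECVE record per line with the fields in exactly this order.
EXECVE_RE = re.compile(
    r'type=EXECVE key=(?P<key>\S+)? auditid=(?P<auditid>\d+) '
    r'time="(?P<time>[^"]+)" hostname="(?P<host>[^"]+)" '
    r'tty=(?P<tty>\S+)? ppid=(?P<ppid>\d+)? pid=(?P<pid>\d+)? '
    r'exe="(?P<exe>[^"]*)" name="(?P<name>[^"]*)" '
    r'user=(?P<user>\S+)? origuser=(?P<origuser>\S+)? '
    r'cwd="(?P<cwd>[^"]*)" command="(?P<command>.*)"$')

# Interpreters whose execution as root is the "sudo into a program, spawn a shell" case.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}

# Constructed sample records (not real audit output): a sudo'd editor, a shell spawned
# from that editor as root, root's own login shell, and an unprivileged user's shell.
SAMPLE_LINES = [
    'type=EXECVE key=logall auditid=1001 time="2016-10-26 19:05:11+0200" hostname="srv01" tty=pts0 '
    'ppid=2201 pid=2345 exe="/usr/bin/vim" name="/usr/bin/vim" user=root origuser=jsmith cwd="/home/jsmith" command="vim /etc/hosts"',
    'type=EXECVE key=logall auditid=1002 time="2016-10-26 19:05:40+0200" hostname="srv01" tty=pts0 '
    'ppid=2345 pid=2350 exe="/bin/bash" name="/bin/bash" user=root origuser=jsmith cwd="/home/jsmith" command="bash"',
    'type=EXECVE key=logall auditid=1003 time="2016-10-26 19:06:02+0200" hostname="srv01" tty= '
    'ppid=1 pid=2400 exe="/bin/bash" name="/bin/bash" user=root origuser=root cwd="/root" command="-bash"',
    'type=EXECVE key=logall auditid=1004 time="2016-10-26 19:06:30+0200" hostname="srv01" tty=pts1 '
    'ppid=2500 pid=2501 exe="/bin/bash" name="/bin/bash" user=jsmith origuser=jsmith cwd="/home/jsmith" command="bash"',
]

def parse_line(line):
    """Parse one audisp-simplify EXECVE line into a dict, or None if it does not match."""
    m = EXECVE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Same timestamp layout the logstash date filter expects: yyyy-MM-dd HH:mm:ssZ
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S%z")
    return rec

def flag_privileged_shells(lines):
    """Return records where a shell ran as root on behalf of a non-root origuser.
    sudo's own log shows the sudo'd program (vim) but not the shell it spawns; with
    execve auditing both appear, and origuser attributes the shell back to the human."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["exe"] in SHELLS and rec["user"] == "root" and rec["origuser"] not in (None, "root"):
            hits.append(rec)
    return hits
```

The flagged record keeps `ppid`, so in Kibana it can be joined back to the sudo'd `vim` process that spawned the shell.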