Security log collection, starting with OSS (OSSで始めるセキュリティログ収集) / oss-securitylog-builderscon2017
bungoume
August 05, 2017
Technology
An introduction to osquery
https://builderscon.io/tokyo/2017/session/ce1bf3ee-33bd-4899-897d-ba3c4364c1c5
Transcript
1 Security log collection, starting with OSS. Yuri Umezaki, builderscon tokyo 2017
2 About me: Yuri Umezaki (梅崎 裕利). DevOps: log analysis, search API, infrastructure management. Python, Elasticsearch, Docker.
3 Quick survey: which is closest to your job? Developer; operations / infrastructure administrator; security engineer.
4 Security threats: tampering, data leakage, ransomware, etc. Internal misconduct (and operator mistakes). Firewall, IDS/IPS/WAF, servers (confidential data).
Vulnerabilities and so on. External attacks. Threats lurk both outside and inside.
5 Categories of security countermeasures. They are generally divided into four: deterrence (make the attacker think twice); prevention (access control, etc.); detection (detect misconduct and record the clues needed for recovery); recovery (restore the state from before the incident). Most measures are the defensive ones, deterrence and prevention.
6 How intrusions get noticed: someone inside the company notices something suspicious; a well-meaning white-hat hacker outside the organization gets in touch; a user inquiry reveals it; the attacker tells you themselves. ← Many are first pointed out from outside.* * FireEye
M-Trends 2017: annual trends in security breaches and cyber attacks https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html
7 Detecting external attacks: detect suspicious traffic from access logs and IDS; detect with host-based security. The space between the outside and the server is protected to some degree, but in the end detection has to happen on the host (the server itself). At minimum, you want log collection on the server.
8 Detecting internal misconduct: who logs in to the server, and when; what they do on the server (operation log). The authentication logs of system administrators matter most. First, collect authentication and operation logs on the server.
9 How to capture an operation log? bash history, the script command, psacct, audit. The first two are easy to stop recording or to rewrite; psacct cannot show arguments and limits command names; audit looks good as an audit log.
10 audit log
# systemctl start auditd
# auditctl -a always,exit -F arch=b64 -S execve
Just running ls produces several log lines, and they are hard to parse… /var/log/audit/audit.log
11 I want to put the audit log to use. As far as I know, these parsers look convenient: go-audit, Slack's tool that parses auditlog nicely; Elastic Beats: Filebeat 5.4 (2017/5/4) added an auditlog parser!; osquery ← the one covered in this talk.
12 osquery: Facebook's tool for checking the state of a machine. osqueryi: check running processes, login status and so on with SQL. osqueryd: run queries on a schedule and emit logs, usable for monitoring. Available not only on Linux but also on Windows and macOS. Note: some tables cannot be collected depending on the OS; audit events are Ubuntu and CentOS only.
13 osquery: as of 2017/8/3, 9501 stars on GitHub; listed 10th in Linux Security Tools (Top 100)* * https://linuxsecurity.expert/security-tools/top-100/
14 Linux Security Tools (Top 100) * https://linuxsecurity.expert/security-tools/top-100/
15 Exercise: osquery on mac $ brew install osquery
16 Exercise: osquery on mac. You can see everything down to Chrome extensions.
17 osqueryd on Linux: vim /etc/osquery/osquery.conf. Run osquery periodically and write the results to a log. service osqueryd restart
18 osqueryd's log: results are written as JSON to /var/log/osquery/osqueryd.results.log
19 audit events: to record the history of communication with the outside, use socket_events. vim /etc/osquery/osquery.conf
20 audit events: write the following in /etc/osquery/osquery.flags; required when collecting socket_events (note: enabling this option increases CPU usage).
21 process_events log: the log produced by running ls
22 socket_events log
23 File integrity monitoring: monitor create/modify/delete per file path. vim /etc/osquery/osquery.conf
24 File integrity monitoring log. Could this replace AIDE, OSSEC, Tripwire and the like? The log after echo "message" >> /etc/test
25 osquery collects all kinds of things! I picked it to collect authentication and operation logs, but it looks capable enough as a host-based IDS. Thorough documentation. Easy to use for people not used to the command line (maybe). Runs on a schedule. Results are emitted as JSON, so they are easy to work with (important).
26 How osqueryd works (roughly): internally it uses RocksDB, a key-value data store https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/ When osqueryd runs a scheduled query, it checks whether the previous result is stored in RocksDB. If there is no data: output every row and store the result. If a previous result is in the DB: compare the two data sets and output the difference.
27 How osqueryd works (roughly): if something is changed and put back between two periodic checks, won't it go unreported? For file integrity monitoring, it is event-based monitoring, so the change is retained (file monitoring uses inotify and FSEvents).
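The differential logging described on slides 26 and 27, modelled as an added example (this is not code from the talk or from osquery): RocksDB is replaced by an in-memory dict, and the row hashing used to compare result sets is an assumption, not osquery's internal key format. The second function shows why a change that is reverted between two polls is invisible to a snapshot query but still surfaces through an event table.

```python
import hashlib
import json


def row_key(row):
    """Stable identity for a row so two result sets compare as sets, not ordered lists."""
    return hashlib.sha1(json.dumps(row, sort_keys=True).encode()).hexdigest()


class ResultStore:
    """Stand-in for the RocksDB store: the last result set of each scheduled query."""

    def __init__(self):
        self._db = {}

    def get(self, name):
        return self._db.get(name)

    def put(self, name, rows):
        self._db[name] = {row_key(r): r for r in rows}


def run_scheduled_query(store, name, rows):
    """One scheduled run: no stored result -> emit every row; otherwise emit only the diff."""
    previous = store.get(name)
    current = {row_key(r): r for r in rows}
    if previous is None:
        added, removed = list(current.values()), []
    else:
        added = [r for k, r in current.items() if k not in previous]
        removed = [r for k, r in previous.items() if k not in current]
    store.put(name, rows)
    return {"added": added, "removed": removed}


def simulate_logins():
    """Four polls of a snapshot table (logged_in_users); users and addresses are constructed."""
    store = ResultStore()
    alice = {"user": "alice", "tty": "pts/0", "host": "203.0.113.5"}
    bob = {"user": "bob", "tty": "pts/1", "host": "198.51.100.7"}
    return [
        run_scheduled_query(store, "logged_in_users", [alice]),       # first run: every row
        run_scheduled_query(store, "logged_in_users", [alice]),       # nothing changed
        run_scheduled_query(store, "logged_in_users", [alice, bob]),  # bob logged in
        run_scheduled_query(store, "logged_in_users", [bob]),         # alice logged out
    ]


def simulate_change_and_revert():
    """A file modified and restored between polls: invisible to a hash snapshot,
    visible to an event table that buffers every change until it is read."""
    store = ResultStore()
    clean = {"path": "/etc/test", "sha256": "aaaa"}
    run_scheduled_query(store, "hash_etc_test", [clean])
    # ... between the polls the file changed to "bbbb" and was reverted to "aaaa" ...
    snapshot_diff = run_scheduled_query(store, "hash_etc_test", [clean])

    # file_events rows carry the time of each change, so no two of them collapse into one
    pending_events = [
        {"target_path": "/etc/test", "action": "UPDATED", "sha256": "bbbb", "time": "1501902010"},
        {"target_path": "/etc/test", "action": "UPDATED", "sha256": "aaaa", "time": "1501902020"},
    ]
    event_diff = run_scheduled_query(store, "file_events", pending_events)
    return snapshot_diff, event_diff


if __name__ == "__main__":
    for i, diff in enumerate(simulate_logins(), 1):
        print(f"poll {i}: {json.dumps(diff)}")
    snap, ev = simulate_change_and_revert()
    print("snapshot query saw:", json.dumps(snap))
    print("event table saw:", json.dumps(ev))
```

The login polls reproduce the "added"/"removed" rows you see in osqueryd.results.log; the second function is the answer to the slide 27 question: choose an event table (file_events, process_events, socket_events) for anything where a transient change matters.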
28 What to monitor (examples): authentication log (login events); operation log; network log; hardware connection log.
29 What to monitor (continued): Chrome and Firefox plugins, since cases of malware getting into extensions have been in the news lately; the list of homebrew packages and libraries, since malware with names resembling well-known packages turns up on npm. "HTTP Headers", a Chrome extension used by 50,000 people, suspected of being malware http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware Large numbers of malicious packages with names closely resembling well-known software found on npmjs.com http://gfx.hatenablog.com/entry/2017/08/02/131537
30 Packs: osquery comes with ready-made query packs: osquery_monitoring, it_compliance, incident_response, osx-attacks, vuln-management, hardware-monitoring.
31 osquery.conf example: start with the packs plus the parts you need.
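The osquery.conf and osquery.flags pair from slides 17 to 31, written as an added example rather than the talk's own configuration. It schedules the four log types the talk collects (logins, commands, connections, file changes), references packs and checks the two files against each other, because a socket_events query without the matching audit flag simply returns nothing and nobody notices. PACK_DIR, the intervals and the file_paths categories are assumptions to adjust to your install.

```python
import json

# Assumption: where the bundled packs live on this install.
PACK_DIR = "/usr/share/osquery/packs"

SCHEDULE = {
    "logged_in_users": {  # authentication log: who is logged in, from where
        "query": "SELECT user, host, tty, time FROM logged_in_users;",
        "interval": 60,
    },
    "process_events": {  # operation log: every execve seen through the audit subsystem
        "query": "SELECT pid, path, cmdline, uid, time FROM process_events;",
        "interval": 60,
    },
    "socket_events": {  # network log: connect/bind calls seen through audit
        "query": "SELECT pid, path, remote_address, remote_port, time FROM socket_events;",
        "interval": 60,
    },
    "file_events": {  # file integrity monitoring over the file_paths categories
        "query": "SELECT target_path, action, sha256, time FROM file_events;",
        "interval": 60,
    },
}

AUDIT_TABLES = {"process_events", "socket_events"}


def build_config(packs, file_paths):
    """osquery.conf as a dict: options, schedule, pack references and FIM paths."""
    return {
        "options": {"disable_events": "false", "events_expiry": "3600"},
        "schedule": dict(SCHEDULE),
        "packs": {name: f"{PACK_DIR}/{name}.conf" for name in packs},
        "file_paths": dict(file_paths),
    }


def build_flags(audit_sockets):
    """osquery.flags lines needed by the audit-backed event tables."""
    flags = ["--disable_audit=false", "--audit_allow_config=true"]
    if audit_sockets:
        flags.append("--audit_allow_sockets=true")  # extra CPU, as slide 20 notes
    return flags


def check_config(config, flags):
    """List the inconsistencies that would silently leave a scheduled query empty."""
    problems = []
    scheduled = set(config["schedule"])
    if scheduled & AUDIT_TABLES and "--disable_audit=false" not in flags:
        problems.append("audit tables scheduled but --disable_audit=false is missing")
    if "socket_events" in scheduled and "--audit_allow_sockets=true" not in flags:
        problems.append("socket_events scheduled but --audit_allow_sockets=true is missing")
    if "file_events" in scheduled and not config["file_paths"]:
        problems.append("file_events scheduled but file_paths has no categories")
    if any(t.endswith("_events") for t in scheduled) and config["options"].get("disable_events") != "false":
        problems.append("event tables scheduled but disable_events is not false")
    return problems


def render(config, flags):
    """Text of the two files, ready to write under /etc/osquery/."""
    return json.dumps(config, indent=2), "\n".join(flags) + "\n"


if __name__ == "__main__":
    cfg = build_config(["incident-response", "it-compliance"], {"etc": ["/etc/%%"]})
    flg = build_flags(audit_sockets=True)
    for problem in check_config(cfg, flg):
        print("WARNING:", problem)
    conf_text, flags_text = render(cfg, flg)
    print(conf_text)
    print(flags_text)
```

The `/etc/%%` pattern is osquery's recursive wildcard for a file_paths category; the check function is the part worth keeping in a deployment pipeline, run before `service osqueryd restart`.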
32 Don't forget logrotate: the volume of logs gets considerable, so logrotate is needed. /etc/logrotate.d/osqueryd. daily can be painful, so hourly may be better.
33 Collecting the logs: S3
34 Parsing with Fluentd: since it is JSON, parsing in fluentd is easy.
35 Storing the logs in Elasticsearch
36 A user's command history
37 sshd login attempts
38 Using the logs in operations: once the logs are in Elasticsearch, Elastalert or Watcher can search for and notify you of abnormal operations and commands that need attention.
39 Notify a chat tool: send login events to Slack. When a notification arrives, the person who did it leaves a confirming comment, so that who is operating the server, when and why is shared with the team, and it works as a (kind of) multi-factor authentication.
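The pipeline of slides 34 to 39 in miniature, as an added example that is not the talk's fluentd or Elastalert configuration: read osqueryd.results.log lines (one JSON object per line in osquery's default event format), turn new logins and commands worth a second look into chat notifications, and skip malformed lines rather than stopping. The sample lines, host name, addresses, timestamps and the watch list are all constructed for this example.

```python
import json
import re

# Constructed sample of osqueryd.results.log (event format), including one broken line.
SAMPLE_LOG = """\
{"name":"logged_in_users","hostIdentifier":"web01","calendarTime":"Sat Aug  5 03:00:00 2017 UTC","unixTime":1501902000,"action":"added","columns":{"user":"alice","host":"203.0.113.5","tty":"pts/0","time":"1501901990"}}
{"name":"process_events","hostIdentifier":"web01","calendarTime":"Sat Aug  5 03:01:00 2017 UTC","unixTime":1501902060,"action":"added","columns":{"pid":"4242","path":"/usr/bin/vim","cmdline":"vim /etc/sudoers","uid":"0","time":"1501902055"}}
{"name":"process_events","hostIdentifier":"web01","calendarTime":"Sat Aug  5 03:01:00 2017 UTC","unixTime":1501902060,"action":"added","columns":{"pid":"4243","path":"/bin/ls","cmdline":"ls -la /var/log","uid":"1000","time":"1501902058"}}
not json at all
{"name":"logged_in_users","hostIdentifier":"web01","calendarTime":"Sat Aug  5 03:05:00 2017 UTC","unixTime":1501902300,"action":"removed","columns":{"user":"alice","host":"203.0.113.5","tty":"pts/0","time":"1501901990"}}
"""

# Constructed watch list: edits to authentication-critical files and account changes.
WATCHLIST = [
    re.compile(r"/etc/(sudoers|passwd|shadow)"),
    re.compile(r"\b(useradd|usermod|visudo)\b"),
]


def parse_results(text):
    """One dict per valid line; blank and malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in obj for k in ("name", "action", "columns", "hostIdentifier", "unixTime")):
            events.append(obj)
    return events


def login_alerts(events):
    """Each newly added logged_in_users row is a login someone should acknowledge."""
    return [
        {"kind": "login", "host": e["hostIdentifier"], "user": e["columns"]["user"],
         "from": e["columns"]["host"], "tty": e["columns"]["tty"], "time": e["unixTime"]}
        for e in events
        if e["name"] == "logged_in_users" and e["action"] == "added"
    ]


def sensitive_command_alerts(events, watchlist=WATCHLIST):
    """process_events rows whose cmdline matches the watch list."""
    alerts = []
    for e in events:
        if e["name"] != "process_events" or e["action"] != "added":
            continue
        cmd = e["columns"]["cmdline"]
        if any(p.search(cmd) for p in watchlist):
            alerts.append({"kind": "command", "host": e["hostIdentifier"], "pid": e["columns"]["pid"],
                           "uid": e["columns"]["uid"], "cmdline": cmd, "time": e["unixTime"]})
    return alerts


def format_message(alert):
    """Chat text; the operator replies in the thread to confirm it was them (slide 39)."""
    if alert["kind"] == "login":
        return (f"[{alert['host']}] login: {alert['user']} from {alert['from']} "
                f"on {alert['tty']} (please confirm in thread)")
    return (f"[{alert['host']}] uid {alert['uid']} ran: {alert['cmdline']} "
            f"(pid {alert['pid']}), please confirm in thread")


def notifications(text):
    """Messages in time order, ready to post to a chat channel."""
    events = parse_results(text)
    alerts = login_alerts(events) + sensitive_command_alerts(events)
    return [format_message(a) for a in sorted(alerts, key=lambda a: a["time"])]


if __name__ == "__main__":
    for msg in notifications(SAMPLE_LOG):
        print(msg)
```

In production the same functions sit behind a fluentd or Elastalert rule rather than reading a file; the point is that the JSON shape makes the rule a few lines, and that "removed" rows (logouts) and routine commands produce no noise.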
40 Caveats: osquery development is active (there was a bug earlier that increased disk IO; now fixed). Memory use is around 100 MB. Enabling socket monitoring consumes CPU (around 5%?). osqueryd works on a schedule, so the completeness of what gets written to the log is a little weak; combine it with tools like go-audit.
41 Security log collection, starting with OSS. Yuri Umezaki, builderscon tokyo 2017
42 Security log collection, starting with OSS (osquery). Yuri Umezaki, builderscon tokyo 2017
43 Summary: design the whole system so the security operations burden stays small; start putting the highest-priority logs to use first; also consider mechanisms to avoid log tampering and log loss; establishing procedures for preventing attacks and recovering from them also matters.
44 osquery is no silver bullet; combine it with other tools. It is not "install osquery and you're done".
45 Let's use osquery in production.