OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

by bungoume

Slide 1

Slide 1 text

1 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

Slide 2

Slide 2 text

2 ࣗݾ঺հ ക࡚ɹ༟ར (Yuri Umezaki) DevOps: ϩά෼ੳɾݕࡧAPIɾΠϯϑϥ؅ཧ Python, Elasticsearch, Docker

Slide 3

Slide 3 text

3 Ξϯέʔτ ɾ։ൃऀ ɾӡ༻ɺΠϯϑϥ؅ཧऀ ɾηΩϡϦςΟΤϯδχΞ ͋ͳͨͷۀ຿ʹ͍ۙͷ͸

Slide 4

Slide 4 text

4 ηΩϡϦςΟڴҖ վ͟Μɾ৘ใྲྀग़ ϥϯαϜ΢ΣΞ etc… ɾ಺෦ෆਖ਼ ɹ(ૢ࡞ϛε) ϑΝΠΞ΢Υʔϧ IDS/IPS/WAF αʔό(ػີσʔλ) ੬ ऑ ੑ ͳͲ ɾ֎෦߈ܸ ڴҖ͸֎෦ͱ಺෦ ྆ํʹજΉ

Slide 5

Slide 5 text

ɾ཈ࢭɿࢥ͍ͱͲ·ΒͤΔ 5 ηΩϡϦςΟରࡦͷ෼ྨ ɾ༧๷ɿΞΫηε੍ޚͳͲ ɾݕ஌ɿ໰୊Λݕग़ɺ෮چͷख͕͔ΓΛه࿥ ɾ෮چɿෆਖ਼ͷ͋ͬͨલʹ໭͢ Ұൠʹ4ͭʹ෼ྨ ཈ࢭɾ༧๷ͱ͍ͬͨ๷ޚͷରࡦ͕ଟ͍

Slide 6

Slide 6 text

6 ৵ೖ΁ͷؾ͖ͮํ ɾࣾ಺ͷਓ͕ෆ৹ͳ఺ʹؾ෇͘ ɾ֎෦ͷ਌੾ͳϗϫΠτϋοΧʔ͔Βͷ࿈བྷ ɾϢʔβ͔Βͷ໰͍߹ΘͤͰൃ֮ ɾ߈ܸऀࣗ਎͕ڭ͑ͯ͘ΕΔ ← ໿൒਺͕֎෦͔Βͷࢦఠ*ͱ͍͏࿩΋ * FireEye M-Trends 2017: ηΩϡϦςΟ৵֐͓ΑͼαΠόʔ߈ܸͷ೥ؒτϨϯυ https://www.ﬁreeye.jp/current-threats/annual-threat-report/mtrends.html

Slide 7

Slide 7 text

7 ֎෦߈ܸͷݕग़ ɾΞΫηεϩά΍IDS౳Ͱෆ৹ͳ௨৴Λݕग़ ɾϗετܕηΩϡϦςΟ੡඼Ͱݕ஌ ֎ͱαʔόͷதؒ੡඼Ͱ͋Δఔ౓कΒΕ͍ͯΔ ࠷ޙ͸ϗετʢαʔόࣗମʣͰݕग़͢Δ͔͠ͳ͍ αʔόͰ΋࠷௿ݶͷϩά͸ऩू͓͖͍ͯͨ͠

Slide 8

Slide 8 text

8 ಺෦ෆਖ਼ͷݕग़ ɾ୭͕͍ͭαʔόʹϩάΠϯ͍ͯ͠Δ͔ ɾαʔόͰԿΛ͍ͯ͠Δ͔(ૢ࡞ϩά) γεςϜ؅ཧऀͷೝূϩά͕ॏཁ ·ͣ͸αʔόͰͷೝূɾૢ࡞ϩάΛऩू͍ͨ͠

Slide 9

Slide 9 text

9 ૢ࡞ϩάͲ͏औΔʁ ɾbash history ɾscriptίϚϯυ ɾpsacct ɾaudit ؆୯ʹه࿥ఀࢭɾॻ͖׵͑Ͱ͖ͯ͠·͏ Ҿ਺ͳͲ͕֬ೝͰ͖ͳ͍,ίϚϯυ໊௕੍ݶ ؂ࠪϩάͱͯ͠ྑͦ͞͏

Slide 10

Slide 10 text

10 audit log # systemctl start auditd # auditctl -a always,exit -F arch=b64 -S execve ls ͚ͩͰෳ਺ߦϩά͕ग़Δ ύʔε͠ʹ͍͘… /var/log/audit/audit.log

Slide 11

Slide 11 text

11 audit logΛ׆༻͍ͨ͠ ɾgo-audit Slack੡ͷauditlogΛ͍͍ײ͡ʹύʔε͢Δπʔϧ ɾElastic Beats Filebeat 5.4(2017/5/4) ΑΓauditlogͷύʔα௥Ճ! ɾosquery ↑ࠓճ͸͜Ε ࢲͷ஌͍ͬͯΔൣғͰ͸ҎԼͷύʔα͕ศརͦ͏

Slide 12

Slide 12 text

12 osquery Facebook੡ͷϚγϯঢ়گ֬ೝπʔϧ ɾSQLͰ࣮ߦதͷϓϩηεɺϩάΠϯঢ়گͳͲ͕֬ೝͰ͖Δ osqueryi ɾεέδϡʔϧ࣮ߦͰϩάΛग़͠ɺ؂ࢹʹ΋ར༻Ͱ͖Δ osqueryd ɾLinux͚ͩͰͳ͘ɺwindows, macͰ΋ར༻Մೳ ஫: OSʹΑͬͯऔΕͳ͍छྨ͕͋Γ·͢ɻaudit events͸Ubuntu,CentOSͷΈ

Slide 13

Slide 13 text

13 osquery 2017/8/3 ݱࡏ githubͷstar͸9501 Linux Security Tools (Top 100) *ͷ10൪໨ʹ঺հ * https://linuxsecurity.expert/security-tools/top-100/

Slide 14

Slide 14 text

14 Linux Security Tools (Top 100) * https://linuxsecurity.expert/security-tools/top-100/

Slide 15

Slide 15 text

15 ࿅श: macͰosquery $ brew install osquery

Slide 16

Slide 16 text

16 ࿅श: macͰosquery chrome֦ுͳͲ·Ͱ෼͔Δ

Slide 17

Slide 17 text

17 LinuxͰosqueryd vim /etc/osquery/osquery.conf osqueryΛఆظ࣮ߦͯ͠ϩάʹग़ͯ͠ΈΔɹ service osqueryd restart

Slide 18

Slide 18 text

18 osquerydͷϩά /var/log/osquery/osqueryd.results.log ʹϩά͕JSONͰॻ͖ग़͞ΕΔ

Slide 19

Slide 19 text

19 audit events ֎෦ͱͷ௨৴ཤྺΛऔΔͳΒsocket_events΋ vim /etc/osquery/osquery.conf

Slide 20

Slide 20 text

20 audit events /etc/osquery/osquery.ﬂags ʹҎԼΛهࡌ socket_eventsΛऔಘ͢Δ৔߹͸ ΋ඞཁ  ʢ஫:͜ͷΦϓγϣϯΛ͚ͭΔͱCPU࢖༻཰͕૿͑Δʣ

Slide 21

Slide 21 text

21 process_events ϩά lsͷ࣮ߦϩά

Slide 22

Slide 22 text

22 socket_events ϩά

Slide 23

Slide 23 text

23 ϑΝΠϧ੔߹ੑ؂ࢹ ࡞੒/มߋ/࡟আΛϑΝΠϧ΍ύε୯ҐͰ؂ࢹ vim /etc/osquery/osquery.conf

Slide 24

Slide 24 text

24 ϑΝΠϧ੔߹ੑ؂ࢹ ϩά AIDE,OSSEC,Tripwire ͋ͨΓͷ୅ସʹͳΔ͔΋ echo “message” >> /etc/test ޙͷϩά

Slide 25

Slide 25 text

25 osquery ৭ʑऔΕΔ! ೝূɾૢ࡞ϩάΛऔΔ໨తͰܾΊ͚ͨͲ  ϗετܕIDSͱͯ͠े෼ػೳͦ͠͏ υΩϡϝϯτ΋ॆ࣮ ίϚϯυ׳Εͯͳ͍ਓʹ΋࢖͍΍͍͢ʢ͔΋ʣ εέδϡʔϧ࣮ߦͰ͖Δ ݁Ռ͕JSONͰు͖ग़͞ΕΔͷͰ׆༻ָ͕ʢॏཁʣ

Slide 26

Slide 26 text

26 osquerydͷ࢓૊Έ(ͬ͘͟Γ) ಺෦Ͱ͸RocksDBͱ͍͏key-valueܕσʔλετΞΛར༻ https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/ osqueryd͸ఆظΫΤϦΛ࣮ߦ࣌  લճͷ݁Ռ͕RocksDBʹ֨ೲ͞Ε͍ͯͳ͍͔νΣοΫ͢Δ ɾσʔλ͕ͳ͍৔߹ - ͢΂ͯͷߦΛදࣔ͠ɺ݁ՌΛ֨ೲ ɾҎલͷ݁Ռ͕DBʹ͋Δ৔߹ - 2ͭͷσʔληοτΛൺֱ͠ɺࠩ෼Λग़ྗ

Slide 27

Slide 27 text

27 osquerydͷ࢓૊Έ(ͬ͘͟Γ) ఆظ֬ೝͷؒʹมߋͯ͠໭ͨ͠Β௨஌͞Εͳ͍ͷͰ͸ʁ ϑΝΠϧ੔߹ੑ؂ࢹʹ͍ͭͯ Event-based monitoringͳͷͰมߋͷ৘ใ͕อ࣋͞ΕΔ (ﬁleͰ͸inotify͓ΑͼFSEventsΛ࢖༻)

Slide 28

Slide 28 text

28 ԿΛ؂ࢹର৅ʹ͢Δ͔(Ұྫ) ɾೝূϩάʢϩάΠϯΠϕϯτʣ ɾૢ࡞ϩά ɾ௨৴ϩά ɾϋʔυ΢ΣΞ઀ଓϩά

Slide 29

Slide 29 text

29 ԿΛ؂ࢹର৅ʹ͢Δ͔(୺຤) ɾChrome, ﬁrefoxͷplugin ɾ֦ுػೳʹϚϧ΢ΣΞ͕ೖΔέʔε͕ۙ೥໰୊ʹ ɾhomebrew౳ϥΠϒϥϦͷҰཡ ɹɾ༗໊ॴͱࣅ໊ͨલͷϚϧ΢ΣΞ͕npmͰݟ͔ͭΔ HTTP Headers ͱ͍͏ 5ສਓ͕࢖͍ͬͯΔ Chrome ֦ுͷϚϧ΢ΣΞٙ࿭ http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware npmjs.com Ͱஶ໊ιϑτ΢ΣΞʹΑ͘ࣅ໊ͨલͷϚϧ΢ΣΞ͕େྔʹൃݟ͞Εͨ http://gfx.hatenablog.com/entry/2017/08/02/131537

Slide 30

Slide 30 text

30 Pack osquery_monitoring it_compliance, incident_response osx-attacks, vuln-management osqueryʹ͸ΫΤϦύοΫ΋༻ҙ͞Ε͍ͯΔ hardware-monitoring

Slide 31

Slide 31 text

31 osquery.conf ઃఆྫ ·ͣ͸Pack + ࢖͏ͱ͜Ζ͔Β

Slide 32

Slide 32 text

32 Logrotate΋๨Εͣʹ ݁ߏͳϩάͷྔʹͳΔͷͰɺlogrotate͸ඞཁ /etc/logrotate.d/osqueryd dailyͩͱਏ͍͜ͱ΋͋ΔͷͰhourly͕ྑ͍͔΋

Slide 33

Slide 33 text

33 ϩάΛूΊΔ S3

Slide 34

Slide 34 text

34 FluentdͰύʔε JSONͳͷͰﬂuentdͰͷύʔε͕؆୯

Slide 35

Slide 35 text

35 Elasticsearch΁ϩάอଘ

Slide 36

Slide 36 text

36 ϢʔβͷίϚϯυཤྺ

Slide 37

Slide 37 text

37 sshdϩάΠϯࢼߦ

Slide 38

Slide 38 text

38 ϩάͷ࢖͍ํɺӡ༻ ElasticsearchʹϩάೖΕ͓͚ͯ͹ɺ Elastalert΍WatcherΛར༻ͯ͠ ҟৗͳૢ࡞΍஫ҙ͕ඞཁͳίϚϯυΛݕࡧ/௨஌Մೳʹ

Slide 39

Slide 39 text

39 νϟοτπʔϧʹ௨஌ ϩάΠϯΠϕϯτΛSlackʹ௨஌͢Δ ௨஌͕͋ͬͨΒ࣮ߦऀ͕֬ೝίϝϯτ͢Δ͜ͱͰ ͩΕ͕ɾ͍ͭɾͲ͏͍͏໨తͰαʔόૢ࡞͍ͯ͠Δ͔  ৘ใڞ༗ͱ(Ұछͷ)ଟཁૉೝূ͕Ͱ͖Δ

Slide 40

Slide 40 text

40 ஫ҙ఺ͳͲ ɾosqueryͷ։ൃ͸׆ൃ ɹɾҎલ͸Disk IO͕૿͑Δόά͕͋ͬͨ(मਖ਼ࡁ) ɾϝϞϦ͸100MB΄Ͳফඅ ɾsocket؂ࢹΛ༗ޮʹ͢ΔͱCPUΛফඅ(5%ఔ౓?) ɾosqueryd͸εέδϡʔϧํࣜ ɹɾϩάॻ͖ग़͠Ͱ׬શੑ͸গ͠ऑ͍ ɹɾgo-auditͳͲπʔϧΛ૊Έ߹Θͤͯ࢖͍·͠ΐ͏

Slide 41

Slide 41 text

41 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

Slide 42

Slide 42 text

42 OSS osqueryͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

Slide 43

Slide 43 text

43 ·ͱΊ ɾηΩϡϦςΟӡ༻ෛՙ͕গͳ͍ܗͰશମઃܭ͢Δ ɾ༏ઌ౓ͷߴ͍ϩά͔Β׆༻͍ͯ͘͠ ɾϩάͷվ͟Μ΍ϩετΛճආ͢Δػߏ΋ݕ౼͠Α͏ ɾ߈ܸͷ༧๷΍෮چ΁ͷखॱཱ֬΋େ੾

Slide 44

Slide 44 text

44 osquery͸ۜͷ஄ؙͰ͸ͳ͍ ૊Έ߹Θͤͯར༻͠·͠ΐ͏ osqueryೖΕͯOKͰ͸ͳ͘

Slide 45

Slide 45 text

45 osquery ೔ຊͰ΋࢖͍͖ͬͯ·͠ΐ͏