Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Auditd for the Masses

Philipp Krenn
September 29, 2018
Programming
2
370

Auditd for the Masses

The Linux Audit daemon is responsible for writing audit records to the disk, which you can then access with ausearch and aureport. However, it turned out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original configuration, but ships them to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what can you do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we are combining Auditd events with logs, which are security relevant.

Philipp Krenn

September 29, 2018
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
1.9k
360° Monitoring of Your Microservices
xeraa
7
3.2k
Scale Your Metrics with Elasticsearch
xeraa
4
120
YAML Considered Harmful
xeraa
0
1.9k
Scale Your Elasticsearch Cluster
xeraa
1
260
Hands-On ModSecurity and Logging
xeraa
2
120
Centralized Logging Patterns
xeraa
1
920
Dashboards for Your Management with Kibana Canvas
xeraa
1
440
Make Your Data FABulous
xeraa
3
750

Other Decks in Programming

See All in Programming
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
250
Front-end application development, Symfony-style(s)
dunglas
2
1.9k
Doctrine ORMでValue Objectを扱う方法4選 #phpstudy / 4 ways to handle Value Objects with Doctrine ORM
77web
4
110
pixivアプリでマルチモジュールを実現するまで
gatosyocora
1
130
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
100
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
1.2k
PostmanでAPIの動作確認が楽になった話
h455h1
0
130
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
480
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
22
15k
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.3k
元気予報
suu_mire0726
0
860

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
Designing the Hi-DPI Web
ddemaree
276
33k
How GitHub (no longer) Works
holman
304
140k
Become a Pro
speakerdeck
PRO
10
4.5k
Embracing the Ebb and Flow
colly
79
4.1k
Agile that works and the tools we love
rasmusluckow
324
20k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
The Brand Is Dead. Long Live the Brand.
mthomps
48
28k
Documentation Writing (for coders)
carmenintech
59
3.9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
658
120k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
321
20k

Transcript

  1. Scale Your Auditing Events Philipp Krenn̴̴̴̴̴@xeraa

  2. None
  3. None

  4. No silver bullet

  5. uditd https://github.com/linux-audit

  6. "auditd is the userspace component to the Linux Auditing System.

    It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."

  7. Monitor File and network access System calls Commands run by

    a user Security events

  8. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

  9. Demo

  10. Understanding Logs https://access.redhat.com/documentation/en-us/ red_hat_enterprise_linux/7/html/security_guide/sec- understanding_audit_log_files

  11. More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules

  12. Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/ 32#issuecomment-395052938

  13. None

  14. Problem How to centralize?

  15. Developer

  16. Disclaimer I build highly monitored Hello World apps

  17. None
  18. None
  19. None
  20. None
  21. None
  22. None

  23. Filebeat Module: Auditd

  24. Demo

  25. !

  26. !"

  27. https://cloud.elastic.co

  28. Auditbeat

  29. Auditd Module Correlate related events Resolve UIDs to user names

    Native Elasticsearch integration

  30. Auditd Module eBPF powers on older kernels Run side by

    side with Auditd Easier configuration

  31. Docker metadata enrichment

  32. Demo

  33. File Integrity Module inotify (Linux) fsevents (macOS) ReadDirectoryChangesW (Windows)

  34. hash_types blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512,

    sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64

  35. Demo

  36. Conclusion

  37. None

  38. Auditd Auditbeat Logs, Dashboards,...

  39. Try https://dashboard.xeraa.wtf SSH: [email protected]̴secret

  40. Code https://github.com/xeraa/auditbeat- in-action

  41. Questions? Philipp Krenn̴̴̴̴̴@xeraa PS: Sticker