Auditd for the Masses

Philipp Krenn
September 29, 2018

The Linux Audit daemon is responsible for writing audit records to the disk, which you can then access with ausearch and aureport. However, it turns out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original configuration while shipping the events to a centralized location where you can easily visualize all of them. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what you can do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we are combining Auditd events with security-relevant logs.
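
Much of the parsing difficulty mentioned above comes from a single event being spread over several records. The following added example (not code from the talk or from Auditbeat; the log lines are constructed samples) groups raw audit.log records by their shared timestamp:serial ID, unpacks the nested msg='...' fields of user-space records and decodes the hex-encoded proctitle.

```python
import re
from collections import defaultdict

# Constructed sample records in raw audit.log format (not taken from the talk).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1538208000.123:4711): arch=c000003e syscall=59 success=yes exit=0 pid=2301 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="passwd-read"
type=EXECVE msg=audit(1538208000.123:4711): argc=2 a0="cat" a1="/etc/passwd"
type=PATH msg=audit(1538208000.123:4711): item=0 name="/etc/passwd" inode=1234 nametype=NORMAL
type=PROCTITLE msg=audit(1538208000.123:4711): proctitle=636174002F6574632F706173737764
type=USER_LOGIN msg=audit(1538208007.500:4712): pid=2400 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" res=failed'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): ?(.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
UNSET_AUID = "4294967295"  # (uint32)-1: the session has no login UID

def decode_hex(value):
    """Unquoted proctitle is hex with NUL-separated argv; return a command line."""
    try:
        return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return value  # not hex after all, keep as-is

def parse_fields(text):
    fields = {}
    for key, raw in FIELD.findall(text):
        if raw.startswith("'"):      # user-space records nest k=v pairs in msg='...'
            fields.update(parse_fields(raw[1:-1]))
        elif raw.startswith('"'):    # quoted means the value is literal text
            fields[key] = raw[1:-1]
        else:
            fields[key] = decode_hex(raw) if key == "proctitle" else raw
    return fields

def correlate(log_text):
    """Merge all records that share one timestamp:serial ID into a single event."""
    events = defaultdict(lambda: {"types": [], "fields": {}})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, rest = m.groups()
        events[event_id]["types"].append(rtype)
        for key, value in parse_fields(rest).items():
            events[event_id]["fields"].setdefault(key, value)  # first record wins
    return dict(events)

if __name__ == "__main__":
    for event_id, ev in correlate(SAMPLE_LOG).items():
        f = ev["fields"]
        who = "unset" if f.get("auid") == UNSET_AUID else f.get("auid")
        print(event_id, "+".join(ev["types"]), "auid=" + str(who), f.get("proctitle", f.get("op")))
```

An auid of 4294967295 means no login UID was ever set for the process, which is why the failed sshd login above cannot be tied to an interactive user.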


Transcript

  1. Scale Your Auditing Events, Philipp Krenn @xeraa

  4. No silver bullet

  5. auditd https://github.com/linux-audit

  6. "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."

  7. Monitor: file and network access, system calls, commands run by a user, security events
  8. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

  9. Demo

  10. Understanding Logs https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files

  11. More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules

  12. Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/32#issuecomment-395052938

  14. Problem: How to centralize?

  15. Developer

  16. Disclaimer: I build highly monitored Hello World apps

  23. Filebeat Module: Auditd

  24. Demo


  27. https://cloud.elastic.co

  28. Auditbeat

  29. Auditd Module: correlate related events, resolve UIDs to user names, native Elasticsearch integration

  30. Auditd Module: eBPF powers on older kernels, run side by side with Auditd, easier configuration
  31. Docker metadata enrichment

  32. Demo

  33. File Integrity Module: inotify (Linux), fsevents (macOS), ReadDirectoryChangesW (Windows)

  34. hash_types: blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64

  35. Demo

  36. Conclusion

  38. Auditd, Auditbeat, Logs, Dashboards, ...

  39. Try https://dashboard.xeraa.wtf SSH: elastic-user@xeraa.wtf secret

  40. Code https://github.com/xeraa/auditbeat-in-action

  41. Questions? Philipp Krenn @xeraa PS: Sticker