1. ES as a security auditing tool – Elastic Meetup 20161026 – Blue Infinity
Open Source infrastructure
specialists in Geneva
Jérôme Steunenberg (co-founder)
https://www.meetup.com/fr-FR/Geneve-Open-Source-Meetup/
Thank you BI!
Thank you Elastic Meetup!
2.
Origins: “We want to know everything that happens on our Unix servers” (client request)
Translation: “Our auditors want us to know who did what when and where, even for root users”
3.
Solution 1: lock su and use sudo with logging. Drawbacks: anyone a little bit skilled can sudo into a program and spawn a shell, then they’re invisible.
Solution 2: use an SSH bastion solution (e.g. Wallix, Balabit) that records sessions. Drawbacks: SPOF, complex, licensing per server.
Solution 3: use a keylogger. Drawbacks: logs passwords, very difficult to search.
Solution 4: other tricks exist, such as using the PROMPT_COMMAND environment variable to log all commands. Drawbacks: very easily circumvented.
4.
auditd + beats + logstash + ES + Kibana
5.
Auditd presentation
http://itsitrc.blogspot.ch/2012/12/the-linux-auditing-system-auditd.html
6.
# Delete all previous rules
-D
# Set buffer size
-b 8192
# Audit all changes to local time
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
# Audit all changes to identity files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
...
# Make the configuration immutable -- this must be the last line loaded, because once it is
# in effect no further rule can be added; a reboot is then required to change audit rules
-e 2
Auditd sample configuration
7.
# Log all processes
-a exit,always -F arch=b64 -S execve -k logall
-a exit,always -F arch=b32 -S execve -k logall
Log all process spawns
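Added example, not from the deck: a small Python parser for the raw SYSCALL/EXECVE/CWD records that the execve rule above produces. It groups records by event serial, decodes hex-encoded arguments, and flags commands where the login uid (auid) differs from the effective uid, which is how "who did what, even as root" is answered after su/sudo. The audit lines are constructed sample input in the standard auditd raw format.

```python
import re
from collections import defaultdict

# Constructed sample of the raw records the execve rule above emits (key "logall"): a person
# whose login uid (auid) is 1000 became root via sudo and runs a shell one-liner. auditd
# hex-encodes any value that contains spaces or control characters (a2 here).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1477468800.123:4711): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sh" exe="/bin/dash" key="logall"
type=EXECVE msg=audit(1477468800.123:4711): argc=3 a0="sh" a1="-c" a2=69643B20636174202F6574632F736861646F77
type=CWD msg=audit(1477468800.123:4711): cwd="/root"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_KEYS = ("auid", "uid", "euid", "pid", "ppid", "ses", "tty", "comm", "exe", "key", "success")
UNSET_AUID = "4294967295"  # kernel value for "no login uid" (e.g. daemons started at boot)

def decode_arg(raw):
    """EXECVE args are double-quoted, or hex-encoded when they contain spaces/control chars."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace")

def parse_audit_log(text):
    """Group raw records by event serial and flatten each execve event into one dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[m["serial"]]
        ev["timestamp"] = float(m["ts"])
        fields = dict(FIELD_RE.findall(m["body"]))
        if m["type"] == "SYSCALL":
            ev.update({k: fields[k].strip('"') for k in SYSCALL_KEYS if k in fields})
        elif m["type"] == "EXECVE":
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
        elif m["type"] == "CWD":
            ev["cwd"] = fields["cwd"].strip('"')
    return [ev for ev in events.values() if ev.get("key") == "logall" and "argv" in ev]

def escalated(ev):
    """True when the effective user differs from the login user: the auid survives su/sudo,
    so a root command still points back to the person who actually logged in."""
    return ev["auid"] != UNSET_AUID and ev["auid"] != ev["uid"]

if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(ev["timestamp"], "auid=" + ev["auid"], "uid=" + ev["uid"], escalated(ev), " ".join(ev["argv"]))
```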
9.
# /etc/filebeat/filebeat.yml
filebeat:
  prospectors:
    -
      paths:
        - /var/log/audisp-simplify
      input_type: log
      scan_frequency: 1s
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["localhost:5044"]
shipper:
logging:
  files:
    path: /var/log
    name: filebeat
    rotateeverybytes: 10485760 # = 10MB
    keepfiles: 7
  level: info