Slides de notre présentation de CleverAudit lors de notre dernier Elastic meetup.

1. 1 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
Open Source infrastructure
specialists in Geneva
Jérôme Steunenberg (co-founder)
https://www.meetup.com/fr-
FR/Geneve-Open-Source-Meetup/
Thank you BI!
Thank you Elastic Meetup!

2. 2 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
Origins: “We want to know everything that
happens on our Unix servers” (client request)
Translation: “Our auditors want us to know
who did what when and where, even for
root users”

3. 3 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
Solution 1: lock su and use sudo with logging.
Drawbacks: anyone a little bit skilled can sudo into a
program and spawn a shell, then they’re invisible.
Solution 2: use an SSH bastion solution (e.g. Wallix,
Balabit) that records sessions. Drawbacks: SPOF,
complex, licensing per server.
Solution 4: other tricks exist, such as using the
PROMPT_COMMAND environment variable to log all
commands. Drawbacks: very easily circumvented.
Solution 3: use a keylogger. Drawbacks: logs
passwords, very difficult to search.

4. 4 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
auditd + beats + logstash + ES + Kibana

5. 5 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
Auditd presentation
http://itsitrc.blogspot.ch/2012/12/the-linux-auditing-system-auditd.html

6. 6 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
# Delete all previous rules
-D
# Set buffer size
-b 8192
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
# Audit all changes to local time
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
# Audit all changes to identity files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
...
Auditd sample configuration

7. 7 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
# Log all processes
-a exit,always -F arch=b64 -S execve -k logall
-a exit,always -F arch=b32 -S execve -k logall
Log all process spawns

8. 8 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity

9. 9 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
# /etc/filebeat/filebeat.yml
filebeat:
prospectors:
-
paths:
- /var/log/audisp-simplify
input_type: log
scan_frequency: 1s
registry_file: /var/lib/filebeat/registry
output:
logstash:
hosts: ["localhost:5044"]
shipper:
logging:
files:
path: /var/log
name: filebeat
rotateeverybytes: 10485760 # = 10MB
keepfiles: 7
level: info

10. 10 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
# /etc/logstash/conf.d/beats.conf
input {
beats {
port => 5044
ssl => false
}
}
filter {
grok {
match => { "message" => 'type=EXECVE key=(logall)? auditid=%{NUMBER:auditid}
time="%{TIMESTAMP_ISO8601:time}" hostname="%{HOSTNAME:host}" tty=((?%{WORD:tty})?)? ppid=(%
{NUMBER:ppid})? pid=(%{NUMBER:pid})? exe="(%{UNIXPATH:exe})?" name="(%{UNIXPATH:name})?"
user=(%{USERNAME:user})? origuser=(%{USERNAME:origuser})? cwd="(%{UNIXPATH:cwd})?" command=%
{QUOTEDSTRING:command}' }
}
date {
match => [ "time", "yyyy-MM-dd HH:mm:ssZ" ]
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => [ "localhost" ]
}
}

11. 11 ES as a security auditing toolElastic Meetup 20161026 – Blue Infinity
i Démo CleverAudit
5 minutes
Technologies :