scale your auditing events - pass the salt conference · "auditd is the userspace component to...
TRANSCRIPT
![Page 1: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/1.jpg)
Scale YourAuditing Events
Philipp Krenn̴̴̴̴̴@xeraa
![Page 2: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/2.jpg)
![Page 3: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/3.jpg)
No silver bullet !
![Page 5: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/5.jpg)
"auditd is the userspace component to the Linux Auditing System. It's
responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."
![Page 6: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/6.jpg)
MonitorFile and network access
System callsCommands run by a user
Security events
![Page 7: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/7.jpg)
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
![Page 8: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/8.jpg)
Demo
![Page 9: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/9.jpg)
Understanding Logshttps://access.redhat.com/documentation/en-us/
red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
![Page 10: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/10.jpg)
More Ruleshttps://github.com/linux-audit/audit-userspace/tree/master/rules
![Page 11: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/11.jpg)
Namespaces WIPhttps://github.com/linux-audit/audit-kernel/issues/
32#issuecomment-395052938
![Page 12: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/12.jpg)
![Page 13: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/13.jpg)
Problem
How to centralize?
![Page 14: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/14.jpg)
Developer !
![Page 15: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/15.jpg)
Disclaimer
I build highly monitored Hello World apps
![Page 16: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/16.jpg)
![Page 17: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/17.jpg)
![Page 18: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/18.jpg)
![Page 19: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/19.jpg)
![Page 20: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/20.jpg)
![Page 21: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/21.jpg)
Filebeat Module: Auditd
![Page 22: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/22.jpg)
Demo
![Page 23: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/23.jpg)
!
"
![Page 24: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/24.jpg)
!"
![Page 26: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/26.jpg)
Auditbeat
![Page 27: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/27.jpg)
Auditd ModuleCorrelate related events
Resolve UIDs to user namesNative Elasticsearch integration
![Page 28: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/28.jpg)
Auditd ModuleeBPF powers on older kernels
Easier configurationWritten in Golang
![Page 29: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/29.jpg)
![Page 30: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/30.jpg)
go-libaudithttps://github.com/elastic/go-libaudit
go-libaudit is a library for communicating with the Linux Audit Framework
![Page 31: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/31.jpg)
Demo
![Page 32: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/32.jpg)
System ModuleEasier configuration for host, process,
socket, userAdded in 6.6 — not based on Auditd
![Page 33: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/33.jpg)
Demo
![Page 34: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/34.jpg)
File Integrity Moduleinotify (Linux)
fsevents (macOS)ReadDirectoryChangesW (Windows)
![Page 35: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/35.jpg)
hash_typesblake2b_256, blake2b_384, blake2b_512, md5, sha1,
sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
![Page 36: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/36.jpg)
Demo
![Page 37: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/37.jpg)
Elastic SIEM
![Page 39: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/39.jpg)
![Page 40: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/40.jpg)
Demo
![Page 41: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/41.jpg)
Conclusion
![Page 42: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/42.jpg)
![Page 43: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/43.jpg)
AuditdAuditbeat
Logs, Dashboards, SIEM
![Page 44: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/44.jpg)
![Page 45: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/45.jpg)
Codehttps://github.com/xeraa/
auditbeat-in-action
![Page 46: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/46.jpg)
Similar Solutionshttps://github.com/slackhq/go-audithttps://github.com/Scribery/aushape
![Page 47: Scale Your Auditing Events - Pass the SALT Conference · "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing](https://reader035.vdocuments.us/reader035/viewer/2022062508/6021b70d66404f2903568f5c/html5/thumbnails/47.jpg)
Questions?Philipp Krenn̴̴̴̴̴@xeraa
PS: Sticker