Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

bungoume
August 05, 2017
Technology
29
11k

 OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

osqueryの紹介
https://builderscon.io/tokyo/2017/session/ce1bf3ee-33bd-4899-897d-ba3c4364c1c5

bungoume

August 05, 2017
Tweet

More Decks by bungoume

See All by bungoume
djangocongressjp2023_password_hash
bungoume
2
1.3k
日経電子版でのDjango活用事例紹介 / djangocongressjp2022-nikkei
bungoume
4
5.4k
CircleCIの活用事例とCI高速化/circleci-community-meetup3-speedup
bungoume
3
1.5k
Password Hashing djangocongress 20180519
bungoume
5
4k
日経電子版のアプリ開発を 支えるログ活用術/nikkei-log-201609
bungoume
1
1.3k
Kibanaで秒間1万件のアクセスを可視化した話/nikkei-kibana-loganalyst2015
bungoume
20
17k
uwsgi-docker-pycon2015
bungoume
10
60k
Ansibleを結構使ってみた/ansible-nikkei-2015
bungoume
32
15k
Dynamic Inventoryと参照変数
bungoume
2
4.9k

Other Decks in Technology

See All in Technology
日経電子版 for Android の技術的課題と取り組み(令和最新版)/android-20250423
nikkei_engineer_recruiting
0
330
AIと開発者の共創: エージェント時代におけるAIフレンドリーなDevOpsの実践
bicstone
1
310
更新系と状態
uhyo
7
1.5k
AWSで作るセキュアな認証基盤with OAuth mTLS / Secure Authentication Infrastructure with OAuth mTLS on AWS
kaminashi
0
160
AWS Control Towerを 数年運用してきての気づきとこれから/aws-controltower-ops-tips
tadayukinakamura
0
150
Creating Awesome Change in SmartNews
martin_lover
1
280
QA/SDETの現在と、これからの挑戦
imtnd
0
120
AIエージェント開発手法と業務導入のプラクティス
ykosaka
1
120
技術者はかっこいいものだ!!~キルラキルから学んだエンジニアの生き方~
masakiokuda
2
270
Running JavaScript within Ruby
hmsk
3
330
PicoRabbit: a Tiny Presentation Device Powered by Ruby
harukasan
PRO
2
210
フロントエンドも盛り上げたい!フロントエンドCBとAmplifyの軌跡
mkdev10
2
280

Featured

See All Featured
Practical Orchestrator
shlominoach
186
11k
How GitHub (no longer) Works
holman
314
140k
The Cult of Friendly URLs
andyhume
78
6.3k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Optimizing for Happiness
mojombo
377
70k
GraphQLとの向き合い方2022年版
quramy
46
14k
Git: the NoSQL Database
bkeepers
PRO
430
65k
How STYLIGHT went responsive
nonsquared
99
5.5k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
390
Adopting Sorbet at Scale
ufuk
76
9.3k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k

Transcript

  1. 1 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  2. 2 ࣗݾ঺հ ക࡚ɹ༟ར (Yuri Umezaki) DevOps: ϩά෼ੳɾݕࡧAPIɾΠϯϑϥ؅ཧ Python, Elasticsearch, Docker

  3. 3 Ξϯέʔτ ɾ։ൃऀ ɾӡ༻ɺΠϯϑϥ؅ཧऀ ɾηΩϡϦςΟΤϯδχΞ ͋ͳͨͷۀ຿ʹ͍ۙͷ͸

  4. 4 ηΩϡϦςΟڴҖ վ͟Μɾ৘ใྲྀग़ ϥϯαϜ΢ΣΞ etc… ɾ಺෦ෆਖ਼ ɹ(ૢ࡞ϛε) ϑΝΠΞ΢Υʔϧ IDS/IPS/WAF αʔό(ػີσʔλ)

    ੬ ऑ ੑ ͳͲ ɾ֎෦߈ܸ ڴҖ͸֎෦ͱ಺෦ ྆ํʹજΉ

  5. ɾ཈ࢭɿࢥ͍ͱͲ·ΒͤΔ 5 ηΩϡϦςΟରࡦͷ෼ྨ ɾ༧๷ɿΞΫηε੍ޚͳͲ ɾݕ஌ɿ໰୊Λݕग़ɺ෮چͷख͕͔ΓΛه࿥ ɾ෮چɿෆਖ਼ͷ͋ͬͨલʹ໭͢ Ұൠʹ4ͭʹ෼ྨ ཈ࢭɾ༧๷ͱ͍ͬͨ๷ޚͷରࡦ͕ଟ͍

  6. 6 ৵ೖ΁ͷؾ͖ͮํ ɾࣾ಺ͷਓ͕ෆ৹ͳ఺ʹؾ෇͘ ɾ֎෦ͷ਌੾ͳϗϫΠτϋοΧʔ͔Βͷ࿈བྷ ɾϢʔβ͔Βͷ໰͍߹ΘͤͰൃ֮ ɾ߈ܸऀࣗ਎͕ڭ͑ͯ͘ΕΔ ← ໿൒਺͕֎෦͔Βͷࢦఠ*ͱ͍͏࿩΋ * FireEye

    M-Trends 2017: ηΩϡϦςΟ৵֐͓ΑͼαΠόʔ߈ܸͷ೥ؒτϨϯυ https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html

  7. 7 ֎෦߈ܸͷݕग़ ɾΞΫηεϩά΍IDS౳Ͱෆ৹ͳ௨৴Λݕग़ ɾϗετܕηΩϡϦςΟ੡඼Ͱݕ஌ ֎ͱαʔόͷதؒ੡඼Ͱ͋Δఔ౓कΒΕ͍ͯΔ ࠷ޙ͸ϗετʢαʔόࣗମʣͰݕग़͢Δ͔͠ͳ͍ αʔόͰ΋࠷௿ݶͷϩά͸ऩू͓͖͍ͯͨ͠

  8. 8 ಺෦ෆਖ਼ͷݕग़ ɾ୭͕͍ͭαʔόʹϩάΠϯ͍ͯ͠Δ͔ ɾαʔόͰԿΛ͍ͯ͠Δ͔(ૢ࡞ϩά) γεςϜ؅ཧऀͷೝূϩά͕ॏཁ ·ͣ͸αʔόͰͷೝূɾૢ࡞ϩάΛऩू͍ͨ͠

  9. 9 ૢ࡞ϩάͲ͏औΔʁ ɾbash history ɾscriptίϚϯυ ɾpsacct ɾaudit ؆୯ʹه࿥ఀࢭɾॻ͖׵͑Ͱ͖ͯ͠·͏ Ҿ਺ͳͲ͕֬ೝͰ͖ͳ͍,ίϚϯυ໊௕੍ݶ ؂ࠪϩάͱͯ͠ྑͦ͞͏

  10. 10 audit log # systemctl start auditd # auditctl -a

    always,exit -F arch=b64 -S execve ls ͚ͩͰෳ਺ߦϩά͕ग़Δ ύʔε͠ʹ͍͘… /var/log/audit/audit.log

  11. 11 audit logΛ׆༻͍ͨ͠ ɾgo-audit Slack੡ͷauditlogΛ͍͍ײ͡ʹύʔε͢Δπʔϧ ɾElastic Beats Filebeat 5.4(2017/5/4) ΑΓauditlogͷύʔα௥Ճ!

    ɾosquery ↑ࠓճ͸͜Ε ࢲͷ஌͍ͬͯΔൣғͰ͸ҎԼͷύʔα͕ศརͦ͏

  12. 12 osquery Facebook੡ͷϚγϯঢ়گ֬ೝπʔϧ ɾSQLͰ࣮ߦதͷϓϩηεɺϩάΠϯঢ়گͳͲ͕֬ೝͰ͖Δ osqueryi ɾεέδϡʔϧ࣮ߦͰϩάΛग़͠ɺ؂ࢹʹ΋ར༻Ͱ͖Δ osqueryd ɾLinux͚ͩͰͳ͘ɺwindows, macͰ΋ར༻Մೳ ஫:

    OSʹΑͬͯऔΕͳ͍छྨ͕͋Γ·͢ɻaudit events͸Ubuntu,CentOSͷΈ

  13. 13 osquery 2017/8/3 ݱࡏ githubͷstar͸9501 Linux Security Tools (Top 100)

    *ͷ10൪໨ʹ঺հ * https://linuxsecurity.expert/security-tools/top-100/

  14. 14 Linux Security Tools (Top 100) * https://linuxsecurity.expert/security-tools/top-100/

  15. 15 ࿅श: macͰosquery $ brew install osquery

  16. 16 ࿅श: macͰosquery chrome֦ுͳͲ·Ͱ෼͔Δ

  17. 17 LinuxͰosqueryd vim /etc/osquery/osquery.conf osqueryΛఆظ࣮ߦͯ͠ϩάʹग़ͯ͠ΈΔɹ service osqueryd restart

  18. 18 osquerydͷϩά /var/log/osquery/osqueryd.results.log ʹϩά͕JSONͰॻ͖ग़͞ΕΔ

  19. 19 audit events ֎෦ͱͷ௨৴ཤྺΛऔΔͳΒsocket_events΋ vim /etc/osquery/osquery.conf

  20. 20 audit events /etc/osquery/osquery.flags ʹҎԼΛهࡌ socket_eventsΛऔಘ͢Δ৔߹͸ ΋ඞཁ
 ʢ஫:͜ͷΦϓγϣϯΛ͚ͭΔͱCPU࢖༻཰͕૿͑Δʣ

  21. 21 process_events ϩά lsͷ࣮ߦϩά

  22. 22 socket_events ϩά

  23. 23 ϑΝΠϧ੔߹ੑ؂ࢹ ࡞੒/มߋ/࡟আΛϑΝΠϧ΍ύε୯ҐͰ؂ࢹ vim /etc/osquery/osquery.conf

  24. 24 ϑΝΠϧ੔߹ੑ؂ࢹ ϩά AIDE,OSSEC,Tripwire ͋ͨΓͷ୅ସʹͳΔ͔΋ echo “message” >> /etc/test ޙͷϩά

  25. 25 osquery ৭ʑऔΕΔ! ೝূɾૢ࡞ϩάΛऔΔ໨తͰܾΊ͚ͨͲ
 ϗετܕIDSͱͯ͠े෼ػೳͦ͠͏ υΩϡϝϯτ΋ॆ࣮ ίϚϯυ׳Εͯͳ͍ਓʹ΋࢖͍΍͍͢ʢ͔΋ʣ εέδϡʔϧ࣮ߦͰ͖Δ ݁Ռ͕JSONͰు͖ग़͞ΕΔͷͰ׆༻ָ͕ʢॏཁʣ

  26. 26 osquerydͷ࢓૊Έ(ͬ͘͟Γ) ಺෦Ͱ͸RocksDBͱ͍͏key-valueܕσʔλετΞΛར༻ https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/ osqueryd͸ఆظΫΤϦΛ࣮ߦ࣌
 લճͷ݁Ռ͕RocksDBʹ֨ೲ͞Ε͍ͯͳ͍͔νΣοΫ͢Δ ɾσʔλ͕ͳ͍৔߹ - ͢΂ͯͷߦΛදࣔ͠ɺ݁ՌΛ֨ೲ ɾҎલͷ݁Ռ͕DBʹ͋Δ৔߹

    - 2ͭͷσʔληοτΛൺֱ͠ɺࠩ෼Λग़ྗ

  27. 27 osquerydͷ࢓૊Έ(ͬ͘͟Γ) ఆظ֬ೝͷؒʹมߋͯ͠໭ͨ͠Β௨஌͞Εͳ͍ͷͰ͸ʁ ϑΝΠϧ੔߹ੑ؂ࢹʹ͍ͭͯ Event-based monitoringͳͷͰมߋͷ৘ใ͕อ࣋͞ΕΔ (fileͰ͸inotify͓ΑͼFSEventsΛ࢖༻)

  28. 28 ԿΛ؂ࢹର৅ʹ͢Δ͔(Ұྫ) ɾೝূϩάʢϩάΠϯΠϕϯτʣ ɾૢ࡞ϩά ɾ௨৴ϩά ɾϋʔυ΢ΣΞ઀ଓϩά

  29. 29 ԿΛ؂ࢹର৅ʹ͢Δ͔(୺຤) ɾChrome, firefoxͷplugin ɾ֦ுػೳʹϚϧ΢ΣΞ͕ೖΔέʔε͕ۙ೥໰୊ʹ ɾhomebrew౳ϥΠϒϥϦͷҰཡ ɹɾ༗໊ॴͱࣅ໊ͨલͷϚϧ΢ΣΞ͕npmͰݟ͔ͭΔ HTTP Headers ͱ͍͏

    5ສਓ͕࢖͍ͬͯΔ Chrome ֦ுͷϚϧ΢ΣΞٙ࿭ http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware npmjs.com Ͱஶ໊ιϑτ΢ΣΞʹΑ͘ࣅ໊ͨલͷϚϧ΢ΣΞ͕େྔʹൃݟ͞Εͨ http://gfx.hatenablog.com/entry/2017/08/02/131537

  30. 30 Pack osquery_monitoring it_compliance, incident_response osx-attacks, vuln-management osqueryʹ͸ΫΤϦύοΫ΋༻ҙ͞Ε͍ͯΔ hardware-monitoring

  31. 31 osquery.conf ઃఆྫ ·ͣ͸Pack + ࢖͏ͱ͜Ζ͔Β

  32. 32 Logrotate΋๨Εͣʹ ݁ߏͳϩάͷྔʹͳΔͷͰɺlogrotate͸ඞཁ /etc/logrotate.d/osqueryd dailyͩͱਏ͍͜ͱ΋͋ΔͷͰhourly͕ྑ͍͔΋

  33. 33 ϩάΛूΊΔ S3

  34. 34 FluentdͰύʔε JSONͳͷͰfluentdͰͷύʔε͕؆୯

  35. 35 Elasticsearch΁ϩάอଘ

  36. 36 ϢʔβͷίϚϯυཤྺ

  37. 37 sshdϩάΠϯࢼߦ

  38. 38 ϩάͷ࢖͍ํɺӡ༻ ElasticsearchʹϩάೖΕ͓͚ͯ͹ɺ Elastalert΍WatcherΛར༻ͯ͠ ҟৗͳૢ࡞΍஫ҙ͕ඞཁͳίϚϯυΛݕࡧ/௨஌Մೳʹ

  39. 39 νϟοτπʔϧʹ௨஌ ϩάΠϯΠϕϯτΛSlackʹ௨஌͢Δ ௨஌͕͋ͬͨΒ࣮ߦऀ͕֬ೝίϝϯτ͢Δ͜ͱͰ ͩΕ͕ɾ͍ͭɾͲ͏͍͏໨తͰαʔόૢ࡞͍ͯ͠Δ͔
 ৘ใڞ༗ͱ(Ұछͷ)ଟཁૉೝূ͕Ͱ͖Δ

  40. 40 ஫ҙ఺ͳͲ ɾosqueryͷ։ൃ͸׆ൃ ɹɾҎલ͸Disk IO͕૿͑Δόά͕͋ͬͨ(मਖ਼ࡁ) ɾϝϞϦ͸100MB΄Ͳফඅ ɾsocket؂ࢹΛ༗ޮʹ͢ΔͱCPUΛফඅ(5%ఔ౓?) ɾosqueryd͸εέδϡʔϧํࣜ ɹɾϩάॻ͖ग़͠Ͱ׬શੑ͸গ͠ऑ͍ ɹɾgo-auditͳͲπʔϧΛ૊Έ߹Θͤͯ࢖͍·͠ΐ͏

  41. 41 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  42. 42 OSS osqueryͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  43. 43 ·ͱΊ ɾηΩϡϦςΟӡ༻ෛՙ͕গͳ͍ܗͰશମઃܭ͢Δ ɾ༏ઌ౓ͷߴ͍ϩά͔Β׆༻͍ͯ͘͠ ɾϩάͷվ͟Μ΍ϩετΛճආ͢Δػߏ΋ݕ౼͠Α͏ ɾ߈ܸͷ༧๷΍෮چ΁ͷखॱཱ֬΋େ੾

  44. 44 osquery͸ۜͷ஄ؙͰ͸ͳ͍ ૊Έ߹Θͤͯར༻͠·͠ΐ͏ osqueryೖΕͯOKͰ͸ͳ͘

  45. 45 osquery ೔ຊͰ΋࢖͍͖ͬͯ·͠ΐ͏