Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017
Search
bungoume
August 05, 2017
Technology
29
11k
OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017
osqueryの紹介
https://builderscon.io/tokyo/2017/session/ce1bf3ee-33bd-4899-897d-ba3c4364c1c5
bungoume
August 05, 2017
Tweet
Share
More Decks by bungoume
See All by bungoume
djangocongressjp2023_password_hash
bungoume
2
1.3k
日経電子版でのDjango活用事例紹介 / djangocongressjp2022-nikkei
bungoume
4
5.7k
CircleCIの活用事例とCI高速化/circleci-community-meetup3-speedup
bungoume
3
1.5k
Password Hashing djangocongress 20180519
bungoume
5
4k
日経電子版のアプリ開発を支えるログ活用術/nikkei-log-201609
bungoume
1
1.4k
Kibanaで秒間1万件のアクセスを可視化した話/nikkei-kibana-loganalyst2015
bungoume
20
17k
uwsgi-docker-pycon2015
bungoume
10
60k
Ansibleを結構使ってみた/ansible-nikkei-2015
bungoume
32
15k
Dynamic Inventoryと参照変数
bungoume
2
4.9k
Other Decks in Technology
See All in Technology
新卒3年目の後悔〜機械学習モデルジョブの運用を頑張った話〜
kameitomohiro
0
390
BigQuery Remote FunctionでLooker Studioをインタラクティブ化
cuebic9bic
2
230
ひとり情シスなCTOがLLMと始めるオペレーション最適化 / CTO's LLM-Powered Ops
yamitzky
0
380
DenoとJSRで実現する最速MCPサーバー開発記 / Building MCP Servers at Lightning Speed with Deno and JSR
yamanoku
1
280
AWS アーキテクチャ作図入門/aws-architecture-diagram-101
ma2shita
29
9.5k
Amazon ECS & AWS Fargate 運用アーキテクチャ2025 / Amazon ECS and AWS Fargate Ops Architecture 2025
iselegant
15
4.5k
JSX - 歴史を振り返り、⾯⽩がって、エモくなろう
pal4de
3
1.1k
TechLION vol.41~MySQLユーザ会のほうから来ました / techlion41_mysql
sakaik
0
150
25分で解説する「最小権限の原則」を実現するための AWS「ポリシー」大全 / 20250625-aws-summit-aws-policy
opelab
6
710
Model Mondays S2E02: Model Context Protocol
nitya
0
190
Claude Code どこまでも/ Claude Code Everywhere
nwiizo
53
32k
Snowflake Summit 2025全体振り返り / Snowflake Summit 2025 Overall Review
mtpooh
2
200
Featured
See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
124
52k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
228
22k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.8k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
Building an army of robots
kneath
306
45k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
46
9.6k
GitHub's CSS Performance
jonrohan
1031
460k
Speed Design
sergeychernyshev
31
1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
53k
Site-Speed That Sticks
csswizardry
10
650
Practical Orchestrator
shlominoach
188
11k
Transcript
1 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017
2 ࣗݾհ ക࡚ɹ༟ར (Yuri Umezaki) DevOps: ϩάੳɾݕࡧAPIɾΠϯϑϥཧ Python, Elasticsearch, Docker
3 Ξϯέʔτ ɾ։ൃऀ ɾӡ༻ɺΠϯϑϥཧऀ ɾηΩϡϦςΟΤϯδχΞ ͋ͳͨͷۀʹ͍ۙͷ
4 ηΩϡϦςΟڴҖ վ͟Μɾใྲྀग़ ϥϯαϜΣΞ etc… ɾ෦ෆਖ਼ ɹ(ૢ࡞ϛε) ϑΝΠΞΥʔϧ IDS/IPS/WAF αʔό(ػີσʔλ)
੬ ऑ ੑ ͳͲ ɾ֎෦߈ܸ ڴҖ֎෦ͱ෦ ྆ํʹજΉ
ɾࢭɿࢥ͍ͱͲ·ΒͤΔ 5 ηΩϡϦςΟରࡦͷྨ ɾ༧ɿΞΫηε੍ޚͳͲ ɾݕɿΛݕग़ɺ෮چͷख͕͔ΓΛه ɾ෮چɿෆਖ਼ͷ͋ͬͨલʹ͢ Ұൠʹ4ͭʹྨ ࢭɾ༧ͱ͍ͬͨޚͷରࡦ͕ଟ͍
6 ৵ೖͷؾ͖ͮํ ɾࣾͷਓ͕ෆ৹ͳʹؾ͘ ɾ֎෦ͷͳϗϫΠτϋοΧʔ͔Βͷ࿈བྷ ɾϢʔβ͔Βͷ͍߹ΘͤͰൃ֮ ɾ߈ܸऀ͕ࣗڭ͑ͯ͘ΕΔ ← ͕֎෦͔Βͷࢦఠ*ͱ͍͏ * FireEye
M-Trends 2017: ηΩϡϦςΟ৵͓ΑͼαΠόʔ߈ܸͷؒτϨϯυ https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html
7 ֎෦߈ܸͷݕग़ ɾΞΫηεϩάIDSͰෆ৹ͳ௨৴Λݕग़ ɾϗετܕηΩϡϦςΟͰݕ ֎ͱαʔόͷதؒͰ͋ΔఔकΒΕ͍ͯΔ ࠷ޙϗετʢαʔόࣗମʣͰݕग़͢Δ͔͠ͳ͍ αʔόͰ࠷ݶͷϩάऩू͓͖͍ͯͨ͠
8 ෦ෆਖ਼ͷݕग़ ɾ୭͕͍ͭαʔόʹϩάΠϯ͍ͯ͠Δ͔ ɾαʔόͰԿΛ͍ͯ͠Δ͔(ૢ࡞ϩά) γεςϜཧऀͷೝূϩά͕ॏཁ ·ͣαʔόͰͷೝূɾૢ࡞ϩάΛऩू͍ͨ͠
9 ૢ࡞ϩάͲ͏औΔʁ ɾbash history ɾscriptίϚϯυ ɾpsacct ɾaudit ؆୯ʹهఀࢭɾॻ͖͑Ͱ͖ͯ͠·͏ ҾͳͲ͕֬ೝͰ͖ͳ͍,ίϚϯυ੍໊ݶ ࠪϩάͱͯ͠ྑͦ͞͏
10 audit log # systemctl start auditd # auditctl -a
always,exit -F arch=b64 -S execve ls ͚ͩͰෳߦϩά͕ग़Δ ύʔε͠ʹ͍͘… /var/log/audit/audit.log
11 audit logΛ׆༻͍ͨ͠ ɾgo-audit SlackͷauditlogΛ͍͍ײ͡ʹύʔε͢Δπʔϧ ɾElastic Beats Filebeat 5.4(2017/5/4) ΑΓauditlogͷύʔαՃ!
ɾosquery ↑ࠓճ͜Ε ࢲͷ͍ͬͯΔൣғͰҎԼͷύʔα͕ศརͦ͏
12 osquery FacebookͷϚγϯঢ়گ֬ೝπʔϧ ɾSQLͰ࣮ߦதͷϓϩηεɺϩάΠϯঢ়گͳͲ͕֬ೝͰ͖Δ osqueryi ɾεέδϡʔϧ࣮ߦͰϩάΛग़͠ɺࢹʹར༻Ͱ͖Δ osqueryd ɾLinux͚ͩͰͳ͘ɺwindows, macͰར༻Մೳ :
OSʹΑͬͯऔΕͳ͍छྨ͕͋Γ·͢ɻaudit eventsUbuntu,CentOSͷΈ
13 osquery 2017/8/3 ݱࡏ githubͷstar9501 Linux Security Tools (Top 100)
*ͷ10൪ʹհ * https://linuxsecurity.expert/security-tools/top-100/
14 Linux Security Tools (Top 100) * https://linuxsecurity.expert/security-tools/top-100/
15 ࿅श: macͰosquery $ brew install osquery
16 ࿅श: macͰosquery chrome֦ுͳͲ·Ͱ͔Δ
17 LinuxͰosqueryd vim /etc/osquery/osquery.conf osqueryΛఆظ࣮ߦͯ͠ϩάʹग़ͯ͠ΈΔɹ service osqueryd restart
18 osquerydͷϩά /var/log/osquery/osqueryd.results.log ʹϩά͕JSONͰॻ͖ग़͞ΕΔ
19 audit events ֎෦ͱͷ௨৴ཤྺΛऔΔͳΒsocket_events vim /etc/osquery/osquery.conf
20 audit events /etc/osquery/osquery.flags ʹҎԼΛهࡌ socket_eventsΛऔಘ͢Δ߹ ඞཁ ʢ:͜ͷΦϓγϣϯΛ͚ͭΔͱCPU༻͕૿͑Δʣ
21 process_events ϩά lsͷ࣮ߦϩά
22 socket_events ϩά
23 ϑΝΠϧ߹ੑࢹ ࡞/มߋ/আΛϑΝΠϧύε୯ҐͰࢹ vim /etc/osquery/osquery.conf
24 ϑΝΠϧ߹ੑࢹ ϩά AIDE,OSSEC,Tripwire ͋ͨΓͷସʹͳΔ͔ echo “message” >> /etc/test ޙͷϩά
25 osquery ৭ʑऔΕΔ! ೝূɾૢ࡞ϩάΛऔΔతͰܾΊ͚ͨͲ ϗετܕIDSͱͯ͠ेػೳͦ͠͏ υΩϡϝϯτॆ࣮ ίϚϯυ׳Εͯͳ͍ਓʹ͍͍͢ʢ͔ʣ εέδϡʔϧ࣮ߦͰ͖Δ ݁Ռ͕JSONͰు͖ग़͞ΕΔͷͰ׆༻ָ͕ʢॏཁʣ
26 osquerydͷΈ(ͬ͘͟Γ) ෦ͰRocksDBͱ͍͏key-valueܕσʔλετΞΛར༻ https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/ osquerydఆظΫΤϦΛ࣮ߦ࣌ લճͷ݁Ռ͕RocksDBʹ֨ೲ͞Ε͍ͯͳ͍͔νΣοΫ͢Δ ɾσʔλ͕ͳ͍߹ - ͯ͢ͷߦΛදࣔ͠ɺ݁ՌΛ֨ೲ ɾҎલͷ݁Ռ͕DBʹ͋Δ߹
- 2ͭͷσʔληοτΛൺֱ͠ɺࠩΛग़ྗ
27 osquerydͷΈ(ͬ͘͟Γ) ఆظ֬ೝͷؒʹมߋͯͨ͠͠Β௨͞Εͳ͍ͷͰʁ ϑΝΠϧ߹ੑࢹʹ͍ͭͯ Event-based monitoringͳͷͰมߋͷใ͕อ࣋͞ΕΔ (fileͰinotify͓ΑͼFSEventsΛ༻)
28 ԿΛࢹରʹ͢Δ͔(Ұྫ) ɾೝূϩάʢϩάΠϯΠϕϯτʣ ɾૢ࡞ϩά ɾ௨৴ϩά ɾϋʔυΣΞଓϩά
29 ԿΛࢹରʹ͢Δ͔() ɾChrome, firefoxͷplugin ɾ֦ுػೳʹϚϧΣΞ͕ೖΔέʔε͕ۙʹ ɾhomebrewϥΠϒϥϦͷҰཡ ɹɾ༗໊ॴͱࣅ໊ͨલͷϚϧΣΞ͕npmͰݟ͔ͭΔ HTTP Headers ͱ͍͏
5ສਓ͕͍ͬͯΔ Chrome ֦ுͷϚϧΣΞٙ http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware npmjs.com Ͱஶ໊ιϑτΣΞʹΑ͘ࣅ໊ͨલͷϚϧΣΞ͕େྔʹൃݟ͞Εͨ http://gfx.hatenablog.com/entry/2017/08/02/131537
30 Pack osquery_monitoring it_compliance, incident_response osx-attacks, vuln-management osqueryʹΫΤϦύοΫ༻ҙ͞Ε͍ͯΔ hardware-monitoring
31 osquery.conf ઃఆྫ ·ͣPack + ͏ͱ͜Ζ͔Β
32 LogrotateΕͣʹ ݁ߏͳϩάͷྔʹͳΔͷͰɺlogrotateඞཁ /etc/logrotate.d/osqueryd dailyͩͱਏ͍͜ͱ͋ΔͷͰhourly͕ྑ͍͔
33 ϩάΛूΊΔ S3
34 FluentdͰύʔε JSONͳͷͰfluentdͰͷύʔε͕؆୯
35 Elasticsearchϩάอଘ
36 ϢʔβͷίϚϯυཤྺ
37 sshdϩάΠϯࢼߦ
38 ϩάͷ͍ํɺӡ༻ ElasticsearchʹϩάೖΕ͓͚ͯɺ ElastalertWatcherΛར༻ͯ͠ ҟৗͳૢ࡞ҙ͕ඞཁͳίϚϯυΛݕࡧ/௨Մೳʹ
39 νϟοτπʔϧʹ௨ ϩάΠϯΠϕϯτΛSlackʹ௨͢Δ ௨͕͋ͬͨΒ࣮ߦऀ͕֬ೝίϝϯτ͢Δ͜ͱͰ ͩΕ͕ɾ͍ͭɾͲ͏͍͏తͰαʔόૢ࡞͍ͯ͠Δ͔ ใڞ༗ͱ(Ұछͷ)ଟཁૉೝূ͕Ͱ͖Δ
40 ҙͳͲ ɾosqueryͷ։ൃ׆ൃ ɹɾҎલDisk IO͕૿͑Δόά͕͋ͬͨ(मਖ਼ࡁ) ɾϝϞϦ100MB΄Ͳফඅ ɾsocketࢹΛ༗ޮʹ͢ΔͱCPUΛফඅ(5%ఔ?) ɾosquerydεέδϡʔϧํࣜ ɹɾϩάॻ͖ग़͠Ͱશੑগ͠ऑ͍ ɹɾgo-auditͳͲπʔϧΛΈ߹Θ͍ͤͯ·͠ΐ͏
41 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017
42 OSS osqueryͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017
43 ·ͱΊ ɾηΩϡϦςΟӡ༻ෛՙ͕গͳ͍ܗͰશମઃܭ͢Δ ɾ༏ઌͷߴ͍ϩά͔Β׆༻͍ͯ͘͠ ɾϩάͷվ͟ΜϩετΛճආ͢Δػߏݕ౼͠Α͏ ɾ߈ܸͷ༧෮چͷखॱཱ֬େ
44 osqueryۜͷؙͰͳ͍ Έ߹Θͤͯར༻͠·͠ΐ͏ osqueryೖΕͯOKͰͳ͘
45 osquery ຊͰ͍͖ͬͯ·͠ΐ͏