Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017
Search
bungoume
August 05, 2017
Technology
29
11k
OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017
osqueryの紹介
https://builderscon.io/tokyo/2017/session/ce1bf3ee-33bd-4899-897d-ba3c4364c1c5
bungoume
August 05, 2017
Tweet
Share
More Decks by bungoume
See All by bungoume
djangocongressjp2023_password_hash
bungoume
2
1.4k
日経電子版でのDjango活用事例紹介 / djangocongressjp2022-nikkei
bungoume
4
6.1k
CircleCIの活用事例とCI高速化/circleci-community-meetup3-speedup
bungoume
3
1.5k
Password Hashing djangocongress 20180519
bungoume
5
4.1k
日経電子版のアプリ開発を支えるログ活用術/nikkei-log-201609
bungoume
1
1.4k
Kibanaで秒間1万件のアクセスを可視化した話/nikkei-kibana-loganalyst2015
bungoume
20
17k
uwsgi-docker-pycon2015
bungoume
10
60k
Ansibleを結構使ってみた/ansible-nikkei-2015
bungoume
32
15k
Dynamic Inventoryと参照変数
bungoume
2
4.9k
Other Decks in Technology
See All in Technology
stupid jj tricks
indirect
0
7.9k
PLaMoの事後学習を支える技術 / PFN LLMセミナー
pfn
PRO
9
3.8k
Function calling機能をPLaMo2に実装するには / PFN LLMセミナー
pfn
PRO
0
920
英語は話せません!それでも海外チームと信頼関係を作るため、対話を重ねた2ヶ月間のまなび
niioka_97
0
110
生成AIを活用したZennの取り組み事例
ryosukeigarashi
0
200
生成AIとM5Stack / M5 Japan Tour 2025 Autumn 東京
you
PRO
0
210
生成AIで「お客様の声」を ストーリーに変える 新潮流「Generative ETL」
ishikawa_satoru
1
310
自動テストのコストと向き合ってみた
qa
0
110
多様な事業ドメインのクリエイターへ 価値を届けるための営みについて
massyuu
0
110
定期的な価値提供だけじゃない、スクラムが導くチームの共創化 / 20251004 Naoki Takahashi
shift_evolve
PRO
3
300
いま注目しているデータエンジニアリングの論点
ikkimiyazaki
0
590
組織観点からIAM Identity CenterとIAMの設計を考える
nrinetcom
PRO
1
170
Featured
See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
Why Our Code Smells
bkeepers
PRO
339
57k
Git: the NoSQL Database
bkeepers
PRO
431
66k
How to train your dragon (web standard)
notwaldorf
96
6.3k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
850
Imperfection Machines: The Place of Print at Facebook
scottboms
269
13k
Building Applications with DynamoDB
mza
96
6.6k
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.9k
How STYLIGHT went responsive
nonsquared
100
5.8k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Transcript
1 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017
2 ࣗݾհ ക࡚ɹ༟ར (Yuri Umezaki) DevOps: ϩάੳɾݕࡧAPIɾΠϯϑϥཧ Python, Elasticsearch, Docker
3 Ξϯέʔτ ɾ։ൃऀ ɾӡ༻ɺΠϯϑϥཧऀ ɾηΩϡϦςΟΤϯδχΞ ͋ͳͨͷۀʹ͍ۙͷ
4 ηΩϡϦςΟڴҖ վ͟Μɾใྲྀग़ ϥϯαϜΣΞ etc… ɾ෦ෆਖ਼ ɹ(ૢ࡞ϛε) ϑΝΠΞΥʔϧ IDS/IPS/WAF αʔό(ػີσʔλ)
੬ ऑ ੑ ͳͲ ɾ֎෦߈ܸ ڴҖ֎෦ͱ෦ ྆ํʹજΉ
ɾࢭɿࢥ͍ͱͲ·ΒͤΔ 5 ηΩϡϦςΟରࡦͷྨ ɾ༧ɿΞΫηε੍ޚͳͲ ɾݕɿΛݕग़ɺ෮چͷख͕͔ΓΛه ɾ෮چɿෆਖ਼ͷ͋ͬͨલʹ͢ Ұൠʹ4ͭʹྨ ࢭɾ༧ͱ͍ͬͨޚͷରࡦ͕ଟ͍
6 ৵ೖͷؾ͖ͮํ ɾࣾͷਓ͕ෆ৹ͳʹؾ͘ ɾ֎෦ͷͳϗϫΠτϋοΧʔ͔Βͷ࿈བྷ ɾϢʔβ͔Βͷ͍߹ΘͤͰൃ֮ ɾ߈ܸऀ͕ࣗڭ͑ͯ͘ΕΔ ← ͕֎෦͔Βͷࢦఠ*ͱ͍͏ * FireEye
M-Trends 2017: ηΩϡϦςΟ৵͓ΑͼαΠόʔ߈ܸͷؒτϨϯυ https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html
7 ֎෦߈ܸͷݕग़ ɾΞΫηεϩάIDSͰෆ৹ͳ௨৴Λݕग़ ɾϗετܕηΩϡϦςΟͰݕ ֎ͱαʔόͷதؒͰ͋ΔఔकΒΕ͍ͯΔ ࠷ޙϗετʢαʔόࣗମʣͰݕग़͢Δ͔͠ͳ͍ αʔόͰ࠷ݶͷϩάऩू͓͖͍ͯͨ͠
8 ෦ෆਖ਼ͷݕग़ ɾ୭͕͍ͭαʔόʹϩάΠϯ͍ͯ͠Δ͔ ɾαʔόͰԿΛ͍ͯ͠Δ͔(ૢ࡞ϩά) γεςϜཧऀͷೝূϩά͕ॏཁ ·ͣαʔόͰͷೝূɾૢ࡞ϩάΛऩू͍ͨ͠
9 ૢ࡞ϩάͲ͏औΔʁ ɾbash history ɾscriptίϚϯυ ɾpsacct ɾaudit ؆୯ʹهఀࢭɾॻ͖͑Ͱ͖ͯ͠·͏ ҾͳͲ͕֬ೝͰ͖ͳ͍,ίϚϯυ੍໊ݶ ࠪϩάͱͯ͠ྑͦ͞͏
10 audit log # systemctl start auditd # auditctl -a
always,exit -F arch=b64 -S execve ls ͚ͩͰෳߦϩά͕ग़Δ ύʔε͠ʹ͍͘… /var/log/audit/audit.log
11 audit logΛ׆༻͍ͨ͠ ɾgo-audit SlackͷauditlogΛ͍͍ײ͡ʹύʔε͢Δπʔϧ ɾElastic Beats Filebeat 5.4(2017/5/4) ΑΓauditlogͷύʔαՃ!
ɾosquery ↑ࠓճ͜Ε ࢲͷ͍ͬͯΔൣғͰҎԼͷύʔα͕ศརͦ͏
12 osquery FacebookͷϚγϯঢ়گ֬ೝπʔϧ ɾSQLͰ࣮ߦதͷϓϩηεɺϩάΠϯঢ়گͳͲ͕֬ೝͰ͖Δ osqueryi ɾεέδϡʔϧ࣮ߦͰϩάΛग़͠ɺࢹʹར༻Ͱ͖Δ osqueryd ɾLinux͚ͩͰͳ͘ɺwindows, macͰར༻Մೳ :
OSʹΑͬͯऔΕͳ͍छྨ͕͋Γ·͢ɻaudit eventsUbuntu,CentOSͷΈ
13 osquery 2017/8/3 ݱࡏ githubͷstar9501 Linux Security Tools (Top 100)
*ͷ10൪ʹհ * https://linuxsecurity.expert/security-tools/top-100/
14 Linux Security Tools (Top 100) * https://linuxsecurity.expert/security-tools/top-100/
15 ࿅श: macͰosquery $ brew install osquery
16 ࿅श: macͰosquery chrome֦ுͳͲ·Ͱ͔Δ
17 LinuxͰosqueryd vim /etc/osquery/osquery.conf osqueryΛఆظ࣮ߦͯ͠ϩάʹग़ͯ͠ΈΔɹ service osqueryd restart
18 osquerydͷϩά /var/log/osquery/osqueryd.results.log ʹϩά͕JSONͰॻ͖ग़͞ΕΔ
19 audit events ֎෦ͱͷ௨৴ཤྺΛऔΔͳΒsocket_events vim /etc/osquery/osquery.conf
20 audit events /etc/osquery/osquery.flags ʹҎԼΛهࡌ socket_eventsΛऔಘ͢Δ߹ ඞཁ ʢ:͜ͷΦϓγϣϯΛ͚ͭΔͱCPU༻͕૿͑Δʣ
21 process_events ϩά lsͷ࣮ߦϩά
22 socket_events ϩά
23 ϑΝΠϧ߹ੑࢹ ࡞/มߋ/আΛϑΝΠϧύε୯ҐͰࢹ vim /etc/osquery/osquery.conf
24 ϑΝΠϧ߹ੑࢹ ϩά AIDE,OSSEC,Tripwire ͋ͨΓͷସʹͳΔ͔ echo “message” >> /etc/test ޙͷϩά
25 osquery ৭ʑऔΕΔ! ೝূɾૢ࡞ϩάΛऔΔతͰܾΊ͚ͨͲ ϗετܕIDSͱͯ͠ेػೳͦ͠͏ υΩϡϝϯτॆ࣮ ίϚϯυ׳Εͯͳ͍ਓʹ͍͍͢ʢ͔ʣ εέδϡʔϧ࣮ߦͰ͖Δ ݁Ռ͕JSONͰు͖ग़͞ΕΔͷͰ׆༻ָ͕ʢॏཁʣ
26 osquerydͷΈ(ͬ͘͟Γ) ෦ͰRocksDBͱ͍͏key-valueܕσʔλετΞΛར༻ https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/ osquerydఆظΫΤϦΛ࣮ߦ࣌ લճͷ݁Ռ͕RocksDBʹ֨ೲ͞Ε͍ͯͳ͍͔νΣοΫ͢Δ ɾσʔλ͕ͳ͍߹ - ͯ͢ͷߦΛදࣔ͠ɺ݁ՌΛ֨ೲ ɾҎલͷ݁Ռ͕DBʹ͋Δ߹
- 2ͭͷσʔληοτΛൺֱ͠ɺࠩΛग़ྗ
27 osquerydͷΈ(ͬ͘͟Γ) ఆظ֬ೝͷؒʹมߋͯͨ͠͠Β௨͞Εͳ͍ͷͰʁ ϑΝΠϧ߹ੑࢹʹ͍ͭͯ Event-based monitoringͳͷͰมߋͷใ͕อ࣋͞ΕΔ (fileͰinotify͓ΑͼFSEventsΛ༻)
28 ԿΛࢹରʹ͢Δ͔(Ұྫ) ɾೝূϩάʢϩάΠϯΠϕϯτʣ ɾૢ࡞ϩά ɾ௨৴ϩά ɾϋʔυΣΞଓϩά
29 ԿΛࢹରʹ͢Δ͔() ɾChrome, firefoxͷplugin ɾ֦ுػೳʹϚϧΣΞ͕ೖΔέʔε͕ۙʹ ɾhomebrewϥΠϒϥϦͷҰཡ ɹɾ༗໊ॴͱࣅ໊ͨલͷϚϧΣΞ͕npmͰݟ͔ͭΔ HTTP Headers ͱ͍͏
5ສਓ͕͍ͬͯΔ Chrome ֦ுͷϚϧΣΞٙ http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware npmjs.com Ͱஶ໊ιϑτΣΞʹΑ͘ࣅ໊ͨલͷϚϧΣΞ͕େྔʹൃݟ͞Εͨ http://gfx.hatenablog.com/entry/2017/08/02/131537
30 Pack osquery_monitoring it_compliance, incident_response osx-attacks, vuln-management osqueryʹΫΤϦύοΫ༻ҙ͞Ε͍ͯΔ hardware-monitoring
31 osquery.conf ઃఆྫ ·ͣPack + ͏ͱ͜Ζ͔Β
32 LogrotateΕͣʹ ݁ߏͳϩάͷྔʹͳΔͷͰɺlogrotateඞཁ /etc/logrotate.d/osqueryd dailyͩͱਏ͍͜ͱ͋ΔͷͰhourly͕ྑ͍͔
33 ϩάΛूΊΔ S3
34 FluentdͰύʔε JSONͳͷͰfluentdͰͷύʔε͕؆୯
35 Elasticsearchϩάอଘ
36 ϢʔβͷίϚϯυཤྺ
37 sshdϩάΠϯࢼߦ
38 ϩάͷ͍ํɺӡ༻ ElasticsearchʹϩάೖΕ͓͚ͯɺ ElastalertWatcherΛར༻ͯ͠ ҟৗͳૢ࡞ҙ͕ඞཁͳίϚϯυΛݕࡧ/௨Մೳʹ
39 νϟοτπʔϧʹ௨ ϩάΠϯΠϕϯτΛSlackʹ௨͢Δ ௨͕͋ͬͨΒ࣮ߦऀ͕֬ೝίϝϯτ͢Δ͜ͱͰ ͩΕ͕ɾ͍ͭɾͲ͏͍͏తͰαʔόૢ࡞͍ͯ͠Δ͔ ใڞ༗ͱ(Ұछͷ)ଟཁૉೝূ͕Ͱ͖Δ
40 ҙͳͲ ɾosqueryͷ։ൃ׆ൃ ɹɾҎલDisk IO͕૿͑Δόά͕͋ͬͨ(मਖ਼ࡁ) ɾϝϞϦ100MB΄Ͳফඅ ɾsocketࢹΛ༗ޮʹ͢ΔͱCPUΛফඅ(5%ఔ?) ɾosquerydεέδϡʔϧํࣜ ɹɾϩάॻ͖ग़͠Ͱશੑগ͠ऑ͍ ɹɾgo-auditͳͲπʔϧΛΈ߹Θ͍ͤͯ·͠ΐ͏
41 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017
42 OSS osqueryͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017
43 ·ͱΊ ɾηΩϡϦςΟӡ༻ෛՙ͕গͳ͍ܗͰશମઃܭ͢Δ ɾ༏ઌͷߴ͍ϩά͔Β׆༻͍ͯ͘͠ ɾϩάͷվ͟ΜϩετΛճආ͢Δػߏݕ౼͠Α͏ ɾ߈ܸͷ༧෮چͷखॱཱ֬େ
44 osqueryۜͷؙͰͳ͍ Έ߹Θͤͯར༻͠·͠ΐ͏ osqueryೖΕͯOKͰͳ͘
45 osquery ຊͰ͍͖ͬͯ·͠ΐ͏