
BruCON 2015 Workshop: Intrusion detection on Linux and OS X with osquery


osquery is an instrumentation framework for OS X and Linux. It exposes low-level operating system information as virtual SQL “tables” and queries can be grouped in “packs”. This is a multi-part workshop focusing on how Facebook uses osquery for incident response and intrusion detection, recommended deployment, and how attendees can build new features. Workshop attendees will use a compromised Linux server and example log aggregator to detect a rootkit and continuously monitor for similar attacks.

Javier Marcos

October 08, 2015


Transcript

  1. what is osquery? Explore your operating system using SQL
     Host visibility motivated by intrusion detection
     100% OS API usage, no fork/execve
     Facebook’s host intrusion detection agent
     • https://github.com/facebook/osquery
     • https://osquery.io
     • https://osquery.readthedocs.org
  2. why SQL? SELECT pid, name, uid FROM processes
     OS concepts are shared on Mac, Linux, and Windows
     the “concepts” have attributes: user ids, process ids, descriptors, ports, paths
     most developers and administrators know SQL
  3. why SQL?
     SELECT pid, name, username
     FROM processes
     JOIN users ON processes.uid = users.uid   [join]
     WHERE processes.uid != 0                  [attribute]
     (uid is qualified in the WHERE clause because both joined tables carry a uid column and an unqualified reference is ambiguous to SQLite)
  4. download and install osquery: https://osquery.io/downloads
     OS X 10.9, 10.10, 10.11
     CentOS 6.6 or 7.1
     Ubuntu 12.04 or 14.04
     if you do not have access to any locally, let us know
     Start a Vagrant (Ubuntu 14.04): https://goo.gl/D2Owus
  5. The most value comes from the osqueryd daemon
     This uses a JSON-config to set options and define a schedule
     Config:
       {
         "options": {
           "host_identifier": "hostname",
           "logger_path": "/tmp"
         },
         "schedule": {
           "usb_devices": {
             "query": "SELECT * FROM usb_devices",
             "interval": 10
           }
         }
       }
     Log (single line):
       {"name": "usb_devices", "hostIdentifier": "reed-mbp.local", "unixTime": "1444120356", "columns": {"model": "USB Laser Mouse", "model_id": "c069", "vendor": "Logitech", "vendor_id": "046d"}, "action": "added"}
  6. The most value comes from the osqueryd daemon
     This uses a JSON-config to set options and define a schedule
     The schedule is a set of QUERY and INTERVAL pairs
     The logs are changes in the output of the queries
     These queries can be organized into packs, and distributed alongside the osquery package or internally
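The following is an added example, not code from the slides or from the osquery project, that ties slides 2–3 (SQL over OS "tables") to slides 5–6 (a scheduled query whose changes are logged). It mimics osqueryd in miniature: the `processes` and `users` tables are constructed SQLite tables standing in for osquery's virtual tables, the scheduled query is the JOIN from slide 3, and each run is diffed against the previous snapshot so that only "added" and "removed" rows are written, one JSON object per line, in the shape of the usb_devices log on slide 5. The query name `non_root_processes`, the host name and the sample rows are assumptions made for this example.

```python
import json
import sqlite3
import time

# Constructed sample rows standing in for osquery's virtual tables
# (osquery is built on SQLite, so plain SQLite can mimic the schema).
PROCESSES = [
    (1, "launchd", 0),
    (512, "sshd", 0),
    (613, "bash", 501),
    (777, "osqueryd", 0),
]
USERS = [(0, "root"), (501, "reed")]

# The schedule, mirroring the JSON config shape from the slides.
# "non_root_processes" is a name chosen for this example.
SCHEDULE = {
    "non_root_processes": {
        "query": "SELECT pid, name, username FROM processes "
                 "JOIN users ON processes.uid = users.uid "
                 "WHERE processes.uid != 0",
        "interval": 10,
    }
}


def build_db(processes):
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, uid INTEGER)")
    conn.execute("CREATE TABLE users (uid INTEGER, username TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", processes)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def run_query(conn, sql):
    """Run one scheduled query and return rows as a list of column dicts."""
    cur = conn.execute(sql)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def diff_results(previous, current):
    """osqueryd logs only changes: rows present now but not before are
    'added', rows present before but gone now are 'removed'."""
    prev_keys = {json.dumps(r, sort_keys=True) for r in previous}
    cur_keys = {json.dumps(r, sort_keys=True) for r in current}
    added = [json.loads(k) for k in sorted(cur_keys - prev_keys)]
    removed = [json.loads(k) for k in sorted(prev_keys - cur_keys)]
    return added, removed


def log_lines(name, added, removed, host="lab-host.example", now=None):
    """Render each change as one single-line JSON result in the shape
    shown on the slides (name, hostIdentifier, unixTime, columns, action).
    Column values are strings, as osqueryd writes them."""
    ts = str(int(now if now is not None else time.time()))
    lines = []
    for action, rows in (("added", added), ("removed", removed)):
        for row in rows:
            lines.append(json.dumps({
                "name": name, "hostIdentifier": host, "unixTime": ts,
                "columns": {k: str(v) for k, v in row.items()},
                "action": action,
            }, sort_keys=True))
    return lines


def simulate_two_runs():
    """First run: there is no previous snapshot, so every row is logged as
    'added'. Second run, after one non-root process exits and a new one
    appears: only the delta is logged."""
    sql = SCHEDULE["non_root_processes"]["query"]
    first = run_query(build_db(PROCESSES), sql)
    lines = log_lines("non_root_processes", *diff_results([], first),
                      now=1444120356)
    later = [p for p in PROCESSES if p[1] != "bash"] + [(901, "nc", 501)]
    second = run_query(build_db(later), sql)
    lines += log_lines("non_root_processes", *diff_results(first, second),
                       now=1444120366)
    return lines


if __name__ == "__main__":
    for line in simulate_two_runs():
        print(line)
```

Run it and three log lines come out: the bash process as "added" on the first run, then nc "added" and bash "removed" on the second. That differential is why the daemon's log volume stays small even with short intervals, and why a consumer only ever sees state transitions rather than full inventories.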
  7. Now write a small config to /tmp/config.json
     When starting a “standalone” osqueryd we need to change several options
  8. On OS X use /var/osquery/osquery.example.conf
     sudo cp /var/osquery/com.facebook.osqueryd.plist /Library/LaunchDaemons
     sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
     (errata: the daemon reads /var/osquery/osquery.conf, so copy the example config to that path before loading the LaunchDaemon)
  9. osquery + logstash forwarder + ELK
     what can you do with all the logs?
     ELK - Elasticsearch - Logstash - Kibana
     each monitored host runs a logstash-forwarder that ships the osquery logs to the ELK server
  10. logstash forwarder client configuration
      logstash-forwarder.conf:
        {
          "network": {
            "servers": [ "LOGSTASH_SERVER_IP:LOGSTASH_SERVER_PORT" ],
            "ssl ca": "/path/to/logstash-forwarder.crt",
            "timeout": 15
          },
          "files": [
            {
              "paths": [ "/var/log/osquery/osqueryd.results.log" ],
              "fields": { "type": "osquery_json" }
            }
          ]
        }
  11. logstash server configuration
      01-lumberjack-input.conf:
        input {
          lumberjack {
            port => 5000
            type => "logs"
            ssl_certificate => "/path/to/file.crt"
            ssl_key => "/path/to/file.key"
            codec => "json"
          }
        }
      10-osquery.conf:
        filter {
          if [type] == "osquery_json" {
            json { source => "message" }
            date { match => [ "unixTime", "UNIX" ] }
          }
        }
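Added example (not part of the workshop material or of logstash) showing the consumer side of the pipeline above: it does in Python what the logstash filter does to each `osquery_json` line, parsing the JSON and turning `unixTime` into a timestamp, and then applies a couple of simple detection rules of the kind a Kibana search or alert would express. The sample log lines are constructed (the usb_devices line copies the slide's example, the `non_root_processes` query name, the process rows and the `EXPECTED_PROCESSES` baseline are assumptions for this example); the deliberately malformed last line shows that one bad line must not stop the pipeline.

```python
import json
from datetime import datetime, timezone

# Constructed osqueryd.results.log content: one JSON object per line, in the
# single-line shape the daemon writes and logstash-forwarder ships as
# type "osquery_json". The last line is deliberately malformed.
SAMPLE_LOG = """\
{"name": "usb_devices", "hostIdentifier": "reed-mbp.local", "unixTime": "1444120356", "columns": {"model": "USB Laser Mouse", "model_id": "c069", "vendor": "Logitech", "vendor_id": "046d"}, "action": "added"}
{"name": "non_root_processes", "hostIdentifier": "lab-ubuntu14-1", "unixTime": "1444120366", "columns": {"pid": "901", "name": "nc", "username": "reed"}, "action": "added"}
{"name": "non_root_processes", "hostIdentifier": "lab-ubuntu14-1", "unixTime": "1444120366", "columns": {"pid": "613", "name": "bash", "username": "reed"}, "action": "removed"}
not json at all
"""


def parse_event(line):
    """Mirror the logstash filter: json { source => "message" } followed by
    date { match => ["unixTime", "UNIX"] }. Malformed lines return None
    instead of raising, because a log pipeline has to keep going."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "unixTime" not in event:
        return None
    ts = datetime.fromtimestamp(int(event["unixTime"]), tz=timezone.utc)
    event["@timestamp"] = ts.isoformat()
    return event


# Baseline of process names expected on the lab hosts (an assumption made
# for this example; a real baseline comes from the fleet's own inventory).
EXPECTED_PROCESSES = {"bash", "sshd", "osqueryd"}

# Detection rules keyed by scheduled-query name: predicate over
# (action, columns). Illustrative rules for this example only.
RULES = {
    # any newly attached USB device is worth a look
    "usb_devices": lambda action, cols: action == "added",
    # a non-root process appearing that is not in the baseline
    "non_root_processes": lambda action, cols: (
        action == "added" and cols.get("name") not in EXPECTED_PROCESSES
    ),
}


def detect(log_text):
    """Run every parsed event through the rule for its query name.
    Returns (alerts, malformed_line_count)."""
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            malformed += 1
            continue
        rule = RULES.get(event.get("name"))
        if rule and rule(event.get("action"), event.get("columns", {})):
            alerts.append({
                "host": event.get("hostIdentifier"),
                "time": event["@timestamp"],
                "query": event["name"],
                "detail": event.get("columns", {}),
            })
    return alerts, malformed


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG)
    for alert in found:
        print(json.dumps(alert))
    print(f"{bad} malformed line(s) skipped")
```

On the sample input this yields two alerts (the USB mouse and the unexpected `nc` process) and skips one malformed line; the "removed" bash event matches no rule. Keying rules on the query name is the same idea as the `if [type] == "osquery_json"` branch in the logstash filter: the scheduled query's name travels with every result line, so the consumer never has to re-derive what was asked.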
  12. configuration docs https://osquery.readthedocs.org/en/stable/deployment/configuration/
      All osquery docs are kept in the GitHub repo and hosted using RTD
      https://github.com/facebook/osquery/tree/master/docs/wiki
  13. AWS lab
      Log into an AWS node (all hosts are under .osquery.io)
      Ubuntu14 machines, username is ubuntu: lab-ubuntu14-1, lab-ubuntu14-2, lab-ubuntu14-3, lab-ubuntu14-4, lab-ubuntu14-5
      CentOS7 machines, username is centos: lab-centos7-1, lab-centos7-2, lab-centos7-3, lab-centos7-4, lab-centos7-5
      User passwords are handed out in the workshop
  14. AWS lab
      Verify that osqueryd is running
      Inspect the config: /etc/osquery/osquery.conf
      Use Kibana to detect your actions and try to find the Azazel rootkit and a host with a simple rootkit
      https://lab.osquery.io (only available during the workshop)
  15. all development happens in the open, on GitHub
      work on osquery with us
      the problem that osquery solves isn't unique to Facebook
      • https://github.com/facebook/osquery
      • https://osquery.io
      • https://osquery.readthedocs.org
      ➡ @osquery ➡ @teddyreedv ➡ @javutin