Upgrade to Pro — share decks privately, control downloads, hide ads and more …

BruCON 2015 Workshop: Intrusion detection on Li...

BruCON 2015 Workshop: Intrusion detection on Linux and OS X with osquery

osquery is an instrumentation framework for OS X and Linux. It exposes low-level operating system information as virtual SQL “tables” and queries can be grouped in “packs”. This is a multi-part workshop focusing on how Facebook uses osquery for incident response and intrusion detection, recommended deployment, and how attendees can build new features. Workshop attendees will use a compromised Linux server and example log aggregator to detect a rootkit and continuously monitor for similar attacks.

Javier Marcos

October 08, 2015
Tweet

More Decks by Javier Marcos

Other Decks in Technology

Transcript

  1. what is osquery? Explore your operating system using SQL Host

    visibility motivated by intrusion detection 100% OS API usage, no fork execve Facebook’s host intrusion detection agent •https://github.com/facebook/osquery •https://osquery.io •https://osquery.readthedocs.org
  2. why SQL? SELECT pid, name, uid FROM processes OS concepts

    are shared on Mac, Linux, and Windows the “concepts” have attributes: user ids, process ids, descriptors, ports, paths most developers and administrators know SQL
  3. why SQL? JOIN users ON processes.uid=users.uid SELECT pid, name, username

    FROM processes WHERE uid != 0 [join] [attribute]
  4. download and install osquery: https://osquery.io/downloads OS X 10.9, 10.10, 10.11

    CentOS 6.6 or 7.1 Ubuntu 12.04 or 14.04 if you do not have access to any locally, let us know Start a Vagrant (Ubuntu 14.04): https://goo.gl/D2Owus
  5. The most value comes from the osqueryd daemon This uses

    a JSON-config to set options and define a schedule { "options": { "host_identifier": "hostname", "logger_path": "/tmp" }, "schedule": { "usb_devices": { "query": "SELECT * FROM usb_devices", "interval": 10 } } } { "name": "usb_devices", "hostIdentifier": "reed-mbp.local", "unixTime": "1444120356", "columns": { "model": "USB Laser Mouse", "model_id": "c069", "vendor": "Logitech", "vendor_id": "046d" }, "action": "added" } Config: Log (single line):
  6. The most value comes from the osqueryd daemon This uses

    a JSON-config to set options and define a schedule The schedule is a set of QUERY and INTERVAL pairs The logs are changes in the output of the queries These queries can be organized into packs, and distributed alongside the osquery package or internally
  7. Now write a small config to /tmp/config.json When starting a

    “standalone” osqueryd we need 
 to change several options
  8. On OS X use /var/osquery/osquery.example.conf sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist sudo

    cp /var/osquery/com.facebook.osqueryd.plist /Library/LaunchDaemons /osquery.conf (errata)
  9. osquery + logstash forwarder + ELK what can you do

    with all the logs? ELK - Elastic Search - Logstash - Kibana logstash-forwarder logstash-forwarder logstash-forwarder
  10. logstash forwarder client configuration logstash-forwarder.conf { “network”: { “servers”: [

    “LOGSTASH_SERVER_IP:LOGSTASH_SERVER_PORT” ], "ssl ca": “/path/to/logstash-forwarder.crt”, "timeout": 15 }, "files": [ { "paths": [ “/var/log/osquery/osqueryd.results.log” ], "fields": { "type": "osquery_json" } } ] }
  11. logstash server configuration 01-lumberjack-input.conf: input { lumberjack { port =>

    5000 type => "logs" ssl_certificate => “/path/to/file.crt” ssl_key => “/path/tofile.key” codec => “json” } } 10-osquery.conf filter { if [type] == "osquery_json" { json { source => "message" } date { match => [ "unixTime", "UNIX" ] } } }
  12. configuration docs https://osquery.readthedocs.org/en/stable/deployment/configuration/ All osquery docs kept in the Github

    repo and hosted using RTD https://github.com/facebook/osquery/tree/master/docs/wiki
  13. AWS lab Log into an AWS node: Ubuntu14 machines username

    is ubuntu
 CentOS7 machines username is centos lab-centos7-1
 lab-centos7-2
 lab-centos7-3
 lab-centos7-4
 lab-centos7-5 lab-ubuntu14-1
 lab-ubuntu14-2
 lab-ubuntu14-3
 lab-ubuntu14-4
 lab-ubuntu14-5 .osquery.io User passwords are handed out in the workshop
  14. AWS lab Verify that osqueryd is running Inspect the config:

    /etc/osquery/osquery.conf Use Kibana to detect your actions and try to find the Azazel and a host with a simple rootkit https://lab.osquery.io only available during the workshop
  15. all development happens in the open, on GitHub work on

    osquery with us the problem that osquery solves isn't unique to Facebook •https://github.com/facebook/osquery •https://osquery.io •https://osquery.readthedocs.org ➡@osquery ➡@teddyreedv ➡@javutin