325 - USENIX (slide transcript)
Building Useful Security Infrastructure for Free
Now with more Madness!!
Who am I?
• Brad Lhotsky, Recovering Perl Programmer
• “Information Security Manager”
• System Administrator
• Database Administrator
• Keeper of the Codes
• Raptor Herder
Who are YOU?
Disclaimer: The views presented here almost certainly do not reflect the views of my Employer.
Where I work ..
“I don’t care about security and never will. So do whatever you want, but make sure I know I’m better off with you employed”
What is “Useful Security”?
• Not security for the sake of security
• Solves Operations problems
• Makes business more efficient
• Meets requirements for compliance with legislation:
  • PCI-DSS, SOX, HIPAA, FISMA
Why “Build” It?
Invest in Your Team
• Open Source encourages you to get into the nuts and bolts
• You learn more than just the software
  • Networking
  • Protocols
  • Operating Systems
• Promotes Cross Training
(Comic: Bill Hood)
CEO & CFO want ROI
Part Duex; Duexing It!
Complying, like a boss.
• Systems and Network Inventory
• Systems and Network Monitoring
• Accountability
  • Who is where, when, why, and how?
Paying Attention
• Already have a great deal of information
• Just need to get it into one place
  • Central Logging
syslog-ng
• Program destination
  • Started with the syslog-ng daemon
  • Messages are passed to that program’s STDIN
  • Lets dynamic programming languages with high startup costs be really quick: the interpreter starts once and then handles every message
• Configuration syntax makes sense
• Caveat: Some features are not free
rsyslog
• All Open Source
• Supports Native Encryption via TLS
• Supports on-disk queueing for remote destinations
• Caveat: Configuration syntax is ugly
Long Term Memory
• Store our relational data with PostgreSQL
• ACID Compliant for Standards Compliance
• Support for Stored Procedures, Triggers, and Views
• Extensible via pgFoundry and PGXN
  • PL/R, PostGIS, ltree, etc.
PostgreSQL: inet

    SELECT * FROM node_history WHERE ip_address << inet '192.168.1.0/24';

The inet type’s << (“is contained by”) operator lets us ask whether an IP address falls within a given range.
Information Flow (diagram)
• Servers log via syslog
• Central Syslog Server
• PostgreSQL Central Data Store
• Open Source NMS Tools
• Custom Data Correlators
• Perl-based Web Front End
Getting Useful Data
• DHCP logs to syslog
  • MAC, IP, and Hostname
• Arpwatch logs to syslog
  • MAC, IP, and Hostname
• Netdisco stores data in PgSQL
  • MAC, Switch, and Port
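As an added example (not code from the talk), here is a consumer in the shape the syslog-ng program destination expects, started once and reading messages from STDIN, that extracts the MAC/IP/hostname tuples the DHCP and arpwatch slides list; the script path, syslog-ng object names and the dhcpd/arpwatch message formats are assumptions.

```python
#!/usr/bin/env python3
"""Consumer for a syslog-ng program() destination (added example, not the talk's code).
Assumed syslog-ng side (object names and path are assumptions):

    destination d_inventory { program("/usr/local/bin/inventory_feed.py"); };
    log { source(s_net); filter(f_dhcp_arp); destination(d_inventory); };

syslog-ng starts the script once and writes every matching message to its STDIN,
so the interpreter start-up cost is paid once rather than per message."""
import re
import sys

# ISC dhcpd DHCPACK and arpwatch "new station" messages as relayed by syslog
# (formats assumed from typical dhcpd/arpwatch output).
DHCPACK = re.compile(
    r"dhcpd(?:\[\d+\])?: DHCPACK on (?P<ip>[\d.]+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?", re.IGNORECASE)
ARPWATCH = re.compile(
    r"arpwatch: (?:new station|changed ethernet address) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})", re.IGNORECASE)

def normalize_mac(mac):
    """arpwatch prints unpadded octets (0:1:2:...); store aa:bb:cc:dd:ee:ff."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

def parse_line(line):
    """Return (source, mac, ip, hostname) or None for lines we do not care about."""
    m = DHCPACK.search(line)
    if m:
        return ("dhcp", normalize_mac(m["mac"]), m["ip"], m["host"] or None)
    m = ARPWATCH.search(line)
    if m:
        return ("arpwatch", normalize_mac(m["mac"]), m["ip"], None)
    return None

def consume(stream, sink):
    """Read lines until EOF and hand each parsed record to sink; returns the count.
    In the talk's design sink would INSERT into the PostgreSQL node_history table."""
    count = 0
    for line in stream:
        rec = parse_line(line)
        if rec:
            sink(rec)
            count += 1
    return count

if __name__ == "__main__":
    consume(sys.stdin, lambda rec: print(*rec, sep="\t"))
```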
Getting Useful Data
• Samba logs via syslog
  • IP and Username
• ActiveDirectory and LDAP for users
  • Username, Email, Phone #
• Custom-built app tracks Employee Data
  • Supervisor, Manager, Contractor POC
Data Relationships
Now it’s easy to solve Operations Problems
Security Under the Veil of Utility
Identify and Locate Users
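The "who is where, when" join across the sources the talk lists (Samba, DHCP/arpwatch, Netdisco, directory), as an added example that is not the talk's code: the rows are constructed stand-ins for the PostgreSQL tables, and the optional subnet filter mirrors the inet << query shown earlier.

```python
"""Added example (not the talk's code): join the per-source records the slides
list into 'who is where, when' answers. Rows are constructed; in the talk's
design they live in PostgreSQL tables fed by syslog and Netdisco."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample rows, one list per source named on the slides.
SAMBA_LOGINS = [   # (time, ip, username) -- Samba via syslog
    (datetime(2012, 6, 1, 9, 5), "192.168.1.50", "bob"),
    (datetime(2012, 6, 1, 14, 0), "192.168.1.50", "alice"),
]
NODE_HISTORY = [   # (time, ip, mac) -- DHCP and arpwatch via syslog
    (datetime(2012, 6, 1, 8, 0), "192.168.1.50", "00:11:22:33:44:55"),
    (datetime(2012, 6, 1, 13, 0), "192.168.1.50", "00:11:22:33:44:66"),
]
SWITCH_PORTS = [   # (time, mac, switch, port) -- Netdisco
    (datetime(2012, 6, 1, 8, 1), "00:11:22:33:44:55", "sw-floor2", "Gi1/0/7"),
    (datetime(2012, 6, 1, 13, 1), "00:11:22:33:44:66", "sw-floor3", "Gi1/0/12"),
]
DIRECTORY = {   # username -> (email, phone) -- Active Directory / LDAP
    "bob": ("bob@example.org", "x1234"),
    "alice": ("alice@example.org", "x5678"),
}

def latest_before(rows, when, key_index, key):
    """Most recent row with row[key_index] == key and row time <= when.
    The same IP maps to different MACs over time, so the join must be time-aware."""
    hits = [r for r in rows if r[key_index] == key and r[0] <= when]
    return max(hits, key=lambda r: r[0]) if hits else None

def locate_user(username, subnet=None):
    """For each login by username (optionally only inside subnet) return
    (time, ip, mac, switch, port, email, phone); None where a hop is unknown."""
    net = ip_network(subnet) if subnet else None   # like ip_address << inet 'x/y'
    email, phone = DIRECTORY.get(username, (None, None))
    results = []
    for when, ip, user in SAMBA_LOGINS:
        if user != username or (net and ip_address(ip) not in net):
            continue
        node = latest_before(NODE_HISTORY, when, 1, ip)
        mac = node[2] if node else None
        port = latest_before(SWITCH_PORTS, when, 1, mac) if mac else None
        results.append((when, ip, mac, port[2] if port else None,
                        port[3] if port else None, email, phone))
    return results

if __name__ == "__main__":
    for row in locate_user("alice", "192.168.1.0/24"):
        print(*row, sep="\t")
```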
Get useful information on our users
a few other tricks ..
do something cool w/metrics
cool deploy macros via Puppet

    subversion::deploy { 'project':
      owner  => apache,
      group  => apache,
      svnurl => 'svn+ssh://svn/repo/project',
      target => '/var/www/project',
      notify => Service['httpd'],
    }
https://github.com/reyjrar/svnutils
This satisfies “Change Management” Requirements
OSSEC
• Policy Compliance
  • Exceeds current logging recommendations
• Open Source Software
  • #ossec on irc.freenode.net
• Great functionality
  • Distributed Active Response
• WebUI
“OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.”
http://ossec.net