Scale Your Auditing Events - TIB AV-Portal

Scale Your Auditing Events

00:00

12

Formale Metadaten

Titel

Scale Your Auditing Events

Serientitel

Anzahl der Teile

561

Autor

Lizenz

CC-Namensnennung 2.0 Belgien:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.

Identifikatoren

10.5446/44532 (DOI)

Herausgeber

Erscheinungsjahr

Sprache

Inhaltliche Metadaten

Fachgebiet

Genre

Abstract

The Linux Audit daemon is responsible for writing audit records to the disk, which you can then access with ausearch and aureport. However, it turned out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original configuration, but ships them to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what can you do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we are combining Auditd events with logs, which are security relevant.

FOSDEM 2019346 / 561

1

24:45

How to write pylint plugins

2

25:20

How to build your own Ethereum client

3

27:01

How to build a FreeBSD CI/CD environment based on pot container

4

53:49

How should lawyers behave? Legal "Ethics" and Free Software

5

21:39

How Online Backup works in MyRocks and RocksDB

6

31:25

How Kubernetes used gRPC to encrypt secrets with an external Key Management Service and Go for Javascript developers

7

30:21

How and why (not) to use the 127.0.0.53 nameserver, systemd-resolved and resolvctl

8

15:27

How a Connect-X device driver works

9

24:36

horizon EDA - what's new

10

30:09

11

30:38

Hikar - Free and Open Source Android Augmented Reality for walkers - v0.2

12

24:10

High end augmented reality using Javascript

13

20:09

Hey, A Blockchain-Based Social Network

14

37:31

Hardware/Software Co-Design for Efficient Microkernel Execution

15

24:27

Hands on debugging with Delve

16

53:09

Handling Security Flaws in an Open Source Project

17

24:44

Hacking NodeJS applications for fun and profit

18

30:10

Hackers gotta eat

19

23:05

GWL: GNU Workflow Language

20

25:31

Guile 3: Faster programs via just-in-time compilation

21

25:10

gtk-rs: newest and future developments

22

24:52

GStreamer embedded state of the union 2019

23

21:04

GStreamer 1.16 and beyond

24

18:14

gRPC, Protobufs and Go... OH MY!

25

26:06

Greenfield: An in-browser Wayland compositor

26

29:24

GraphHopper Routing Engine - New Features

27

17:49

Graph usage in EFL

28

29:47

GraalVM: Polyglot Development Platform with Great Toolability

29

45:51

Hacking PostgreSQL

30

15:10

gr-soapy: A handy SDR hardware interface module for GNU Radio

31

15:40

Good Will Snapping

32

42:40

GObject subclassing in Rust for extending GTK+ & GStreamer

33

32:38

Go Lightning Talks - Come speak!

34

23:23

Go containers? Go serverless?

35

25:10

GNU Radio with a Rusty FPGA

36

43:23

GNU Radio in 2019: Facts and Plans

37

30:10

GNU Mes - Reduced Binary Seed bootstrap for GNU Guix

38

35:19

Gluster Container Storage

39

25:53

Global Consent Manager

40

30:10

Git database with bitmap index

41

21:34

Getting to Closer to a Software Help Language

42

39:57

Gephi JS: Exploring the dystopian future of a Javascript Gephi

43

26:57

GNU Radio meets Scapy

44

29:30

GBForth: Using Forth to understand the Game Boy

45

26:07

Futatabi: Multi-camera instant replay with slow motion

46

29:46

FST-01SZ (Flying Stone Tiny 01 revision ShenZhen)

47

25:10

From Zero to Portability

48

36:07

From Oracle to Apache - News from Apache NetBeans

49

25:10

From jQuery to React

50

22:51

Fritzing - the past, the present and the future

51

47:08

FreeIPA and cross-distribution packaging experience

52

38:22

FreeBSD in Audio Studio

53

35:10

FreeBSD Graphics

54

24:10

Fractalide and Cantor

55

16:02

FOSDEM infrastructure review

56

44:55

Forest: An Open Source Quantum Software Development Kit

57

44:54

FLOSS, the Internet and the Future

58

20:35

59

29:39

Flickerfree boot

60

22:28

Firefox is your Marionette

61

30:21

Firecracker, should it work only with a single runtime?

62

35:06

Fine-grained Distributed Application Monitoring Using LTTng

63

21:34

Fighting spam for fun and profit

64

09:30

Feature store: the missing data layer in ML pipelines?

65

26:53

Fearless Multimedia Programming

66

25:10

Extending syslog-ng in Python: Best of both worlds

67

25:34

Extending Numba

68

12:35

Exporting Ceph Object Storage data to the outside world

69

17:23

Exponential speedup in progress

70

22:00

Experience with wisp

71

21:38

Evolution of file system and disk management in HelenOS

72

21:37

Etherlime: open source blockchain development tool

73

15:24

Enrich your NIC's capabilities with DPDK Soft NIC

74

25:47

Enough: How journalism can benefit from free software

75

29:48

Extend Emacs in C or Other Languages

76

26:59

Embracing Language Servers for Blockchain Development

77

20:32

Embedded FreeBSD on a five-core RISC-V processor using LLVM How hard can it be?

78

49:21

ELI5: ZFS Caching

79

20:34

ElasticSearch Correctness and perfOrmance Validator

80

48:09

81

25:52

Dynamic answer generation with Lua

82

13:48

Drawing PCBs with Inkscape

83

20:10

Dotting the ethics i and crossing the t

84

11:58

Documenting Validator Requirements

85

13:59

Document Redaction with LibreOffice

86

48:21

Do Linux Distributions Still Matter With Containers?

87

30:09

DNS Privacy panel

88

28:34

DNS and the Internet's architecture: the DoH dilemma Impacts of DNS-over-HTTPS on how the Internet works

89

36:05

Distributed ledgers finally brought me a usable digital identity!

90

21:03

Distributed Computing with Ada and CORBA using PolyORB

91

20:33

Displaying other Application data into a Wiki

92

26:21

Discover GraphQL with Python, Graphene and Odoo

93

08:49

94

24:30

Developing data structures for JavaScript

95

22:11

Designing for Security

96

24:43

Designing Command-Line Tools People Love

97

25:39

Design Automation in Wonderland

98

22:40

Demystifying Coroutines and Asynchronous Programming in Python

99

24:22

Deep Dive: Kubernetes Metrics with Prometheus

100

29:24

Deduplication on large amounts of code

101

29:57

Decoding Meteor-M2: QPSK, Viterbi, Reed Solomon and JPEG

102

30:09

D-Wave's Software Development Kit

103

22:13

D-Wave Hybrid Framework

104

22:43

Declare your Linux Network state!

105

28:28

Decentralizing the Web Despite Itself

106

36:35

Debug info in optimized code - how far can we go?

107

15:22

Debian Java: Insights and challenges

108

50:10

Ceph Data Services in a Multi- and Hybrid Cloud World

109

50:10

Data Modeling, Normalization and Denormalization

110

30:09

D-Wave's Software Development Kit

111

22:13

112

19:24

CubicWeb: a browser for the web of data

113

40:13

Crostini: A Linux Desktop on ChromeOS

114

24:11

Cross browser extensions

115

15:37

Creating a Computing Revolution: from Personal Computers to Personal Servers

116

36:23

Critical Path Analysis

117

23:14

Couple scientific simulation codes with preCICE

118

24:07

Countless, Beautiful Contribution

119

20:10

Controlling the Execution of Parallel Algorithms in Ada

120

18:44

Continuous Localization

121

21:15

Continuous Integration to compile and test Navit

122

29:36

Containing the RDMA plasma

123

30:09

Consorting with Industry

124

15:10

Console oriented services: wttr.in, cheat.sh, rate.sx

125

25:10

Consistent PKCS#11 in Operating Systems

126

09:39

Connecting .NET Core to D-Bus

127

25:10

Configurations: Do you prove yours ?

128

26:17

Condition Monitoring & Transfer Learning

129

23:50

Compute the QOS of your infrastructure with DEPC

130

20:10

Component-based Design System and Development

131

24:34

Complex cameras are (were?) complex

132

40:40

Compiling the Linux kernel with LLVM tools

133

33:15

Companies and Communities

134

28:54

Community Data Are Not Community Metrics

135

27:02

Coming: a Tool for Mining Change Pattern Instances from Git Commits

136

23:49

Collabora Office as an app on iOS

137

15:21

138

50:10

Codifying infrastructure with Terraform for the future

139

25:06

Code anomalies in Kotlin programs

140

30:10

Coaching for Open Source Communities 2.0

141

13:46

Cloud Native Security 101

142

09:45

FOSDEM 2019 - Closing

143

18:12

Clang plugins in LibreOffice - global analyses across a large codebase

144

26:45

CK: an open-source framework to automate, reproduce, crowdsource and reuse experiments at HPC conferences

145

27:06

CI/CD for embedded development with an ESP8266, Arduino-cli, Gitlab-ci, Raspberry Pi, and Kubernetes

146

29:10

Challenges With Building End-to-End Encrypted Applications - Learnings From Etesync

147

24:59

Challenges in Monitoring Distributed Storage Environment and how Tendrl addresses them

148

39:28

Ceph storage with Rook

149

23:53

Cappulada: Smooth Ada Bindings for C++

150

46:58

Can Anyone Live in Full Software Freedom Today?

151

24:55

Call C++ from Rust with the cpp crate

152

29:45

Building production-grade networking software with FD.io CSIT

153

25:18

Pantheon Doc team expedition

154

27:50

Building open source scientific equipment

155

26:06

Building modern desktop apps in Go

156

20:10

Building Immersive Experiences with the Web

157

27:37

Building an LLVM-based tool

158

23:26

Building a Multi-Node SIP Platform Using OpenSIPS

159

18:51

160

27:53

Building a Community Metrics Strategy

161

23:27

Bring JavaScript to the Internet of Things - From Embedded Device to Smart Gateway

162

22:15

Breaking the 100 bits per second barrier with Matrix

163

52:39

Breaking PostgreSQL at Scale

164

22:59

Breaking Down Language Barriers

165

20:29

Breaking the Messaging Silos with COI: Chat Over IMAP

166

16:06

bmclib: A Baseboard Management Controller library

167

43:18

Blockchain: The Ethical Considerations

168

26:18

169

21:14

Beyond the webrtc.org monoculture

170

43:45

Beyond The First Steps

171

44:13

Better loop mounts with NBD

172

25:10

Base64 is not encryption

173

15:11

API Client Library Automation

174

39:47

Automated firewall testing

175

25:45

Automate Kubernetes Workloads with Ansible

176

15:41

Autocrypt - Automating E-Mail Encryption

177

32:01

Augmented Network Visibility with High-Resolution Metrics

178

30:10

Async PHP Requests & Reactive Responses with PHP-FPM

179

29:28

Astor: A Program Repair Library for Java

180

20:10

Asterisk WebRTC frontier: make client SIP Phone with sipML5 - Janus Gateway

181

20:38

The State of Asterisk

182

39:31

Around the world with Postgres extensions

183

24:58

Apache Lucene and Apache Solr 8

184

23:16

Analysis of the behavior of mobile applications and its consequences for our privacy

185

11:27

VIRTIO status update

186

20:40

An Update on NetBSD (no, not that kind of update)

187

23:47

Automated Analysis of TLS 1.3

188

25:13

Tezos Introduction

189

30:48

An operator centric way to update application containers with AtomFS

190

28:27

Introduction to Production Profiling and Diagnostics

191

1:40:16

An Introduction to Ada for Beginning and Experienced Programmers

192

25:03

An End-to-End LTE Testbed in Three Clicks

193

20:14

AI image search with Go & Tensorflow

194

50:01

Advocating For FOSS Inside Companies Redux

195

15:22

Add enterprise 2FA to your ownCloud in 15 minutes

196

57:16

ActivityPub panel

197

20:59

A year of LXD development

198

28:43

A year of Container Kernel Work

199

22:08

A roadmap for the Hurd?

200

20:10

A quick update on singularity 3.0

201

20:21

Get your data back under control

202

28:28

A new approach to container isolation with Nabla

203

46:06

A microkernel written in Rust: Porting the UNIX-like Redox OS to Armv8

204

26:41

A low latency GPU engine based reset mechanism for a more robust UI experience

205

26:55

A Guiler's Year of Racket

206

20:46

A follow-up on LTTng container awareness

207

42:18

A Deepdive into Tantivy

208

21:00

containerd update

209

14:36

A brief story about friendship

210

17:47

.NET on the Web with Mono WebAssembly

211

27:02

"Enlightening" KVM

212

28:38

"Collaboration in Open Source Is the Better Way"

213

30:09

214

24:16

25 Years of FreeBSD

215

54:20

2019: 50 Years of *x: A Computer Odyssey and Why it is important

216

14:13

10 years of open source test case management

217

15:59

0 A.D., a libre real-time strategy game

218

23:42

Multilingual Kubernetes

219

44:49

Multicloud CI/CD with OpenStack and Kubernetes

220

21:47

Monitoring Kubernetes and Virtualization

221

15:22

222

17:48

Mobile design with device-to-device networks

223

40:09

Mining Source Code^3

224

22:25

Minimalism versus Types

225

46:43

Migrating from Adobe Connect - the Victory of FOSS Over Proprietary Software

226

18:44

Minimalism matters

227

40:13

Migrating a Big Data Cluster from Linux to FreeBSD

228

15:09

MicroPython – Python for Microcontrollers

229

35:10

Microkernel virtualization under one roof

230

38:09

Microkernel lightning talks

231

26:28

Microcontroller Firmware from Scratch

232

22:39

Mgmt Config: The Road to 0.1

233

23:43

Merging System and Network Monitoring with BPF

234

49:51

235

14:47

Memory Management

236

21:20

Memex: Battling Information Overload

237

27:55

Medical image reconstruction using the .NET Framework

238

39:16

Mattermost’s Approach to Layered Extensibility in Open Source

239

52:34

Matrix in the French State and introducing...Matrix 1.0

240

26:39

Mastering Application/Service Configuration

241

22:08

MariaDB and MySQL — what statistics optimizer needs

242

21:26

Managing Virtual Machines and Containers in a Deeply Integrated UI

243

39:20

Managing and Monitoring Ceph with the Ceph Manager Dashboard

244

15:09

MALT: MALloc Tracker

245

10:09

MALT & NUMAPROF, Memory Profiling for HPC Applications

246

23:19

Making your Python code write your Python code

247

47:59

Creating the next hit game with FOSS tools

248

23:06

249

53:37

Making Sense of so many License Compliance Tools

250

50:51

Make your own language with Racket

251

16:07

Make XMPP Sprint Again

252

30:10

oVirt: Make Room! Make Room!

253

14:59

Maemo Leste: Mobile Hacker OS

254

25:10

M3 and a new age of metrics and monitoring in an increasingly complex world

255

25:07

Lucene Upgrade in Jira 8.0

256

44:06

257

25:09

Weaving Computation

258

30:21

Grafana Loki: Like Prometheus, but for logs

259

41:05

llvm.mix Multi-stage compiler-assisted specializer generator built on LLVM

260

20:00

LLVM for the Apollo Guidance Computer

261

40:57

Linux distributions, lifecycles, and containers

262

28:57

Linux and USB Audio Class 3

263

34:14

Linking OpenStreetMap and Wikidata

264

29:31

FOSDEM 2019 - Lightning Talks

265

34:37

libsigmf: Human Tools for Extra-Terrestrial and AI Radio

266

22:39

LibreOffice Online - hosting your documents

267

26:14

LibreOffice: the origins of a community fork

268

23:52

269

23:50

Leveraging ceph-mgr modules for fun

270

05:10

Let's use centralized log collection to make incident response teams happy

271

39:03

Lessons in TableGen

272

13:24

Lesson learned from Retro-uC and search for ideal HDL for open source silicon

273

25:10

Less painful E2E tests with Cypress.io

274

16:36

LemonLDAP::NG 2.0

275

15:10

Leela Chess Zero

276

50:10

Learning to Rank

277

26:21

Learning about Deep Learning: Applications for OpenJDK/Java Verification

278

13:20

LAVA federated testing

279

48:13

Latest evolution of Linux IO stack, explained for database people

280

18:43

LATERAL derived table in MySQL

281

32:05

Latency SLOs done right

282

30:30

Kubelet Istio: Kubernetes Network Security Demystified

283

28:38

284

29:03

KiCad Project Status 2019

285

43:25

Keeping Track of Stateful Infrastructure

286

25:10

JavaScript for open computing education

287

24:14

JavaScript: If you love it, set it free

288

26:23

Java and Containers

289

22:06

Checkpoint Restore

290

20:29

Introduction to reSIProcate

291

25:55

Introduction to OpenAPI Specification

292

10:41

Introduction to dpdk-burst-replay tool

293

28:24

CERN Open Hardware Licence 2.0

294

45:29

Introducing rust-prometheus

295

16:58

Machine Learning: From Lab to Production with Kubeflow

296

18:00

Introducing kubectl-trace

297

15:31

Introducing DBus-ASIO

298

23:42

Interactive Computing with F# Jupyter

299

27:59

Intel GFX CI: Validation done the Linux way

300

10:10

Gstreamer loves WPEWebKit

301

25:32

Inclusion Includes You

302

28:21

Improving SmartArt import in LibreOffice Impress

303

30:10

Improving LibreOffice quality together

304

20:55

Improve your SQL

305

30:10

Improve your On-Ramps for New Participants

306

15:10

IMAP, JMAP and the future of open email standards

307

25:10

IGT GPU Tools - the past, the present, the future

308

16:26

ID4me: using the DNS as a directory for identities

309

35:20

Hyperledger Fabric

310

30:10

HWallet: The simplest Bitcoin hardware wallet

311

27:44

Hundred* thousand rides a day

312

51:09

Huge pages and databases

313

1:00:10

314

21:06

WebXR - Beyond Games & 360 Videos

315

15:10

How we use Gluster

316

30:47

How We Modified an Agent-based Automation System to Become an Agentless One

317

09:20

NFS-Ganesha Weather Report

318

21:35

319

29:27

New interoperability, i18n and LibreLogo improvements of LibreOffice

320

07:55

Neuropil - Secure Interaction for Things

321

33:51

Neural commit message suggester

322

49:18

Netflix and FreeBSD

323

09:49

Nakadi: Streaming Events for 100s of Teams

324

24:33

MySQL Replication - Advanced Features

325

22:58

MySQL and the CAP theorem: relevance & misconceptions

326

20:10

MySQL 8.0 Document Store: How to Mix NoSQL & SQL in MySQL 8.0

327

20:10

MySQL 8.0 Component Infrastructure

328

10:42

My 10 year journey with FOSSASIA: A woman's pathway to open source

329

38:25

Multiplex graph analysis with GraphBLAS

330

13:47

Open source virtual prototyping for faster hardware and software co-design

331

16:44

Open source software security testing

332

25:00

Open Source Geolocation

333

25:03

Open Source Firmware at Facebook

334

22:23

An OSD Case Study

335

44:59

Microsoft's Open Source Journey

336

29:40

Open Source at DuckDuckGo

337

15:09

Open Software deserves Open Hardware

338

13:55

Open Food Network

339

27:01

One image to rule them all

340

30:40

On Observability

341

26:10

Now what? Following through on your community guidelines

342

27:33

No evidence of communication and implementing a protocol: Off-the-Record protocol version 4

343

14:32

344

26:55

openEMS - An Introduction and Overview

345

36:13

346

25:10

Scale Your Auditing Events

347

05:59

SAYMON - object-oriented monitoring and management for both ICT&IoT

348

42:37

Sans IO: safe and testable network protocols

349

26:52

Salut à Toi: A Python Based Social Network And More

350

26:44

RustPython: a Python implementation in Rust

351

22:55

RustPräzi: a tool to build an entire call graph of crates.io

352

24:45

353

18:44

354

25:31

Russian crypto algorithms in the OpenSource world

355

15:35

Running Android on the Raspberry Pi

356

29:02

Rspamd in FreeBSD Mail

357

39:32

Roll your own compiler with LLVM

358

27:18

Rewriting Pointer Dereferences in bcc with Clang

359

22:35

Root Zone KSK Rollover update

360

22:16

Retroshare JSON

361

22:03

Resurrecting Personas for LibreOffice

362

23:40

Singularity: Simple. Fast. Secure.

363

27:45

Reinventing MVC pattern for F# web programming

364

27:08

ReFrame: A Regression Testing and Continuous Integration Framework for HPC systems

365

24:29

Reducing Memory Usage of Mesa's Shader Compiler (Again)

366

21:13

Redis Labs & the tragedy of the Commons Clause

367

27:13

Redfish: the new standard for a Software Defined Infrastructure

368

23:37

RecordFlux: Facilitating the Verification of Communication Protocols

369

05:09

370

28:05

371

51:31

Rated Ranking Evaluator: an open-source approach for Search Quality Evaluation

372

26:53

Raspberry Pi history, tips and use case

373

44:37

374

41:17

375

24:15

Quo vadis, LibreOffice extensions?

376

20:40

PWA caching strategies

377

24:59

Protecting Secrets with Hardware

378

20:36

Pulp 3: Ready for a Test Drive

379

26:23

Protect your bits: Introduction to gr-fec

380

20:10

Proof of Pointer Programs with Ownership in SPARK

381

39:35

Promotion of open source and role of standardization in Quantum Computing

382

24:43

Project Trellis and nextpnr: FOSS Tools for ECP5 FPGAs

383

23:46

384

45:10

Profiling PHP applications

385

30:03

Profiling Low-End Platforms using HawkTracer Profiler

386

21:00

Privacy-preserving monitoring of an anonymity network

387

31:04

Preserving numerical algorithms

388

35:09

Predicting PR Comments

389

43:43

PostgreSQL vs. fsync

390

48:34

PostgreSQL Goes to Eleven!

391

22:22

Porting U-Boot to a Modular Device

392

55:29

Porting Debian to the RISC-V architecture

393

50:54

Portable Services are Ready to Use

394

24:51

Pocket Science Lab

395

25:23

Pocket Science Lab

396

28:21

397

20:10

Persistence with Ada Database Objects

398

21:14

Perl 6 as a new tool for language compilers

399

26:01

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

400

20:57

Performance tuning Twitter services with Graal and Machine Learning

401

44:26

PennyLane - Automatic differentiation and machine learning of quantum computations

402

19:57

Patterns and anti-patterns in Open Source participation

403

55:17

Difficulties in having more designers involved in Open Source

404

48:35

Packaging for Mageia Linux with Docker containers

405

21:31

Package software for any distribution with upt

406

48:21

Panel: Open Source .NET

407

17:16

P4: Private Periodic Payments Protocol

408

54:28

Deep dive in the ossia ecosystem

409

42:53

Organizer's Panel -- Now and Forever

410

23:00

Organisational Processes in Decentralized Software

411

14:41

Hardening the Operating Systems against transient faults

412

50:10

Kubic for Container People

413

16:24

414

43:08

OpenJDK Governing Board Q&A

415

23:28

416

42:57

Quantum Computing at Google and in the Cloud

417

21:29

OpenStreetMaps for emergency prep: The view from San Francisco

418

32:13

XWiki: a collaborative apps development platform

419

38:44

ZFS Powered Magic Upgrades

420

25:14

Zink: OpenGL on Vulkan

421

13:40

Will you boot Haiku, on a non intel platform, no BIOS winter?

422

17:29

Writing Network Drivers in High-Level Languages

423

14:30

XR: The present, the future and how to get there.

424

50:27

XDP (eXpress Data Path) as a building block for other FOSS projects

425

26:26

Working with Webhooks

426

17:52

Why JSON when you can DSL?

427

30:10

Why, and How, we compiled Xaml into IL

428

30:39

Who wants you to think nobody uses the AGPL and why

429

20:42

Who needs to know? Private-by-design collaboration

430

25:22

Who needs pandoc when you have Sphinx?

431

25:48

Where is my error gone?

432

30:10

When perf-html Met A11y

433

25:52

Exponential speedup in progress

434

25:47

When and How to use CGo

435

41:27

What's new in the world of seL4

436

50:48

What's new in PostgreSQL 11

437

23:46

What's new in DeepSea An overview of new features

438

38:58

What makes LLD so fast?

439

45:25

440

11:45

Setting up an HPC lab from scratch

441

04:51

Writing Asynchronous SNMP Agents

442

19:17

What are your users kubectl-ing into your Kubernetes cluster?

443

04:17

Welcome to the Legal and Policy Issues devroom

444

25:10

Web Components are the future. And the future is now!

445

22:47

Write Drunk - Test Automated

446

22:46

What did I just agree to?

447

41:23

Walking through walls

448

25:45

Wayland in IVI systems

449

28:57

VR Map: Putting OpenStreetMap Data Into a WebVR World

450

24:17

VoIP Troubleshooting and Monitoring with SIP3

451

10:30

Voice Controlled Radio Enabling broadcast reception for Smart Speakers

452

23:08

VNF development made easy with netmap

453

40:09

What's new in Ceph Nautilus

454

30:10

Virtual IOMMU Implementation using HW Nested Paging

455

25:10

456

14:21

VBoard, making web dashboards in 3D and VR

457

23:32

Validating Big Data Jobs

458

23:06

Uyuni: A world-class open source frontend solution for managing your software-defined infrastructure with Salt

459

21:11

UX at Tor: an Open Approach

460

24:33

Using Progressive Web Apps to control IoT

461

40:10

Using networks to study 18th century French trade

462

29:05

Using eBPF for Linux Performance Analyses

463

30:10

Use kcli with all your virtualization solutions!

464

27:48

Use configmanagement for your ... configmanagement.

465

25:10

USB borne attacks and usable defense mechanisms

466

19:42

Video Analysis using CUDA and OpenCV

467

35:42

Unikraft: Unikernels Made Easy

468

22:50

VR Map: WebXR with Real-World OSM Data

469

20:24

Unifying network filtering rules for the Linux kernel with eBPF

470

37:47

Understanding Source Code with Deep Learning

471

25:16

V4L2: A Status Update

472

23:28

Un-split brain (aka Move Back in Time) MySQL

473

28:32

UEFI Boot for Mere Mortals

474

16:30

TypeScript-It's time to migrate!

475

26:01

Tuning Go GC Parameters

476

25:59

Tree matchings with Behavior Trees

477

22:29

Tracking users with core Internet protocols

478

33:36

Towards a sustainable solution to open source sustainability

479

22:05

Tools for Shrinking Your Containers

480

24:15

To the future with Grav CMS

481

25:55

Time is Important - Developer Centric IoT Platforms

482

19:28

Tiki: Easy setup of wiki-based knowledge management system

483

21:56

TiDB: Distributed, horizontally scalable, MySQL compatible

484

15:35

Theo: The Authorized Keys Manager

485

28:56

What's going on with Storage?

486

20:10

Unified Communications with Pàdé

487

29:11

Tooling for IntelliJ Platform Plugins

488

32:56

The surprising interaction of open source and patent exhaustion

489

17:36

The State of Webassembly in 2019

490

07:47

The state of machine learning operations in 2019: reproducibility, explainability, bias evaluation and beyond

491

25:03

The State of Go

492

19:43

The SReview review system

493

26:43

The Software Developer’s Guide to Open Source Hardware

494

16:32

Skulls - coreboot your X230 the easy way

495

24:33

The right to data portability (and why it's a very bad idea)

496

48:18

The TPM2 software community

497

26:28

The Yoast Design Meeting and how it started us on the path to open source design

498

30:10

The Open Source Community: its past and future

499

30:09

The New Internet

500

25:10

The new EU CyberSecurity Act

501

25:59

The Missing Benchmark Metric: Memory Consumption

502

11:25

The Kitspace BOM Builder

503

28:49

The impact of Meltre and Specdown on microkernel systems (*)

504

45:17

The future of Supervisor Binary Interface(SBI)

505

27:39

The final release of Kodi v18

506

26:29

The Dwingeloo radio telescope goes SDR

507

40:09

The DAO of Bisq

508

48:31

The Current and Future Tor Project

509

22:30

the current and future state of Ethereum

510

34:26

The Container Storage Interface, Explained

511

20:47

Making your MySQL Replication Setup run faster!

512

42:58

The Cloud is Just Another Sun

513

16:48

The brief case for User-space Network Stacks (DPDK and friends)

514

21:24

The art of multiplexing MySQL connections with ProxySQL

515

25:12

Text Markup to PDF with Python

516

19:12

The real cost of not doing user research

517

21:16

The convergence of HPC and BigData

518

29:13

Testing Over 1000 gTLDs for EDNS0

519

22:13

Testing GraphQL in your JavaScript application

520

29:51

Tested for Business: An Open and Transparent Quality Kit

521

24:51

Test complex database systems in a laptop with dbdeployer

522

24:15

Testing your infrastructure and services with the help of OPNFV testperf team

523

22:20

Ten years of Puppet installations: what now?

524

25:10

Templating Languages for Interactive Fiction

525

22:28

Tcl - An Embeddable Long-lever with a Comfortable Grip, that fits in your Pocket.

526

25:50

Tapping Into the Binary Log Change Stream

527

15:42

Sysadmins, too, deserve interface stability

528

30:09

Sustaining FOSS Projects By Democratizing The Sponsorship Process

529

15:36

530

30:51

Taming The Dinosaur: How Eclipse was Performance Tuned

531

19:26

Sustain in Open Source with Gitcoin

532

49:12

SUSI.AI: An Open Source Platform for Conversational Web

533

30:14

Countering Impostor Syndrome Culture

534

26:11

Super-speedy scoring in Lucene 8

535

28:04

536

15:23

Structured Concurrency

537

25:10

Streaming Pipelines for Neural Machine Translation

538

40:24

Storing "Lots Of Small Files" in a Swift cluster

539

21:26

Stories from BIND9 refactoring

540

37:13

Square Kilometre Array

541

27:55

Spoofing GPS is it really the time we think it is, and are we really where we think we are?

542

17:51

Speeding up the Booting Time of a Toro Appliance

543

23:23

Speeding up Programs with OpenACC in GCC

544

30:05

Spatial Reference Systems Transformations with Boost.Geometry

545

28:51

Watching Them Watching Us WebExtensions Exposing Privacy Leaks

546

52:25

Tesla Hacking to FreedomEV!

547

49:01

Solo5: A sandboxed, re-targetable execution environment for unikernels

548

42:55

Solid: taking back the Web through decentralization

549

24:51

SMT-Based Refutation of Spurious Bug Reports in the Clang Static Analyzer

550

36:15

Smelling Source Code Using

551

40:09

SMB3 UNIX Extensions

552

04:00

553

25:10

Solving Polynomial Systems in Python

554

29:42

Set-versioned package dependencies

555

24:41

Securing the JVM

556

26:54

Server side solution for generating ODF reports

557

25:01

Securing Secure Boot on Xen

558

43:24

Secure Web Applications with AWA

559

27:10

SDR Makerspace sdrmaker.space

560

25:19

Making furniture with JavaScript

561

24:41

Onion adventures

Automatisches Abspielen

Sprache

Text

Bild

00:00

MaßstabEreignishorizontZentrische StreckungRechenschieberEreignishorizontComputeranimation

00:38

KonfigurationsraumZahlenbereichGruppenoperationAuthentifikationEreignishorizontProzess <Informatik>EindringerkennungElektronische PublikationExogene VariableKonsistenz <Informatik>SchlüsselverwaltungWurzel <Mathematik>ComputerspielRechenschieberMultiplikationsoperatorEreignishorizontPhysikalisches SystemEindringerkennungIdentifizierbarkeitComputersicherheitTypentheoriePoisson-KlammerGeradeDifferenteCloud ComputingMotion CapturingPunktMetadatenAggregatzustandSchlussregelVerkehrsinformationRaum-ZeitKonfigurationsraumBitRohdatenZeitstempelElektronische PublikationProzess <Informatik>Elastische DeformationGruppenoperationLoginZweiKernel <Informatik>SchwebungAuthentifikationProgramm/QuellcodeComputeranimation

03:24

GruppenoperationZählenKonvexe HülleEreignishorizontSchwebungKonfigurationsraumComputersicherheitElektronische PublikationMusterspracheMultiplikationsoperatorNetzadresseBimodulGruppenoperationNichtlinearer Operatorsinc-FunktionSchreib-Lese-KopfSyntaktische AnalyseBitDefaultNetzbetriebssystemUmwandlungsenthalpieFortsetzung <Mathematik>Computeranimation

05:15

Inverser LimesMessage-PassingEreignishorizontElektronische PublikationKonfigurationsraumDateiformatATMParametersystemSchlussregelInverser LimesBimodulGruppenoperationAttributierte GrammatikMini-DiscBitrateSoftwareentwicklerSchreib-Lese-KopfSchwebungHecke-OperatorSystem FComputeranimation

06:55

MultiplikationsoperatorEinfach zusammenhängender RaumPunktwolkeSchreib-Lese-KopfSoftwareschwachstelleComputersicherheitBitEreignishorizontUmwandlungsenthalpieInformationInstantiierungMetadatenPhysikalisches SystemFigurierte ZahlVersionsverwaltungProzess <Informatik>Elektronische PublikationOffene MengeBildgebendes VerfahrenFokalpunktNamensraumCloud ComputingMereologieComputeranimation

08:23

LoginWurzel <Mathematik>MenütechnikElastische DeformationPasswortDämon <Informatik>QuaderMomentenproblemComputersicherheitPasswortWeg <Topologie>Computeranimation

08:54

ZählenPhysikalisches SystemRahmenproblemPasswortMultiplikationsoperatorElementargeometrieNetzadresseLoginBestimmtheitsmaßForcingInstantiierungSystemverwaltungAutorisierungComputeranimation

10:45

PasswortElastische DeformationComputersicherheitPhysikalisches SystemLoginPatch <Software>Gibbs-VerteilungKernel <Informatik>OrdnungsreduktionComputerunterstützte ÜbersetzungEreignishorizontElektronische PublikationSchlussregelComputeranimation

11:12

QuellcodeBitEreignishorizontSchlussregelEinsHilfesystemComputeranimation

12:01

LoginElastische DeformationElektronische PublikationDateiformatBimodulFahne <Mathematik>VerzeichnisdienstDigitalfilterBitNichtlinearer OperatorLesen <Datenverarbeitung>SoftwareentwicklerProzess <Informatik>SchlussregelElektronische PublikationPhysikalisches SystemWeg <Topologie>SensitivitätsanalyseInformationBitrateEindringerkennungComputeranimation

13:00

Elektronische PublikationDateiformatBimodulFahne <Mathematik>VerzeichnisdienstAuthentifikationIdentitätsverwaltungPasswortZählenPasswortDienst <Informatik>SystemverwaltungElastische DeformationGruppenoperationMailing-ListePhysikalisches SystemProzess <Informatik>SchwebungComputeranimation

13:58

AuthentifikationIdentitätsverwaltungPasswortLoginPatch <Software>Gibbs-VerteilungComputersicherheitPhysikalisches SystemKernel <Informatik>OrdnungsreduktionElastische DeformationKonvexe HülleEreignishorizontSystemverwaltungElastische DeformationElektronische PublikationSchlussregelTypentheorieWurzel <Mathematik>VerzeichnisdienstComputeranimation

15:18

DigitalfilterQuellcodeMenütechnikSystemaufrufSchlussregelLeistung <Physik>EreignishorizontBeweistheorie

16:25

PasswortElastische DeformationTelnetMaskierung <Informatik>ComputervirusPhysikalisches SystemProzess <Informatik>SocketPlasmabildschirmModul <Datentyp>BimodulSocket-SchnittstelleKonfigurationsraumPhysikalisches SystemDateiformatBrennen <Datenverarbeitung>TelnetInstantiierungProzess <Informatik>BitBildschirmmaskeInzidenzalgebraComputeranimation

17:47

QuellcodePunktwolkeDreizehnQuellcodeProzess <Informatik>EreignishorizontMinimumSocketInstantiierungKontrollstrukturElektronische Publikation

18:57

ComputervirusElastische DeformationPasswortMenütechnikDateiverwaltungAutomatische IndexierungElektronische PublikationInhalt <Mathematik>MultiplikationsoperatorWeb SiteBenutzerbeteiligungIntegralHash-AlgorithmusGruppenoperationGeradeWeb-SeiteMathematikVerzeichnisdienstComputeranimation

20:02

Web-SeiteVererbungshierarchieComputeranimation

20:24

Explosion <Stochastik>Total <Mathematik>EreignishorizontFormation <Mathematik>IntegralElektronische PublikationEreignishorizontMathematikRechenschieberMusterspracheBimodulDateiverwaltungWurzel <Mathematik>Computeranimation

21:35

GruppenoperationEreignishorizontLoginSchlussregelMultiplikationsoperatorPhysikalisches SystemPasswortWurzel <Mathematik>InformationsüberlastungKonfigurationsraumVererbungshierarchieProzess <Informatik>Virtuelle MaschineProzessautomationOrdinalzahlZeitreihenanalyseCoxeter-GruppeAlgorithmische LerntheorieMusterspracheRechenschieberCloud ComputingSchwebungTermInstantiierungAusreißer <Statistik>Inklusion <Mathematik>Keller <Informatik>Maßerweiterung

25:02

Physikalisches SystemComputeranimation

Transkript: Englisch(automatisch erzeugt)

00:14

OK, I think. Hello, everyone. Let's welcome our next speaker, Philip Grant, with the talk,

00:24

Scale Your Auditing Events. Thank you. Hi, everyone. I do have a couple of slides. But since we only have 25 minutes, these are the slides. You've seen them, they're online.

00:42

We'll forget the slides, we'll do stuff live. Otherwise, we're just wasting too much time. So who is using auditd? OK, that's very few. So just to give you a quick idea of what auditd is, it's something that lives in the user space, can capture kernel events. Basically, you can have configuration rules

01:01

of things that come from user space and that you want to capture. It could be like system processes, it can be user actions, it can be file events. Those you can capture and then work with auditd. And you have something that looks like this. You have our report. It just gives you an overview of what has been happening

01:22

or what is the state of your system. So you can see this has been running just very shortly on my system, just a few seconds, basically. But you can still see logins, failed logins, authentications, users. So this just gives you an overview of what is happening in your system. But obviously, this has raw events in the background as well.

01:42

So that would be all search. And then if you add dash raw, it would just give you a lot of raw events. And these are basically the raw events that are happening in your system. Every line starts with a type. You have lots of different types. So for example, a user started something,

02:00

then you have in a bracket that is a Unix timestamp, and after the colon, there is a unique identifier. If one event is causing multiple things that you want to capture, you can have duplicate timestamps and IDs. And then you have a lot of meta information depending on what is happening in your system. So for example here,

02:21

you can see something was ended in success, and I opened a session with a specific user and a process ID, and we can capture all of these. And that is audit D, basically. The one thing that you can already see here a bit is that this line looks very different than this. And while this is nice to capture a lot of events,

02:42

it is a pain in the ass to capture that in a central fashion. You can try to parse it, but it's kind of semi-nice. So just to give you a quick idea, also, why am I talking about that? I work for Elastic, the company behind Elasticsearch, Logstash, Kibana, Beats,

03:01

and we have a cloud service as well. And we kind of had this need at some point that we wanted to audit security events for our own cloud service. And then we looked at, how can we capture security events in general? And the first thing we did is we wanted to capture this file and then basically parse it. So that's something, no, not slack.

03:24

If you've never seen Kibana, this is Kibana. We'll head over to a pre-built dashboard. We have so-called Filebeat modules. They're basically configured, and they know, I want to, let's head over to the Filebeat modules. You can see here that we have various Filebeat modules

03:42

that can collect specific log files. The one I'm interested in here is we have one for auditing events. And basically, we know on my operating system, Ubuntu 18.04, that log file is under that specific path. And by default, the pattern of that file has a specific layout.

04:01

And then we can just parse that and collect all the data. We can do that for NGINX, Apache, MySQL, Postgres, Kafka, lots of others. And we can do that for auditing events. So what we get out of these auditing events, and since I've only been running that yesterday for a short while, you can see here which users were doing which kinds of actions.

04:20

We could filter down on those. You can see we don't have any top-executed commands, but you can see here we were running this and we had a lot of events in a short amount of time. You can also see, this was probably me doing something yesterday. And I had a Belgian IP address probably. We could zoom into that to see where I was actually coming from.

04:40

And then you can see the actual commands and what we have captured on those. However, parsing all of this was still a pain and we didn't really want to do that. So we were thinking like, how can we make this easier? And basically, what we then did is we took what Auditee is doing and we packaged that in another beat. And we called that the Auditee beat.

05:01

So it's just a beat to collect security events. And this is using the same configuration like maybe you could say arcane configuration for Auditee. Just to give you a quick idea of what we have here. So like every other beat, it's living in ECT, whatever beat name you have.

05:21

So we have Auditee beat here. We have Auditee beat YAML. So we have the YAML file here. You see we have the Auditee module that we are running here. These are some configuration parameters that you might know that how failure modes should be handled, how many backlog items do you want to capture, if you want to rate limit this,

05:42

if this is capturing or generating too many events. And then here, I've written myself some notes because I always forget how these filter rules actually work. They define like how this is working. And for example here, I'm saying like watch, we're watching a file, ETC pass WD

06:02

with the actions read, write, execute or change any attribute. And we tag this event with pass WD access. This is one rule for example. Or here, we have a slightly more complicated definition where I say always on exit, follow the file etcpen.conf when somebody reads the file

06:24

but only this uses in the group 1001 and tag that, K is always tagged that with developers PAM read that specific file. So these are just some configuration files. And basically what we've done is we've kept the same configuration format. We've just wrapped it into audit bead

06:41

and audit bead rather than writing it out to disk and then you try to parse it back, sends it as a structured format directly into Elasticsearch. And then you can just visualize that and see what is going on. So to show you, let's head over to this one here. We have some pre-built dashboards for those as well.

07:01

Let's head to the audit D overview. Maybe the last 24 hours are a bit too much. Let's say we just figure on the last or focus on the last 15 minutes. You can see we had for example, 22 open file events or connections to or that somebody executed the process and you can see over time how they developed,

07:20

where those were coming from. For example, that somebody tried to log in and further down you can see the actual events. And we capture a lot of metadata. Something that might be nice for you to see is for example, you can see we have a host information. So we know on what kind of host this is running and what operating system. If you're running in a cloud provider on some cloud,

07:43

you can see this is running on AWS and we enriched that with all the information so you know it's just one specific instance that has a problem for example, security wise. Or you could filter down to say like, oh I know only Ubuntu has a specific vulnerability in one specific version and then I'm only interested in those hosts. So you could filter down to those.

08:00

If you're running in Docker or Kubernetes, you could enrich that with the same metadata here so then you could filter down to a specific part or name space or a specific base image if you know that there is a security issue to look into that. So this is what we have running here. So let's see if we can actually find something.

08:22

So I will quickly head out here, leave this user, let's say we want to log in with an elastic user. Well, what happens if we forget the password? That would not be good.

08:41

But that would be kind of a nice opportunity to actually figure out if anybody is trying to SSH into my box. Since this is a security track, did anybody try to SSH into my box? Otherwise we'll see in a moment. So let's see, I always try to throw that in. So let's see what has been happening in SSH. Well, maybe not just the last 15 minutes

09:01

but let's say the last 24 hours. And then we can see how many people tried to log in. This time we were lucky. It's not even that many login attempts. And you could see like public key password. You can see where they're coming from, which users. So these are me probably, admin is not me. We could filter down to the last 15 minutes, for example,

09:22

just to see, okay, something didn't work here. You can see, okay, this is too small. This time the IP is coming from somewhere else. Anybody has any idea where this might be coming from and why? Okay, somebody, that's surprising,

09:42

somebody from Norway or so is trying to log in. The other one is from Vienna. That's where I'm from. I'm using my phone because people are doing funny stuff with the wifi. And if you're roaming with your phone, you will always get an IP address from home. And then it looks as if with a geo IP lookup, as if that was coming from home. But this is just a coincidence.

10:01

This was me trying to log in. Then down here you could see the actual failed login attempts. And if you zoom out and make the timeframe large enough, you would normally have either Russia or China trying to brute force into your instances or probably you now. Ruth me, yeah?

10:22

So let's see, where are you coming from? You can see five from here, 10 from here. And we seem to be doing better than China and Russia today. Or India is also trying to catch up. But you just get the idea of where stuff is coming from. But this is just the auth log and it's still educational to see what people are trying to accomplish here. So let's actually log in with our user

10:44

and do something useful. So for example, I've shown you the rule when somebody's trying to access ETC-passwd. So let's say my user, bless you, bless you again.

11:02

We're just running a cat on ETC-passwd. We're showing the file because this is something we're trying to capture. So let's see if we actually found that. So I'm heading over to the raw events. These are not the ones I want. And you see in the last 24 hours,

11:21

we didn't have just 31 events, but this will be, yeah, we had 600,000 events. But we set this nice little tag. And with this tag, we can filter down and say like, I think it's called ETC-passwd-access. You could filter down on that one and instead of 600,000 events, you just have 131

11:41

because this is run very frequently. So this is still not helping you too much. You can still see which user is calling it and what command and was it successful or not successful. But this is still a bit wide. So the first rule that we set was maybe not super helpful. The other one that we set for the pem conf

12:04

was a bit more limited because it was just bound to that specific user and just a read operation. So let's see if we switch down that filter to that one if we find something more meaningful. And we have developers pem read. So only the developer user is trying to read that file.

12:22

If you drill into that, you can see, this was just me now. If we open that one, you can actually see we were running bincat on that file. You can see which users, which operating system. You can see the exact process information, user IDs, et cetera.

12:40

Obviously, this makes sense if you have some sensitive files or something that you want to keep track of very well that you configure your rules accordingly for that. Like, you can see pem conf is not making much sense here, but it's just to show you the general approach of what you could do. Something else you could do, for example, is if I run to restart nginx,

13:00

so we have nginx running here. So I say service nginx restart. I pick my Elastic Admin user because I know the password for that one. We would be capturing those as well. So for example, you would have multiple places where you could find those. But for example, we have a dashboard

13:21

for process executions in audit beat. We have the process executions. Here you can see, for example, this is the stuff that is being run. Let's just filter down on the Elastic user, whatever that user is up to. Then down here in that list you can see here, this was actually restarting nginx.

13:41

This was one of the actions that the user has been up to. And that way you could just fit, like if somebody broke into your system with a specific user, you could just see what have they been running and what have they been up to to follow along, whatever stuff they tried out. You could also do some other fun stuff. So let's log out from that user and let's say we're an admin user.

14:04

And the admin user is kind of curious. And the admin user tries to look in what do we have in our home directory. And then he sees like, oh, we have an Elastic user. Well, let's see what the Elastic user is up to.

14:24

And the Elastic user has a file secret txt. And obviously our admin cannot resist looking at the file. So let's take a look. Oops, there's not where we want to go. Elastic user, secret, will this work?

14:44

Yes, no, maybe? No, we need sudo. We can run this with sudo, if I type correctly, to secure. And you can see my secret.

15:02

So this was collected. You can, by the way, we have set up a rule to collect those events. So we said like, if somebody who has root permissions looks into the home directory of a non-root user, we want to log that event. And that is something we have in the raw events as well. So if I add my filter rule here,

15:23

I think I called it privilege or elevated, oh no, sorry, not elevated briefs. It is called elevated briefs. Oh yeah, sorry, power abuse, yes. This is the one I'm looking for. But elevated briefs will capture this as well since we ran it with sudo.

15:41

Elevated briefs is just, in my example, anything that you run with sudo, we are capturing here as well. So we might probably find the elevated briefs here if we open that one. So you can see we have a syscall and you can still see this, but this was only found now because it was run with sudo,

16:00

but we're still capturing any sudo event. But yes, power abuse is the proper one if I remembered my own tags. And with power abuse, if we scroll down to those, you see, okay, this was tagged with power abuse, and you can see this was as well the command that we have been running.

16:21

So you find out what somebody is up to. Something else that you might be doing is that, let's say, anybody wants to talk to me, but I think the Wi-Fi here is filtering that out. But generally, if I connect by telnet

16:41

to my instance on that port and I write hello, it will arrive here. And anybody who wants to can just chat, but I think the Wi-Fi might be filtering this out, so you might need to reuse your phone. How would we find out that somebody has opened a port and is doing stuff now? For that, we have slightly extended

17:01

our configuration format, because I said initially the ODD format is a bit crude. And in the very latest release of the stack that came out this week, we added another way to configure things like that, which might be slightly nicer to look at. So here, if I scroll down a bit,

17:22

no, not so far. This is the one I want. Here, for example, we have a so-called system module that is looking for processes and sockets every second and is capturing those. And then you could just say which processes have been run by a user or which sockets have been opened, which also might be interesting

17:41

if somebody opens weird sockets on your system. And to show you what that might look like is, let's throw all of this away, and let's assume somebody opened something on port 1025. I'm just randomly searching for that. You can see we found a bunch of events,

18:01

and you can see, okay, somebody opened an outbound socket. You could just open that event and then see, okay, this is the destination IP. The process has now exited. But this was the specific thing that happened on your instance. You could also see which source port was hit. You could see we would also have a process.

18:22

So somewhere you would find the netcat command that we have been running, depending on which event we're looking at right now. I'm just capturing this in various ways to show you the multiple ways that you could see that. For example, here you can see, okay, netcat was stopped, but we opened that port,

18:41

and this was the command that we had been running, and this was also what opened the port. So you could just figure out like why are suddenly new ports listening, and which user was that, what has been compromised, or where is stuff happening and breaking. One final thing that we have at the bottom here is we can check the file integrity. In the file integrity,

19:00

basically we can just monitor a folder or a file, hash it, and then every time the file changes, we will compare the hash and see that somebody changed the file. Which can also be interesting if suddenly your website is starting to serve some weird content. You might want to figure out when was it changed, and maybe which user changed it, or what were the actual actions they did on the file system.

19:21

So I'm watching my web directory, and to actually see something, we'll need to change that. So let's say, no, var, var lib, oh, var lib, HTML, index HTML.

19:42

Let's say, no, this is the wrong line. Undo, undo, undo. Let's say we're adding something here, so what this looks like is,

20:01

right now, it's just a welcome page. Not super fancy, but let's say somebody wants to add an emoji. This should work. Ah, crap.

20:21

And now, when you reload your page, ah, did it, okay, doesn't look that professional anymore,

20:41

but we do have another dashboard to actually figure out what happened here. So let's say, audit bit, audit bit, and we have a file integrity module. Let's say we just want to change this in the last 15 minutes. And then you can see here, we moved files,

21:02

and we created files. This is because VI's are having this weird replacement pattern. If you used nano or ed or something like that, you would just see a changed file. And if you scroll down, you can see which file's changed, and you can see the actual events where the file was created and replaced, et cetera.

21:23

So you can see all the changes on the file system for that as well. And I think that's pretty much it. You did very well on the slides. If you want to try it out yourself, I'm not giving you the root user, but you can use the other user. It's the elastic user and the password is secret.

21:41

And you cannot create or change anything on the dashboards, but you can look at all the existing dashboards and just filter down on them if you want to play around with that. I let that run for another day or so, then I'll just throw it away. Please don't start sending spam or anything else. Just do some proper research. If you want to get all the configurations,

22:01

I have those on GitHub. You can just look at the configurations and set it up. It's just Terraform and Ansible to set up my instance automatically, and I will just destroy it tomorrow again with that. Yeah, there are some similar solutions. Look at those if you're interested, or look at Auditbeat. That's what we are trying to do and put in our stack.

22:21

And with that, we have two minutes for questions. Any questions? Okay, while the microphone is on the way to you, is anybody using Auditbeat already, just out of curiosity? Okay, not that many, not yet.

22:43

Hi, thank you for the slides and a great presentation. What are the next steps? So we have collected a lot of audit events, and are there automations or some further stuff that you reach automatically? So it's a kind of a manual stuff until,

23:01

so we have to get into Kibana, and let's try to find some events. Yes, so there are two things. However, they are how my salary is being paid. So those are commercial features, so you get them on our cloud service included. We have something called alerting, where you just specify rules, and it will send you Slack, SMS,

23:22

Pager, YouTube, whatever. The other thing that is very helpful in that regard probably is we have something called machine learning, but machine learning is a super overloaded term. It's anomaly detection of time series. So it basically learns what is normal. That could be like logins or failed logins per user, or started processes, or which ports are open. And it just learns that over time it knows, for example,

23:42

during the week you have like a regular curve, and on the weekend it's much lower. And then if you have an outlier, for example, if a Saturday looks like a weekday, it would just alert you because it knows what the pattern is that it is expecting. So for example, if you have normally very few login attempts over the weekend because you're kind of in cooperation and nobody's working on the weekend, it could just alert you and tell you,

24:01

somebody is trying to do as many logins as during the week, which might otherwise with strict alerting rules be very hard to find. So we have these commercial add-ons, but admittedly they're commercial because that is how we finance the rest of the stack. But to get the events, that is all free

24:21

and you can just go crazy with that. All the stuff I've shown you is Apache 2 licensed. Thank you. Cool, I think we have one more minute. If anybody else wants to, okay. I was wondering, so you have very nice rules you can give.

24:45

Sorry, yeah. Now if you end up with quite an extensive rule set, how heavy would that be for your system? I mean, it would not be the first time that all the thing or mounting would like take down the system.

25:01

Obviously if you have too many rules it could take down your system.