SHOWDOWN: Threat Stack vs. Red Hat AuditD
By Jen Andre, Co-Founder Threat Stack
We like magic.
But since magic isn’t real, we have to come up with the next best thing to make our agent the best in its class.
Savvy operations and security people who use our service are blown away by the kinds of
information the Threat Stack agent can collect, correlate, and analyze
from Linux servers.
“I’ve tried to do this with (Red Hat) audits with little to no success… how do you guys do it?” they say.
The Linux audit subsystem is a very powerful way to collect information about system calls
and other security-relevant activity.
The best part…
No kernel module is required to enable this detailed level of auditing
since it’s built right into Linux!
You can write a log anytime a particular system call happens, whether that be unlink or getpid.
And since the auditing operates at such a low level, the granularity
of information is incredibly useful.
Traditionally, people have used the userland daemon ‘auditd’, built by some good Red Hat folks, to collect and consume this data.
However, there are a couple of problems with traditional open source auditd and auditd libraries
that we’ve had to deal with ourselves…
…especially when trying to run it on performance-sensitive systems and make sense of the obtuse
data that traditional auditd spits out.
To that effect, we’ve written a custom audit listener from the ground up for the Threat Stack agent (tsauditd).
This is what makes Threat Stack’s audit listener special…
1. Performance Enhancements
Many people have tried to use traditional Red Hat audits in production to do very detailed auditing of user,
process, and network syscall activity, but have failed due to the performance impact.
We’ve ensured that our agent is responsible with resource utilization
through our unique parsing model.
While benchmarking a web server, we saw auditd consume 120% of the CPU!
Threat Stack’s agent CPU consumption was only 10%!
2. Output Enhancements
The Linux audit system splits a single event across many separate output lines (a SYSCALL record plus its related records), which you then have to correlate later via your ingestion
engine or your log management system…
The key-value format is also cumbersome to parse,
and values are often hex-encoded, seemingly at random…
We’ve decided that all related events should be grouped together and have conveniently
parsed everything correctly for you.
We then transformed that into a JSON output format that is much
simpler to read and parse.
3. Network tooling (“src/dst port”)
Tracking network connections across multiple hosts, and matching up the two ends of a connection between boxes, can be a manual and painful process.
To make it easier, our agent adds metadata to network connection events to determine where the connection is
originating from and where it is going.
Our backend then correlates these network events to determine the originating process and potential user activity
that caused that network event, so long as the agent lives on both the source and destination server.
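The cross-host join described above, as an added illustration written for this page (it is not Threat Stack's backend code): each side's agent records a connection event with the source and destination address and port plus the local process and user, and the two ends are matched on that 4-tuple. The field names, the hosts "web-1" and "db-1", and the events themselves are constructed for the example. Because ephemeral source ports are reused, the join is restricted to a short time window, and an accept with no partner is reported with an empty source, which is what you see when no agent runs on the originating host.

```python
"""Correlate the two ends of a TCP connection recorded by agents on different
hosts, so the accepting process can be traced back to the originating
process and user. Example code written for this page, not Threat Stack's."""
import json

TIME_WINDOW_SECS = 5.0  # ephemeral ports are reused, so only join nearby events

# Constructed sample events in the shape the deck describes: each agent tags a
# connection event with source/destination address and port plus the local
# process and user. Hosts "web-1" and "db-1" are hypothetical.
CONNECT_EVENTS = [  # recorded on the originating host
    {"ts": 100.00, "host": "web-1", "src_ip": "10.0.1.10", "src_port": 51234,
     "dst_ip": "10.0.2.20", "dst_port": 5432, "pid": 2201, "comm": "python3", "user": "app"},
    {"ts": 100.50, "host": "web-1", "src_ip": "10.0.1.10", "src_port": 51240,
     "dst_ip": "10.0.2.20", "dst_port": 22, "pid": 3310, "comm": "ssh", "user": "alice"},
    {"ts": 9000.0, "host": "web-1", "src_ip": "10.0.1.10", "src_port": 51234,  # same port, reused much later
     "dst_ip": "10.0.2.20", "dst_port": 5432, "pid": 4410, "comm": "psql", "user": "bob"},
]
ACCEPT_EVENTS = [  # recorded on the destination host
    {"ts": 100.02, "host": "db-1", "src_ip": "10.0.1.10", "src_port": 51234,
     "dst_ip": "10.0.2.20", "dst_port": 5432, "pid": 900, "comm": "postgres", "user": "postgres"},
    {"ts": 100.51, "host": "db-1", "src_ip": "10.0.1.10", "src_port": 51240,
     "dst_ip": "10.0.2.20", "dst_port": 22, "pid": 1200, "comm": "sshd", "user": "root"},
    {"ts": 101.00, "host": "db-1", "src_ip": "203.0.113.7", "src_port": 40000,
     "dst_ip": "10.0.2.20", "dst_port": 22, "pid": 1201, "comm": "sshd", "user": "root"},
]


def four_tuple(ev):
    """The (src ip, src port, dst ip, dst port) key both ends agree on."""
    return (ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"])


def endpoint(ev):
    """Just the process/user identity of one end of the connection."""
    return {"host": ev["host"], "pid": ev["pid"], "comm": ev["comm"], "user": ev["user"]}


def correlate(connects, accepts, window=TIME_WINDOW_SECS):
    """Join each accept with the closest-in-time connect on the same 4-tuple.
    An accept with no partner inside the window is reported with src=None:
    that is the case where no agent was running on the source host."""
    index = {}
    for ev in connects:
        index.setdefault(four_tuple(ev), []).append(ev)
    joined = []
    for acc in accepts:
        candidates = [c for c in index.get(four_tuple(acc), [])
                      if abs(c["ts"] - acc["ts"]) <= window]
        src = min(candidates, key=lambda c: abs(c["ts"] - acc["ts"])) if candidates else None
        joined.append({"tuple": four_tuple(acc), "ts": acc["ts"],
                       "src": None if src is None else endpoint(src),
                       "dst": endpoint(acc)})
    return joined


def describe(link):
    """One-line, human-readable form of a joined record."""
    s, d = link["src"], link["dst"]
    if s is None:
        who = "unmanaged host %s" % link["tuple"][0]
    else:
        who = "%s/%s (pid %d) on %s" % (s["user"], s["comm"], s["pid"], s["host"])
    return "%s -> %s/%s (pid %d) on %s:%d" % (
        who, d["user"], d["comm"], d["pid"], d["host"], link["tuple"][3])


if __name__ == "__main__":
    for link in correlate(CONNECT_EVENTS, ACCEPT_EVENTS):
        print(describe(link))
        print(json.dumps(link))
```

The third accept in the sample comes from an address with no connect record at all, so it is attributed only to the remote IP; the first one shows why the time window matters, since the same source port appears again in a much later, unrelated connection.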
This is especially useful for tracking SSH sessions
across your environment and debugging what servers are speaking to one another and why.
4. User Activity Auditing
Digging around the server logs to see where a user on your system went is not an easy job.
You’d need to manually find the agent and session that a user connected to, yet all the kernel gives us in the traditional auditd logs is a nasty
hex-encoded string representing the connection address!
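The two auditd pain points named on this page, the event split across several key-value lines that must be correlated (section 2) and the hex-encoded connection address above, are shown being undone in the following example, which is written for this page and is not tsauditd or any Threat Stack code. It groups raw records by the `msg=audit(<time>:<serial>)` id they share, strips quotes, decodes the fields auditd hex-encodes whenever the value contains characters unsafe for its format (spaces, quotes, control characters; `proctitle` is the usual victim), unpacks `saddr`, which is always a hex dump of the raw `struct sockaddr`, and emits one JSON document per event. The sample log is constructed by hand to look like what a rule such as `-a always,exit -F arch=b64 -S connect -k network` produces; the assumption that the audit host is little-endian (so `sa_family` reads as two little-endian bytes) is marked in the code.

```python
"""Group raw Linux audit records into one JSON event per audit serial,
decoding the hex-encoded fields (proctitle, saddr) along the way.
Example code written for this page, not tsauditd."""
import json
import re
import socket
from collections import OrderedDict

# Constructed sample: one connect(2) event as auditd writes it, spread over
# four records that share the same msg=audit(<time>:<serial>) id. The hex
# values were built by hand for this example, not captured from a system.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1640000000.123:4567): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2a1b6c40 a2=10 a3=0 items=0 ppid=1 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="curl" exe="/usr/bin/curl" key="network"
type=SOCKADDR msg=audit(1640000000.123:4567): saddr=02000050C0A800010000000000000000
type=PROCTITLE msg=audit(1640000000.123:4567): proctitle=6375726C00687474703A2F2F3139322E3136382E302E31
type=EOE msg=audit(1640000000.123:4567):
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')
# Fields auditd writes as an uppercase hex string whenever the raw value
# contains whitespace, quotes or control characters.
HEX_STRING_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "data"}
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Linux address-family numbers: the log came from Linux even if this parser
# runs somewhere else, so do not use the local socket module's constants here.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10


def decode_saddr(hex_value):
    """Decode auditd's hex dump of struct sockaddr into a JSON-friendly dict."""
    raw = bytes.fromhex(hex_value)
    # sa_family_t is in host byte order; a little-endian audit host is assumed.
    family = int.from_bytes(raw[:2], "little")
    if family == AF_INET and len(raw) >= 8:          # struct sockaddr_in
        return {"family": "inet", "port": int.from_bytes(raw[2:4], "big"),
                "addr": socket.inet_ntop(socket.AF_INET, raw[4:8])}
    if family == AF_INET6 and len(raw) >= 24:        # struct sockaddr_in6
        return {"family": "inet6", "port": int.from_bytes(raw[2:4], "big"),
                "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24])}
    if family == AF_UNIX:                            # struct sockaddr_un
        path = raw[2:].split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "unix", "path": path}
    return {"family": family, "raw": hex_value}


def decode_value(key, value):
    """Strip quotes, or decode the hex form auditd uses for unsafe strings."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key == "saddr":
        return decode_saddr(value)
    if key in HEX_STRING_FIELDS and HEX_RE.match(value):
        # NUL separates argv entries in proctitle; show them space-separated.
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\0", " ")
    return value


def parse_record(line):
    """Turn one 'key=value ...' audit line into (time, serial, fields)."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    fields = OrderedDict()
    for key, value in FIELD.findall(line):
        if key != "msg":  # the event id is carried separately
            fields[key] = decode_value(key, value)
    return m.group(1), int(m.group(2)), fields


def group_events(log_text):
    """Correlate records by audit serial; return a list of JSON-ready events."""
    events = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_record(line.strip())
        if parsed is None:
            continue
        time, serial, fields = parsed
        event = events.setdefault(serial, {"time": time, "serial": serial, "records": []})
        if fields.get("type") != "EOE":  # end-of-event marker carries no data
            event["records"].append(fields)
    return list(events.values())


def summarize(event):
    """Pull the fields an analyst asks for first out of a grouped event.
    (Keyed by record type, so repeated PATH records would collapse; the
    summary only reads SYSCALL, PROCTITLE and SOCKADDR.)"""
    by_type = {r["type"]: r for r in event["records"]}
    sc = by_type.get("SYSCALL", {})
    summary = {"time": event["time"], "pid": sc.get("pid"), "uid": sc.get("uid"),
               "comm": sc.get("comm"), "exe": sc.get("exe"), "syscall": sc.get("syscall")}
    if "PROCTITLE" in by_type:
        summary["cmdline"] = by_type["PROCTITLE"].get("proctitle")
    if "SOCKADDR" in by_type:
        summary["dst"] = by_type["SOCKADDR"].get("saddr")
    return summary


if __name__ == "__main__":
    for ev in group_events(SAMPLE_LOG):
        print(json.dumps(ev, indent=2))
        print(json.dumps(summarize(ev)))
```

Running it on the sample turns the four raw lines into one event whose summary reads as "uid 1000 ran curl http://192.168.0.1 and connected to 192.168.0.1:80", which is the readable form the deck is after; feeding it a file from `ausearch --raw` or `/var/log/audit/audit.log` works the same way, record by record.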
On top of that, most of the information logged by auditd is not really relevant, and
hard for the human eye to parse.
To correct that…
We’ve designed Threat Stack to store the events, activity, and commands associated with a logged-in user, and to automatically reconstruct this information into a
clean, compact, and readable timeline.
Stay tuned for more engineering feats we are accomplishing at Threat Stack…