Universal Forwarder Security: Don't Input More Than . - Splunk

Transcription

Matt Uebel, Security Engineer, Defense Point Security

Matt Uebel

Travis Holland

...orations. ...ear 2015. 20 Splunk Certified Architects on staff. We use Splunk to achieve many of the expertise domains above.

Agenda: ...olutions to the problem. Automation scripts and snippets.

...dmins?

Exploitation - ...ully escalated from non-... ...ges with DPS Community

Exploitation - Universal Forwarder Escalation from non-root to root via the Universal Forwarder
1. Create rogue deployment server
2. Change the deployment server of the universal forwarder
3. Restart the Universal Forwarder
4. Create exploitation App
a. App returns a root shell
5. Deploy App - Reap the rewards

Exploitation - ...re forwarders appropriately

The UF Deployment Plan: Usually simply “yum/apt-... ...e can be done

...eployment Server, Firewall Rules, SSL Certificates

Run as non-root
...ult)
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk
chown -R splunk:splunk /opt/splunkforwarder
Lock down splunk-launch.conf, which contains the run-as-user config:
chown root:splunk /opt/splunk/etc/splunk-launch.conf
chmod 644 /opt/splunk/etc/splunk-launch.conf

Reading Files as non-root
..., or simply change group ownership to splunk
groupadd syslog
chown -R :syslog /var/log
chmod -R g+s /var/log
usermod -a -G syslog splunk

Reading Files as non-root cont.
Usual defaults have /var/log unreadable by non-root users
setfacl -Rm u:splunk:r-x,d:u:splunk:r-x /var/log
/etc/audit/auditd.conf: log_group = splunk
chgrp -R splunk /var/log/audit
chmod 0750 /var/log/audit
chmod 0640 /var/log/audit/*
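After changing group ownership and modes as above, a practitioner wants to confirm that the splunk account can actually read the log files from its mode bits, and that nothing was left world-readable (the talk's 0640 target). The following is an added example, not code from the talk or from Splunk: a small Python audit that evaluates owner/group/other read bits for a given uid and set of gids. It builds constructed sample files in a temporary directory; the uid passed in is a placeholder standing in for the splunk account. POSIX ACLs granted with setfacl are not visible through stat(), so a file readable only via an ACL reports as "not readable" here.

```python
import os
import stat
import tempfile

# Added example, not from the talk. Checks readability from mode bits only;
# setfacl-granted reads are invisible to stat() and will show as "not readable".

def readable_by(st, uid, gids):
    """True if an account with this uid and these gids can read a file whose
    os.stat() result is st, judged by the owner/group/other read bits."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_log_files(paths, uid, gids):
    """Return {path: status}; status is 'readable', 'not readable', or
    'world-readable' (readable by everyone, which the 0640 target avoids)."""
    report = {}
    for path in paths:
        st = os.stat(path)
        if st.st_mode & stat.S_IROTH:
            report[path] = "world-readable"
        elif readable_by(st, uid, gids):
            report[path] = "readable"
        else:
            report[path] = "not readable"
    return report


def demo():
    """Constructed sample: three files with the modes the talk discusses,
    audited as a non-owner account that is a member of the files' group."""
    d = tempfile.mkdtemp()
    modes = {"audit.log": 0o640, "secure": 0o600, "messages": 0o644}
    paths = []
    for name, mode in modes.items():
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("constructed sample line\n")
        os.chmod(p, mode)
        paths.append(p)
    owner = os.stat(paths[0])
    fake_uid = owner.st_uid + 1          # placeholder uid for the splunk account
    gids = {owner.st_gid}                # the files' group, standing in for 'splunk'
    result = audit_log_files(paths, fake_uid, gids)
    return {os.path.basename(k): v for k, v in result.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run it against real paths by calling audit_log_files with the splunk account's uid and gids from pwd and grp; in the constructed demo, audit.log (0640, group-owned) is readable, secure (0600) is not, and messages (0644) is flagged world-readable.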

Windows Low-privilege Mode
...y a local or domain user
msiexec.exe /i splunkforwarder.msi AGREETOLICENSE=Yes LOGON_USERNAME="$env:computername\splunk" LOGON_PASSWORD="$password" SET_ADMIN_USER=0 LAUNCHSPLUNK=0 /qn


Change Admin Password (nix)
Bash script to set admin password to random string:
$SPLUNK_HOME/bin/splunk edit user admin -password $(head -c 500 /dev/urandom | sha256sum | base64 | head -c 16 ; echo) -auth
SOLUTION: Remove $SPLUNK_HOME/etc/passwd, restart splunk

Change Admin Password (win)
Generate the random password:
do { $password = (-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 14 | % {[char]$_})) } until ($password -match "[0-9]" -and $password -match "[a-z]" -and $password -match "[A-Z]")
Set that password for admin user:
& " nk.exe" edit user admin -password ($password) -auth admin:changeme | out-null


Disable Management Port (nix)
Create app directory:
mkdir -p /opt/splunkforwarder/etc/apps/UF-TA-killrest/local
...ement interface:
echo '[httpServer]
disableDefaultPort = true' > /opt/splunkforwarder/etc/apps/UF-TA-killrest/local/server.conf

Disable Management Port (win)
Create app directory:
new-item -path " \UF-TA-killrest\local" -ItemType "Directory" -force | out-null
...ement interface:
"[httpServer]`r`ndisableDefaultPort = true" | out-file " \UF-TA-killrest\local\server.conf" -force | out-null


...ing as root/system can easily take over an environment

...ronment
index=_internal sourcetype=splunkd DeployedApplication Downloaded url!=your-ds-server*
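The search above flags forwarders that downloaded an app from anywhere other than your deployment server. As an added example, not code from the talk or from Splunk, here is the same detection expressed in Python over a handful of constructed splunkd.log lines (the line shape is constructed to carry the "DeployedApplication ... Downloaded url=" terms the search keys on; the hostnames and app names are placeholders). It parses each download event, extracts the deployment server host from the URL, and reports any host outside the allowed list.

```python
import re
from urllib.parse import urlparse

# Constructed sample splunkd.log lines (not real captures). Two downloads come from
# the expected deployment server, one from an unexpected address, one line is unrelated.
SAMPLE_LINES = [
    "09-21-2015 10:02:11.101 +0000 INFO  DeployedApplication - Downloaded "
    "url=https://ds01.example.internal:8089/services/streams/deployment?name=default:all:linux_inputs "
    "to file=/opt/splunkforwarder/var/run/linux_inputs-1.bundle sizeKB=12",
    "09-21-2015 10:02:12.404 +0000 INFO  DeployedApplication - Downloaded "
    "url=https://ds01.example.internal:8089/services/streams/deployment?name=default:all:outputs "
    "to file=/opt/splunkforwarder/var/run/outputs-1.bundle sizeKB=3",
    "09-21-2015 10:03:50.771 +0000 INFO  DeployedApplication - Downloaded "
    "url=https://10.0.5.77:8089/services/streams/deployment?name=default:all:unknown_app "
    "to file=/opt/splunkforwarder/var/run/unknown_app-1.bundle sizeKB=7",
    "09-21-2015 10:04:00.000 +0000 INFO  TailingProcessor - Parsing configuration "
    "stanza: monitor:///var/log/messages.",
]

DOWNLOAD_RE = re.compile(r"DeployedApplication - Downloaded url=(?P<url>\S+)")


def parse_downloads(lines):
    """Yield (timestamp, url) for every app download recorded in the lines."""
    for line in lines:
        m = DOWNLOAD_RE.search(line)
        if m:
            ts = " ".join(line.split()[:3])   # "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ"
            yield ts, m.group("url")


def find_unexpected_sources(lines, allowed_hosts):
    """Return downloads whose deployment server host is not in allowed_hosts,
    the Python equivalent of the talk's url!=your-ds-server* clause."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for ts, url in parse_downloads(lines):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed:
            hits.append({"time": ts, "host": host, "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_sources(SAMPLE_LINES, ["ds01.example.internal"]):
        print(f"{hit['time']} unexpected deployment server {hit['host']}: {hit['url']}")
```

Feed it the splunkd.log of any forwarder (or the _internal index export) together with the hostnames your forwarders are supposed to use; a non-empty result is a forwarder whose deploymentclient.conf points somewhere it should not.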

Who Has Access to DS? ...n admin role?

Monitor Deploy-Capable Users
While in known good state, make lookup:
| rest splunk_server=local /services/authentication/users
| search capabilities=edit_deployment* OR capabilities=list_deployment*
| eval username=title
| eval permitted="True"
| table username permitted
| outputlookup deploy_capable_users.csv

Monitor Deploy-Capable Users cont.
On some schedule, search to find any users not in lookup:
| rest splunk_server=local /services/authentication/users
| search capabilities=edit_deployment* OR capabilities=list_deployment*
| eval username=title
| table username
| lookup deploy_capable_users.csv username OUTPUTNEW permitted
| search NOT permitted=*
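The two searches above are a baseline-and-diff pattern: record who holds deployment capabilities while the system is in a known good state, then periodically report anyone who holds them and is not in that record. As an added example, not code from the talk or from Splunk, the following Python carries the same logic over constructed stand-ins for the /services/authentication/users entries (title = username, capabilities = the user's capability list) and a constructed deploy_capable_users.csv baseline. The user names and capability sets are placeholders.

```python
import csv
import fnmatch
import io

# Constructed stand-ins for entries returned by /services/authentication/users.
CURRENT_USERS = [
    {"title": "admin",
     "capabilities": ["admin_all_objects", "edit_deployment_server", "list_deployment_server"]},
    {"title": "ds_ops",
     "capabilities": ["list_deployment_client", "list_deployment_server"]},
    {"title": "analyst",
     "capabilities": ["search", "list_inputs"]},
    {"title": "new_contractor",
     "capabilities": ["edit_deployment_client", "search"]},
]

# Constructed baseline in the shape of the talk's deploy_capable_users.csv lookup.
BASELINE_CSV = "username,permitted\nadmin,True\nds_ops,True\n"

# Same wildcards as the talk's search: capabilities=edit_deployment* OR capabilities=list_deployment*
DEPLOY_PATTERNS = ("edit_deployment*", "list_deployment*")


def deploy_capable(users):
    """Usernames holding any deployment-server or deployment-client capability."""
    return sorted(
        u["title"] for u in users
        if any(fnmatch.fnmatch(c, p) for c in u["capabilities"] for p in DEPLOY_PATTERNS)
    )


def make_baseline(users):
    """Equivalent of the first search's outputlookup: the current deploy-capable set as CSV."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["username", "permitted"])
    for name in deploy_capable(users):
        w.writerow([name, "True"])
    return out.getvalue()


def load_baseline(csv_text):
    """Usernames the lookup marks as permitted."""
    return {row["username"] for row in csv.DictReader(io.StringIO(csv_text))
            if row.get("permitted") == "True"}


def unexpected_deploy_users(users, csv_text):
    """Equivalent of the scheduled search: deploy-capable users absent from the lookup."""
    return sorted(set(deploy_capable(users)) - load_baseline(csv_text))


if __name__ == "__main__":
    print("deploy-capable now:", deploy_capable(CURRENT_USERS))
    print("not in baseline:", unexpected_deploy_users(CURRENT_USERS, BASELINE_CSV))
```

In the constructed data, new_contractor was granted edit_deployment_client after the baseline was taken and is the one name reported; regenerating the baseline with make_baseline once that grant is reviewed makes the report empty again.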

Watching Audit Log for Bundle Reloads
Useful in particular for off-hours events:
index=_audit action=list_deployment_server info=granted object="reload" operation="reload"

Gather Bash History: ...system. Can add a layer of protection by gathering bash commands. See repo for more details.


...mmunication. Splunk SSL Configuration: SSLippery Slope - George and Duane's SSL Talk. ...izations


What Now? Keeping the Junk Out of Splunk: Worst Practices. ...ommands. Fields, Indexed Tokens and You

Links: ...ers post on the topic of reading logs as non-... ...orm). Splunk IRC - #splunk on EFNet

THANK YOU

Who is DPS? ...ll businesses exclusively providing cyber ... ...rnment and ...