7 Open Source Cloud Security Monitoring Tools You Should Know About

The widespread adoption of cloud computing helps companies grow their business. But using new platforms also means facing new threats. Keeping an in-house team responsible for monitoring the security of cloud services is not easy. Existing monitoring tools are expensive and slow, and they are, to a certain extent, hard to manage when it comes to securing cloud infrastructure. To keep their cloud security at a high level, companies need powerful, flexible and intuitive tools that go beyond what was available before. This is where open source technology helps a lot: it saves security budget and is built by specialists who know their field well.


The article, a translation of which we publish today, gives an overview of 7 open source tools for monitoring the security of cloud systems. These tools are designed to protect against hackers and cybercriminals by detecting anomalies and unsafe activity.

1. Osquery

Osquery is a system for low-level monitoring and analysis of operating systems that lets security specialists run complex data mining using SQL. The Osquery framework runs on Linux, macOS, Windows and FreeBSD. It represents the operating system (OS) as a high-performance relational database, which allows security specialists to examine the OS by running SQL queries. For example, with a query you can learn about running processes, loaded kernel modules, open network connections, installed browser extensions, hardware events, and file hashes.

The Osquery framework was created by Facebook. Its code was open-sourced in 2014, after the company realized it was not the only one that needed tools for monitoring the low-level mechanisms of operating systems. Since then, Osquery has been used by specialists from companies such as Dactiv, Google, Kolide, Trail of Bits, Uptycs, and many others. It was recently announced that the Linux Foundation and Facebook will create a fund to support Osquery.

The Osquery host monitoring daemon, called osqueryd, lets you schedule queries that collect data from across your organization's infrastructure. The daemon collects query results and produces logs that reflect changes in the state of the infrastructure. This helps security specialists stay aware of the state of their systems and is very useful for detecting anomalies. Osquery's log aggregation capabilities can help you find known and unknown malware, identify where attackers entered your system, and find out which programs they installed. Read more about anomaly detection with Osquery here.
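To make the scheduling and differential-logging idea concrete, here is an added example (not from the article or the osquery project): an osqueryd configuration that schedules two queries, and a small checker that reads the result-log lines osqueryd writes and flags "added" rows outside an assumed per-host baseline. The sample log lines and the allowlists are constructed for illustration.

```python
import json

# osqueryd configuration (JSON) scheduling two queries in differential mode:
# every 300 s osqueryd logs only rows that were added or removed since the last run.
OSQUERYD_CONFIG = {
    "options": {"logger_plugin": "filesystem"},
    "schedule": {
        "listening_ports": {
            "query": "SELECT l.pid, l.port, l.protocol, l.address, p.path "
                     "FROM listening_ports l JOIN processes p USING (pid) WHERE l.port != 0;",
            "interval": 300,
        },
        "kernel_modules": {
            "query": "SELECT name, size, used_by, status FROM kernel_modules;",
            "interval": 300,
        },
    },
}

# Constructed sample of osqueryd result-log lines (one JSON object per line,
# as the filesystem logger writes them); not real telemetry.
SAMPLE_RESULTS = """
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000000,"action":"added","columns":{"pid":"1201","port":"443","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/nginx"}}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000300,"action":"added","columns":{"pid":"4242","port":"4444","protocol":"6","address":"0.0.0.0","path":"/tmp/.x"}}
{"name":"kernel_modules","hostIdentifier":"web-01","unixTime":1700000300,"action":"added","columns":{"name":"unknown_mod","size":"16384","used_by":"-","status":"Live"}}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000600,"action":"removed","columns":{"pid":"4242","port":"4444","protocol":"6","address":"0.0.0.0","path":"/tmp/.x"}}
"""

# Baseline of what each host is expected to expose / load (assumed allowlists).
EXPECTED_PORTS = {("web-01", "22"), ("web-01", "443")}
EXPECTED_MODULES = {"ext4", "xfs", "nf_conntrack"}

def find_anomalies(log_text: str) -> list[str]:
    """Return one finding per 'added' row that falls outside the baseline."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        if entry["action"] != "added":
            continue  # a removal ends exposure; only newly added rows are flagged here
        host, cols = entry["hostIdentifier"], entry["columns"]
        if entry["name"] == "listening_ports" and (host, cols["port"]) not in EXPECTED_PORTS:
            findings.append(f"{host}: new listener on port {cols['port']} from {cols['path']}")
        elif entry["name"] == "kernel_modules" and cols["name"] not in EXPECTED_MODULES:
            findings.append(f"{host}: unexpected kernel module {cols['name']} loaded")
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_RESULTS):
        print(finding)
```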

2. GoAudit

The Linux audit system has two main components. The first is kernel-level code designed to intercept and monitor system calls. The second is a user-space daemon called auditd, which is responsible for writing audit results to disk. GoAudit, a system created by Slack and released in 2016, is intended to replace auditd. It improves logging by converting the multiple event messages generated by the Linux audit system into single JSON blobs that are easier to analyze. With GoAudit you can access kernel-level mechanisms directly over the network. In addition, you can enable minimal event filtering on the host itself (or disable filtering completely). At the same time, GoAudit is a project designed for more than just security: it is built as a feature-rich tool for systems and development specialists and helps troubleshoot problems in large-scale infrastructure.

GoAudit is written in Golang, a type-safe and high-performance language. Before installing GoAudit, check that your Golang version is higher than 1.7.
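The conversion GoAudit performs, several auditd records for one syscall collapsed into a single JSON blob, is shown below as an added example (not GoAudit's own code, which is written in Go; the output shape is a simplification, not GoAudit's exact format). The audit lines are a constructed sample of what auditd writes for one execve() call.

```python
import json
import re

# One auditd record per line, all sharing the same sequence number (":501"),
# as the Linux audit system emits them for a single execve(). Constructed sample.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=59 success=yes exit=0 ppid=4200 pid=4242 auid=1000 uid=0 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1700000000.123:501): argc=3 a0="curl" a1="-s" a2="https://example.com/"
type=CWD msg=audit(1700000000.123:501): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:501): item=0 name="/usr/bin/curl" inode=1234 mode=0100755
type=PATH msg=audit(1700000000.123:501): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 mode=0100755
type=EOE msg=audit(1700000000.123:501):
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<seq>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_body(body: str) -> dict:
    """Split 'k=v k="quoted v"' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}

def coalesce(lines):
    """Group records by sequence number: one dict per audit event, in arrival order."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m or m["type"] == "EOE":   # EOE only marks the end of an event
            continue
        ev = events.setdefault(int(m["seq"]), {"sequence": int(m["seq"]), "timestamp": m["ts"], "records": {}})
        data = parse_body(m["body"])
        if m["type"] == "PATH":            # several PATH records per event are normal
            ev["records"].setdefault("PATH", []).append(data)
        else:
            ev["records"][m["type"]] = data
    return list(events.values())

def summarize(event: dict) -> dict:
    """Flatten the pieces an analyst actually wants: who ran what, from where."""
    sc, ex = event["records"].get("SYSCALL", {}), event["records"].get("EXECVE", {})
    argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0)))]
    return {"sequence": event["sequence"], "uid": sc.get("uid"), "auid": sc.get("auid"),
            "exe": sc.get("exe"), "argv": argv,
            "cwd": event["records"].get("CWD", {}).get("cwd"),
            "paths": [p["name"] for p in event["records"].get("PATH", [])]}

def audit_to_json(text: str) -> list[str]:
    """Emit one JSON blob per event, the shape a collector would ship to a SIEM."""
    return [json.dumps(summarize(ev)) for ev in coalesce(text.splitlines())]
```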

3. Grapl

The Grapl project (Graph Analytics Platform) was moved to the open source category in March of last year. It is a relatively new platform for detecting security problems, performing computer forensics, and generating incident reports. Attackers usually operate in something like a graph model: they gain control of one system and then explore other systems on the network starting from it. It is therefore natural for defenders to use a mechanism based on a graph model of the connections between network systems, taking the peculiarities of the relationships between systems into account. Grapl is an attempt to implement incident detection and response measures on a graph model rather than a log model.

Grapl takes security-related logs (Sysmon logs or logs in a regular JSON format) and converts them into subgraphs (defining an "identity" for each node). It then merges the subgraphs into a common graph (the Master Graph) that represents the actions performed in the analyzed environments. Grapl then runs Analyzers over the resulting graph, using "attacker signatures" to identify anomalies and suspicious patterns. When an analyzer identifies a suspicious subgraph, Grapl produces an Engagement construct intended for investigation. An Engagement is a Python class that can be loaded, for example, into a Jupyter Notebook deployed in an AWS environment. Grapl can also increase the amount of information collected for an incident investigation by expanding the graph.

If you want to understand Grapl better, you can watch this interesting video, a recording of a talk from BSides Las Vegas 2019.

4. OSSEC

OSSEC is a project founded in 2004. In general terms it can be described as an open source security monitoring platform designed for host analysis and intrusion detection. OSSEC is downloaded more than 500000 times a year. The platform is used mainly as a means of intrusion detection on servers, and this applies to both on-premises and cloud systems. OSSEC is also often used as a tool for examining and analyzing firewall logs, intrusion detection system logs, web server logs, and authentication logs.

OSSEC combines the capabilities of a Host-based Intrusion Detection System (HIDS) with Security Incident Management (SIM) and Security Information and Event Management (SIEM). OSSEC can monitor file integrity in real time; this, for example, lets it monitor the Windows registry and detect rootkits. OSSEC can notify interested parties about detected problems in real time and helps respond quickly to detected threats. The platform supports Microsoft Windows and most modern Unix-like systems, including Linux, FreeBSD, OpenBSD and Solaris.

The OSSEC platform includes a central management entity, the manager, which receives and monitors information from agents (small programs installed on the systems that need to be monitored). The manager is installed on a Linux system and keeps the database used for file integrity checking. It also stores logs, event records and system audit results.

The OSSEC project is currently supported by Atomicorp. The company oversees the free open source version and, in addition, offers an extended commercial version of the product. Here is a podcast in which the OSSEC project manager talks about the latest version of the system, OSSEC 3.0. It also covers the history of the project and how it differs from the modern commercial systems used in computer security.

5. Suricata

Suricata is an open source project focused on solving the main problems of computer security. In particular, it includes an intrusion detection system, an intrusion prevention system, and a network security monitoring tool.

The product appeared in 2009. Its operation is rule-based: the user can describe specific characteristics of network traffic, and when a rule is triggered, Suricata generates a notification, blocks or terminates the suspicious connection, depending, again, on the specified rules. The project also supports multi-threaded operation, which makes it possible to process a large number of rules quickly on networks carrying large volumes of traffic. Thanks to multi-threading, a completely ordinary server can successfully analyze traffic at 10 Gbit/s, and the administrator does not have to limit the set of rules used for traffic analysis. Suricata also supports hashing and file extraction.

Suricata can be configured to run on ordinary servers or on virtual machines, such as those in AWS, using the product's recently introduced traffic monitoring feature.

The project supports Lua scripts, which can be used to create complex and detailed logic for analyzing threat signatures.

The Suricata project is managed by the Open Information Security Foundation (OISF).

6. Zeek (Bro)

Like Suricata, Zeek (the project was formerly called Bro and was renamed Zeek at BroCon 2018) is an intrusion detection system and network security monitoring tool that can detect anomalous or dangerous activity. Zeek differs from a traditional IDS in that, unlike rule-based systems that detect anomalies, Zeek also captures metadata about what is happening on the network. This is done to better understand the context of anomalous network behavior. It allows, for example, when analyzing an HTTP call or a security certificate exchange, to look at the protocol, the packet headers, and the domain names.

Considered as a network security tool, Zeek gives a specialist the opportunity to investigate an incident by learning what happened before or during it. Zeek also converts network traffic data into high-level events and provides a script interpreter. The interpreter supports a programming language used to interact with events and to work out what exactly those events mean for network security. The Zeek programming language can be used to customize how metadata is interpreted to suit the needs of a particular organization. It lets you build complex logical conditions using the AND, OR and NOT operators, which gives users the ability to precisely tailor how their environment is analyzed. It should be noted, however, that compared to Suricata, Zeek can seem like a rather complex tool when investigating security threats.

If you are interested in more details about Zeek, please check out this video.

7. Panther

Panther is a powerful, cloud-native platform for continuous security monitoring. It was recently moved to the open source category. Its lead developer is the originator of the StreamAlert project, an automated log analysis solution whose code was opened by Airbnb. Panther gives the user a single system for detecting threats across all environments and organizing a response to them. The system scales with the size of the infrastructure it serves. Threat detection is based on transparent, deterministic rules, which reduces false positives and the unnecessary workload they put on security staff.

Panther's main features include the following:

  • Detection of unauthorized access to resources by analyzing logs.
  • Threat detection, implemented by searching logs for indicators of security problems. The search uses Panther's standardized data fields.
  • Checking the system for compliance with SOC/PCI/HIPAA standards using Panther's built-in mechanisms.
  • Protecting your cloud resources by automatically fixing configuration errors that could lead to serious problems if exploited by attackers.

Panther is deployed into the organization's own AWS cloud using AWS CloudFormation, so the user always remains in control of their data.
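Panther detections are Python modules that expose a rule(event) function returning True when an event should alert (optional title(), dedup() and severity() functions shape the alert). The block below is an added example in that style, not Panther's own code: a rule for the "unauthorized access to resources" case above, run over constructed CloudTrail-style events, with an assumed allowlist of noisy read-only calls to keep false positives down.

```python
# Constructed CloudTrail-style events, the kind Panther normalises before rules run.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-01T10:00:07Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci/build"}},
    {"eventTime": "2024-01-01T10:00:09Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci/build"}},
]

DENIED_CODES = {"AccessDenied", "UnauthorizedAccess", "Client.UnauthorizedOperation"}
# Read-only calls that dashboards routinely get refused; assumed allowlist, tune per environment.
NOISY_READS = {"GetBucketAcl", "ListBuckets", "DescribeInstances"}

def rule(event: dict) -> bool:
    """Panther-style entry point: True means the event should raise an alert."""
    if event.get("errorCode") not in DENIED_CODES:
        return False
    return event.get("eventName") not in NOISY_READS

def title(event: dict) -> str:
    """Alert title shown to the responder."""
    who = event.get("userIdentity", {}).get("arn", "<unknown principal>")
    return f"{who} was denied {event.get('eventName')} on {event.get('eventSource')}"

def dedup(event: dict) -> str:
    """Key used to fold repeated denials from one principal into a single alert."""
    return event.get("userIdentity", {}).get("arn", "")

def severity(event: dict) -> str:
    """Escalate when the refused call is a privilege-changing IAM operation."""
    return "HIGH" if event.get("eventSource") == "iam.amazonaws.com" else "LOW"

def evaluate(events: list[dict]) -> dict:
    """Run the rule over a batch and group matches the way dedup() would."""
    alerts = {}
    for ev in events:
        if rule(ev):
            alerts.setdefault(dedup(ev), []).append((severity(ev), title(ev)))
    return alerts
```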

Summary

Monitoring system security is an essential task today. Companies of any size can get help with it from open source tools that offer many capabilities and cost little or nothing.

Dear readers! Which security monitoring tools do you use?


Source: www.habr.com
