7 open-source tools for monitoring the security of cloud systems that you should know about

The widespread adoption of cloud computing helps companies scale their business. But the use of new platforms also brings new threats. Keeping an in-house team responsible for monitoring the security of cloud services is no easy task. The existing monitoring tools are expensive and slow, and to some extent they are hard to manage when it comes to securing large-scale cloud infrastructure. To keep their cloud security at a high level, companies need tools that are more powerful, flexible and intelligent than what was available before. This is where open-source technologies help a great deal: they spare the security budget and are built by specialists who know their field well.


The article, a translation of which we are publishing today, gives an overview of 7 open-source tools for monitoring the security of cloud systems. These tools are designed to protect against hackers and cybercriminals by detecting anomalies and unsafe activity.

1. Osquery

Osquery is a low-level operating-system monitoring and analysis framework that lets security specialists perform complex data mining using SQL. The osquery framework runs on Linux, macOS, Windows and FreeBSD. It represents the operating system (OS) as a high-performance relational database, which allows security specialists to examine the OS with SQL queries. For example, with a query you can find out about running processes, loaded kernel modules, open network connections, installed browser extensions, hardware events and file hashes.

The osquery framework was built by Facebook. Its code was opened in 2014, after the company realised that it was not the only one that needed tools for monitoring the low-level mechanisms of operating systems. Since then, osquery has been used by specialists at companies such as Dactiv, Google, Kolide, Trail of Bits, Uptycs and many others. It was recently announced that the Linux Foundation and Facebook will create a foundation to support osquery.

The osquery host monitoring daemon, osqueryd, lets you schedule queries that collect data across your organisation's entire infrastructure. The daemon aggregates the query results and produces logs that reflect changes in the state of the infrastructure. This can help security specialists stay aware of the state of their systems and is very useful for spotting anomalies. The log aggregation capabilities of osquery can be used to help you find known and unknown malware, as well as to identify where attackers entered your system and which programs they installed. Read more about anomaly detection with osquery here.
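To show what the "logs that reflect changes in the state of the infrastructure" look like in practice, here is an added example (not code from the article or from the osquery project) that parses osqueryd's differential results log, in which each line is a JSON object and the action field marks rows that were added or removed since the previous run of a scheduled query. The sample log lines, the hostnames, the pids and the EXPECTED_PORTS policy are all constructed for the example; only the field names follow the osqueryd results-log format.

```python
import json
from collections import defaultdict

# Constructed sample of an osqueryd results log in "differential" mode: one JSON
# object per line, with "action" marking rows that appeared or disappeared since
# the previous run of the scheduled query. Hostnames, pids and paths are made up.
SAMPLE_RESULTS_LOG = """\
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000000,"columns":{"pid":"812","port":"22","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/sshd"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000000,"columns":{"pid":"901","port":"443","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/nginx"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000600,"columns":{"pid":"4421","port":"4444","protocol":"6","address":"0.0.0.0","path":"/tmp/updater"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000600,"columns":{"pid":"901","port":"443","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/nginx"},"action":"removed"}
{"name":"kernel_modules","hostIdentifier":"db-02","unixTime":1700000600,"columns":{"name":"nf_tables","size":"245760","status":"Live"},"action":"added"}
"""

# Assumed policy for this host class: the only ports expected to listen.
EXPECTED_PORTS = {22, 443}


def parse_results(log_text):
    """Turn each differential result line into (query name, host, action, columns)."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rows.append((rec["name"], rec["hostIdentifier"], rec["action"], rec["columns"]))
    return rows


def current_state(rows):
    """Replay added/removed rows to rebuild the latest table contents per (query, host)."""
    state = defaultdict(set)
    for name, host, action, cols in rows:
        item = tuple(sorted(cols.items()))      # hashable form of one result row
        if action == "added":
            state[(name, host)].add(item)
        elif action == "removed":
            state[(name, host)].discard(item)
    return state


def findings(rows):
    """Flag listeners that are new since the last run and sit on an unexpected port
    or are served from a world-writable temp location."""
    out = []
    for name, host, action, cols in rows:
        if name != "listening_ports" or action != "added":
            continue
        port = int(cols["port"])
        if port not in EXPECTED_PORTS or cols["path"].startswith("/tmp/"):
            out.append(f"{host}: new listener pid={cols['pid']} port={port} path={cols['path']}")
    return out


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS_LOG)
    for key, items in current_state(rows).items():
        print(key, len(items), "row(s)")
    for f in findings(rows):
        print("ALERT", f)
```

The replay in current_state is what makes differential logging useful for a central collector: the full table never has to be shipped, yet the collector can still answer "what is listening on web-01 right now" and notice that the nginx listener disappeared in the same run that a listener from /tmp appeared.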

2. GoAudit

The Linux audit system consists of two main components. The first is kernel-level code designed to intercept and monitor system calls. The second is a user-space daemon called auditd, which is responsible for writing the audit results to disk. GoAudit, a system created by Slack and released in 2016, is intended to replace auditd. It improved logging by converting the multi-line event messages generated by the Linux audit system into single JSON blobs that are easier to analyse. With GoAudit you can access kernel-level mechanisms directly over the network. You can also enable minimal event filtering on the host itself (or disable filtering entirely). At the same time, GoAudit is not designed for security alone: it is meant as a feature-rich tool for system support and development specialists, and it helps troubleshoot problems in large infrastructures.

GoAudit is written in Go, a type-safe and high-performance language. Before installing GoAudit, check that your Go version is above 1.7.
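The conversion the text describes, from several audit records that share one msg=audit(timestamp:serial) identifier into a single JSON object, is shown below as an added example written for this article; it is not GoAudit's code and it is in Python rather than Go so that the grouping logic stays short. The record layout follows the kernel audit format; the sample lines themselves, their pids, paths and the "exec" and "sshd_config" rule keys are constructed.

```python
import json
import re
from collections import OrderedDict

# Constructed sample of raw Linux audit records as auditd writes them: one event
# spans several lines that share the same msg=audit(timestamp:serial) identifier.
# Field layout follows the kernel audit format; the values are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4210): arch=c000003e syscall=59 success=yes exit=0 ppid=1301 pid=1422 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1700000000.123:4210): argc=3 a0="curl" a1="-s" a2="https://example.invalid/health"
type=CWD msg=audit(1700000000.123:4210): cwd="/home/deploy"
type=PATH msg=audit(1700000000.123:4210): item=0 name="/usr/bin/curl" inode=1234 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000001.500:4211): arch=c000003e syscall=2 success=no exit=-13 ppid=1422 pid=1423 auid=1000 uid=1000 gid=1000 comm="cat" exe="/bin/cat" key="sshd_config"
type=PATH msg=audit(1700000001.500:4211): item=0 name="/etc/ssh/sshd_config" inode=409248 mode=0100600 ouid=0 ogid=0
"""

HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; quoted values may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_body(body):
    """Split the free-form part of one audit record into a dict, dropping quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(body)}


def group_audit_events(log_text):
    """Merge the multi-line audit records into one dict per event, keyed by serial.

    Record types that occur once per event (SYSCALL, EXECVE, CWD) become keys of
    the "records" dict; PATH can repeat (one per item), so it is kept as a list.
    """
    events = OrderedDict()
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        serial = int(m["serial"])
        ev = events.setdefault(serial, {"sequence": serial,
                                        "timestamp": float(m["ts"]),
                                        "records": {}})
        fields = parse_body(m["body"])
        if m["type"] == "PATH":
            ev["records"].setdefault("PATH", []).append(fields)
        else:
            ev["records"][m["type"]] = fields
    return list(events.values())


def to_json_lines(log_text):
    """One JSON document per event, the shape a log pipeline can index directly."""
    return [json.dumps(ev, sort_keys=True) for ev in group_audit_events(log_text)]


if __name__ == "__main__":
    for line in to_json_lines(SAMPLE_AUDIT_LOG):
        print(line)
```

Grouping on the serial number is what lets a downstream query ask a single question such as "which process tried to open /etc/ssh/sshd_config and failed" without stitching SYSCALL and PATH lines back together at search time. A production collector would also have to handle events whose records arrive out of order or are cut off at a log rotation; this example assumes complete, ordered input.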

3. Grapl

The Grapl project (Graph Analytics Platform) was moved to open source in March of last year. It is a relatively new platform for detecting security problems, performing computer forensics and generating incident reports. Attackers often operate in something like a graph model: they gain control of one system and explore other systems on the network from it. It is therefore natural for defenders to also use an approach based on a graph model of the connections between networked systems, which takes the particular relationships between those systems into account. Grapl is an attempt to implement incident detection and response based on a graph model rather than a log model.

The Grapl tool takes security-related logs (Sysmon logs or logs in a generic JSON format) and converts them into subgraphs (defining an "identity" for each node). It then merges the subgraphs into a common graph (the Master Graph), which represents the actions performed in the analysed environments. Grapl then runs Analyzers over the resulting graph, using "attacker signatures" to identify anomalies and suspicious patterns. When an analyzer identifies a suspicious subgraph, Grapl generates an Engagement construct intended for investigation. An Engagement is a Python class that can be loaded, for example, into a Jupyter Notebook deployed in an AWS environment. Grapl can, moreover, scale up the collection of information for an incident investigation by expanding the graph.
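The pipeline described above (log events become nodes with an identity, the nodes are merged into one graph, an analyzer walks the graph looking for a pattern) is shown in the following added example, which is written for this article and is not Grapl's own code. The events mimic Sysmon process-creation records in JSON; the hosts, pids, images and timestamps are constructed, and the OFFICE_APPS / SHELLS sets and the "office application with a shell two hops below it" signature are this example's own choices. It also shows the identity problem the text alludes to: a pid alone is not an identity because pids are reused, so a node is keyed by host, pid and start time.

```python
import json
from collections import defaultdict

# Constructed Sysmon-style process-creation events as JSON lines. Field names are
# simplified from Sysmon's; hosts, pids, images and times are made up. Note that
# pid 2200 on ws-17 is reused by two different processes.
SAMPLE_EVENTS = """\
{"host":"ws-17","pid":1100,"ppid":900,"image":"explorer.exe","utc_time":"2024-01-01T09:00:00"}
{"host":"ws-17","pid":2200,"ppid":1100,"image":"winword.exe","utc_time":"2024-01-01T09:05:00"}
{"host":"ws-17","pid":2300,"ppid":2200,"image":"cmd.exe","utc_time":"2024-01-01T09:05:10"}
{"host":"ws-17","pid":2400,"ppid":2300,"image":"powershell.exe","utc_time":"2024-01-01T09:05:12"}
{"host":"ws-17","pid":2200,"ppid":1100,"image":"notepad.exe","utc_time":"2024-01-01T10:00:00"}
{"host":"ws-17","pid":2500,"ppid":2200,"image":"cmd.exe","utc_time":"2024-01-01T10:00:05"}
{"host":"db-03","pid":410,"ppid":1,"image":"sshd","utc_time":"2024-01-01T09:00:00"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed signature input
SHELLS = {"cmd.exe", "powershell.exe"}


class ProcessGraph:
    """Master graph: process nodes with parent -> child edges, merged across events."""

    def __init__(self):
        self.nodes = {}                      # node key -> attributes
        self.children = defaultdict(list)    # parent key -> [child keys]
        self.parent = {}                     # child key -> parent key

    @staticmethod
    def node_key(host, pid, utc_time):
        # A pid is reused over time; pid plus start time on a host is an identity.
        return (host, pid, utc_time)

    def add_event(self, ev):
        """Add one event's subgraph (a node and its edge to the parent) to the graph."""
        key = self.node_key(ev["host"], ev["pid"], ev["utc_time"])
        self.nodes[key] = {"host": ev["host"], "pid": ev["pid"],
                           "image": ev["image"], "start": ev["utc_time"]}
        # Resolve the parent identity: the most recently started process on the same
        # host whose pid equals this event's ppid and that started no later than the child.
        candidates = [k for k, n in self.nodes.items()
                      if n["host"] == ev["host"] and n["pid"] == ev["ppid"]
                      and n["start"] <= ev["utc_time"]]
        if candidates:
            parent = max(candidates, key=lambda k: self.nodes[k]["start"])
            self.parent[key] = parent
            self.children[parent].append(key)
        return key

    def lineage(self, key):
        """Chain from the node up to the root of its tree."""
        chain = [key]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain


def build_master_graph(jsonl):
    graph = ProcessGraph()
    for line in jsonl.splitlines():
        if line.strip():
            graph.add_event(json.loads(line))
    return graph


def analyzer_office_spawns_shell(graph):
    """Signature: a shell whose parent or grandparent is an office application.

    Returns one root-to-leaf image chain per match, the material an Engagement
    would be built from.
    """
    hits = []
    for key, node in graph.nodes.items():
        if node["image"].lower() not in SHELLS:
            continue
        ancestors = graph.lineage(key)[1:3]          # parent and grandparent
        if any(graph.nodes[k]["image"].lower() in OFFICE_APPS for k in ancestors):
            hits.append([graph.nodes[k]["image"] for k in reversed(graph.lineage(key))])
    return hits


if __name__ == "__main__":
    g = build_master_graph(SAMPLE_EVENTS)
    for chain in analyzer_office_spawns_shell(g):
        print(" -> ".join(chain))
```

The second cmd.exe (pid 2500) is not reported: its ppid 2200 resolves to notepad.exe, which started later than winword.exe, so the identity step keeps a pid reuse from producing a false positive. Events are assumed to arrive in time order; a real ingester would sort or buffer them first.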

If you want to understand Grapl better, have a look at this interesting video, a recording of a talk from BSides Las Vegas 2019.

4. OSSEC

OSSEC is a project founded in 2004. In general terms it can be described as an open-source security monitoring platform designed for host analysis and intrusion detection. OSSEC is downloaded more than 500,000 times a year. The platform is used mainly as a means of intrusion detection on servers, both on-premises and in the cloud. OSSEC is also frequently used as a log analysis tool for monitoring and analysing firewalls, intrusion detection systems and web servers, and for studying authentication logs.

OSSEC combines the capabilities of a Host-based Intrusion Detection System (HIDS) with those of a Security Incident Management (SIM) system and a Security Information and Event Management (SIEM) system. OSSEC can also monitor file integrity in real time; this, for example, covers monitoring the Windows registry and detecting rootkits. OSSEC can notify stakeholders about detected problems in real time and helps respond quickly to the threats it finds. The platform supports Microsoft Windows and most modern Unix-like systems, including Linux, FreeBSD, OpenBSD and Solaris.

The OSSEC platform consists of a central control entity, the manager, which is used to receive and monitor information from agents (small programs installed on the systems that need to be monitored). The manager is installed on a Linux system and holds the database used to check file integrity. It also stores logs and event records, as well as the results of system audits.
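File integrity monitoring of the kind the text attributes to OSSEC reduces to a baseline of file digests held by the manager and a later comparison against it. The following added example, written for this article and not taken from OSSEC, performs that baseline-and-compare cycle on a throwaway directory that it constructs itself; the file names under etc/ and their contents are made up, and the report shape (added / removed / modified) is this example's own.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> (sha256, size, permission bits) for every regular file."""
    base = {}
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            base[p.relative_to(root).as_posix()] = (file_digest(p), st.st_size, st.st_mode & 0o777)
    return base


def compare(baseline, current):
    """Classify differences the way an integrity checker reports them."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed directory tree, take a baseline, change it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("welcome\n")
        baseline = snapshot(root)

        # Three kinds of change the checker should notice.
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/srv:/bin/sh\n")  # modified
        (etc / "motd").unlink()                                                               # removed
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "job").write_text("*/5 * * * * root /opt/job.sh\n")                  # added
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Including the size and permission bits alongside the digest is deliberate: a permission change on an unchanged file (a configuration file made world-writable, for instance) is a finding in its own right, and the digest alone would miss it. In a deployment the baseline would live on the manager, as the text describes, not on the monitored host where an intruder could edit it.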

The OSSEC project is currently maintained by Atomicorp. The company looks after the free open-source version and also offers an extended commercial version of the product. Here is a podcast in which the OSSEC project manager talks about the latest version of the system, OSSEC 3.0. He also discusses the history of the project and how it differs from the modern commercial systems used in computer security.

5. Suricata

Suricata is an open-source project focused on solving the main problems of computer security. In particular, it includes an intrusion detection system, an intrusion prevention system and a network security monitoring tool.

The product appeared in 2009. Its operation is rule-based; that is, the user is able to describe certain characteristics of network traffic. When a rule triggers, Suricata generates an alert, or blocks or terminates the suspicious connection, which again depends on the specified rules. The project also supports multi-threaded operation, which makes it possible to process a large number of rules quickly on networks carrying large volumes of traffic. Thanks to multi-threading support, a perfectly ordinary server is capable of analysing traffic at 10 Gbit/s. In that case the administrator does not need to restrict the set of rules used for traffic analysis. Suricata also supports file hashing and file extraction.

Suricata can be configured to run on ordinary servers or on virtual machines, such as in AWS, using the product's recently introduced traffic monitoring feature.

The project supports Lua scripts, which can be used to build complex and detailed logic for analysing threat signatures.
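To make the rule-based model concrete, the following added example (written for this article, not Suricata's code) parses rules written in Suricata's signature syntax and applies them to a few constructed flows, returning the action of the first rule that matches. Only the rule header and the msg, content and sid keywords are understood; real Suricata supports many more keywords, evaluates all rules rather than stopping at the first match, and gives drop precedence over alert. The sids, contents, addresses and payloads are all made up.

```python
import re

# Constructed rules in Suricata's signature syntax (real syntax; made-up sids/contents).
RULES = """\
alert tcp any any -> any 80 (msg:"HTTP request for admin path"; content:"GET /admin"; sid:1000001; rev:1;)
drop tcp any any -> 10.0.0.5 22 (msg:"SSH to bastion from unexpected source"; content:"SSH-2.0"; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"Cleartext credentials in POST"; content:"POST"; content:"password="; sid:1000003; rev:1;)
"""

RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
# keyword:value; pairs inside the parentheses; quoted values may contain ';'
OPT_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rules(text):
    """Parse the subset of the signature syntax this example understands."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        opts = {}
        for key, val in OPT_RE.findall(m["opts"]):
            opts.setdefault(key, []).append(val.strip().strip('"'))
        rules.append({
            "action": m["action"], "proto": m["proto"],
            "src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"],
            "msg": opts.get("msg", [""])[0],
            "content": opts.get("content", []),     # every content: must be present
            "sid": int(opts["sid"][0]),
        })
    return rules


def _endpoint_matches(pattern, value):
    return pattern == "any" or pattern == str(value)


def evaluate(rules, flow):
    """Return (action, sid, msg) of the first matching rule, or ("pass", None, None)."""
    for r in rules:
        if r["proto"] != flow["proto"]:
            continue
        if not (_endpoint_matches(r["src"], flow["src"]) and _endpoint_matches(r["sport"], flow["sport"])
                and _endpoint_matches(r["dst"], flow["dst"]) and _endpoint_matches(r["dport"], flow["dport"])):
            continue
        if all(c.encode() in flow["payload"] for c in r["content"]):
            return r["action"], r["sid"], r["msg"]
    return "pass", None, None


# Constructed flows (first payload bytes only); addresses are from documentation ranges.
SAMPLE_FLOWS = [
    {"proto": "tcp", "src": "198.51.100.4", "sport": 40000, "dst": "10.0.0.8", "dport": 80,
     "payload": b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 40001, "dst": "10.0.0.5", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"proto": "tcp", "src": "10.0.0.20", "sport": 40002, "dst": "10.0.0.8", "dport": 443,
     "payload": b"\x16\x03\x01"},
]

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for flow in SAMPLE_FLOWS:
        print(flow["dst"], flow["dport"], evaluate(parsed, flow))
```

The header (action, protocol, addresses, ports) is cheap to check and filters most traffic before the payload is inspected, which is the same ordering a real engine relies on to keep up with high traffic rates; the multi-threading the text mentions then spreads those per-flow evaluations across cores.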

The Suricata project is run by the Open Information Security Foundation (OISF).

6. Zeek (Bro)

Like Suricata, Zeek (the project was formerly called Bro and was renamed Zeek at BroCon 2018) is also an intrusion detection system and network security monitoring tool that can detect anomalies such as suspicious or dangerous activity. Zeek differs from a traditional IDS in that, unlike rule-based systems that detect anomalies, Zeek also captures the metadata associated with what happens on the network. This is done to better understand the context of unusual network behaviour. It allows you, for example, when analysing an HTTP call or a security certificate exchange, to look at the protocol being followed, the packet headers and the domain names.

If we consider Zeek as a network security tool, then we can say that it gives the specialist the opportunity to investigate an incident by learning what happened before or during it. Zeek also turns network traffic data into high-level events and provides a script interpreter to work with them. The interpreter supports a programming language used to interact with the events and to determine what those events mean for the security of the network. The Zeek programming language can be used to customise how the interpreted metadata is handled to suit the needs of a particular organisation. It lets you build complex logical conditions using the AND, OR and NOT operators, which gives users the ability to tailor how their environments are analysed. It should be noted, however, that compared with Suricata, Zeek may seem the more complex tool when it comes to security threat analysis.
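The metadata-and-context idea from the two paragraphs above can be seen in Zeek's own log output: every connection gets a uid, and the per-protocol logs (http.log, ssl.log, dns.log) carry that uid so an event can be joined back to the connection's bytes and duration. The following added example, written for this article and not part of Zeek, parses Zeek's tab-separated log format using its #fields and #types header lines, joins http.log to conn.log on uid, and then evaluates a condition of the AND / NOT kind the text mentions. The log fragments, hosts, uids, byte counts and the TRUSTED_UPLOAD_HOSTS allowlist are constructed; only the format and column names are Zeek's.

```python
# Constructed Zeek-style conn.log and http.log fragments in Zeek's tab-separated
# format with its #fields / #types headers. Hosts, uids and byte counts are made up.
SAMPLE_CONN_LOG = """\
#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.1\tCabc1\t10.0.0.5\t51000\t93.184.216.34\t80\ttcp\thttp\t1.2\t300\t5000\tSF
1700000010.5\tCdef2\t10.0.0.5\t51001\t198.51.100.7\t80\ttcp\thttp\t4000.0\t9000000\t1200\tSF
1700000020.0\tCghi3\t10.0.0.9\t51002\t203.0.113.2\t443\ttcp\tssl\t-\t-\t-\tS0
#close\t2024-01-01-00-00-00
"""

SAMPLE_HTTP_LOG = """\
#separator \\x09
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount
1700000000.1\tCabc1\t10.0.0.5\t51000\t93.184.216.34\t80\tGET\texample.com\t/\t200
1700000010.5\tCdef2\t10.0.0.5\t51001\t198.51.100.7\t80\tPOST\tfiles.invalid\t/upload\t200
"""

# Assumed allowlist of hosts that legitimately receive large uploads.
TRUSTED_UPLOAD_HOSTS = {"backup.example.com"}


def _convert(typ, val):
    """Map a Zeek column type to a Python value; '-' is Zeek's unset marker."""
    if val in ("-", "(empty)"):
        return None
    if typ in ("time", "interval", "double"):
        return float(val)
    if typ in ("count", "int", "port"):
        return int(val)
    return val


def parse_zeek_log(text):
    """Parse a Zeek TSV log using its own #fields/#types header lines."""
    fields = types = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types\t"):
            types = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other header lines and #close
        else:
            vals = line.split("\t")
            records.append({f: _convert(t, v) for f, t, v in zip(fields, types, vals)})
    return records


def join_http_with_conn(conn_records, http_records):
    """Attach connection-level metadata (bytes, duration) to each HTTP event via the uid."""
    by_uid = {c["uid"]: c for c in conn_records}
    return [dict(h, conn=by_uid.get(h["uid"])) for h in http_records]


def detect_large_untrusted_posts(joined, byte_threshold=1_000_000):
    """Condition in the style of a Zeek script: POST AND large orig_bytes AND NOT trusted host."""
    return [h["uid"] for h in joined
            if h["method"] == "POST"
            and h["conn"] is not None
            and (h["conn"]["orig_bytes"] or 0) > byte_threshold
            and h["host"] not in TRUSTED_UPLOAD_HOSTS]


if __name__ == "__main__":
    conn = parse_zeek_log(SAMPLE_CONN_LOG)
    joined = join_http_with_conn(conn, parse_zeek_log(SAMPLE_HTTP_LOG))
    print(detect_large_untrusted_posts(joined))
```

The condition only works because of the join: http.log alone says "a POST happened", conn.log alone says "9 MB left the host", and neither is interesting by itself. Driving the parser from the #types header rather than from hard-coded column positions keeps it working when a site's Zeek scripts add or reorder columns.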

If you would like more details about Zeek, please refer to this video.

7. Panther

Panther is a powerful, cloud-native platform for continuous security monitoring. It was recently moved to open source. Its lead developer was behind the StreamAlert project, an automated log analysis solution whose code was opened by Airbnb. Panther gives the user a single system for detecting threats across all environments and for organising the response to them. The system can grow together with the size of the infrastructure it serves. Threat detection is based on transparent, deterministic rules, which reduces false positives and unnecessary work for security specialists.

Among the main features of Panther are the following:

  • Detection of unauthorised access to resources by analysing logs.
  • Threat detection, performed by searching logs for indicators that point to security problems. The search uses Panther's standardised data fields.
  • Checking the system for compliance with the SOC/PCI/HIPAA standards using Panther's built-in policies.
  • Protecting your cloud resources by automatically remediating configuration errors that could cause serious problems if exploited by attackers.

Panther is deployed into the organisation's own AWS cloud using AWS CloudFormation. This lets the user always remain in control of their data.
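Panther's detections are Python modules that expose a rule(event) function returning True or False, optionally accompanied by title(event) and severity(event). The following added example, written for this article and not taken from Panther's rule repository, shows one such "transparent, deterministic" rule run over constructed AWS CloudTrail-style events: a successful root console login without MFA. The field names (eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) follow CloudTrail; the events, the account id and the source address are made up; the deep_get helper and the run() harness are this example's own and stand in for Panther's engine.

```python
# Constructed AWS CloudTrail-style events. Field names follow CloudTrail; the
# account id, IP address and user names are made up.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.24"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "sourceIPAddress": "198.51.100.25"},
]


def deep_get(obj, *keys, default=None):
    """Safely walk nested dicts (helper written for this example)."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key, default)
    return obj


# --- the part that follows Panther's rule-module convention ---

def rule(event):
    """Fire on a successful root console login that did not use MFA."""
    return (event.get("eventName") == "ConsoleLogin"
            and deep_get(event, "userIdentity", "type") == "Root"
            and deep_get(event, "responseElements", "ConsoleLogin") == "Success"
            and deep_get(event, "additionalEventData", "MFAUsed") != "Yes")


def title(event):
    """Alert title; becomes the dedup string unless dedup() is defined."""
    return f"Root console login without MFA from {event.get('sourceIPAddress', 'unknown')}"


def severity(event):
    return "CRITICAL"


# --- toy harness standing in for Panther's rule engine (not Panther code) ---

def run(events):
    """Return alert titles for every event the rule matches."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(severity(None), alert)
```

Every condition in rule() is a plain field comparison, so an analyst can read exactly why an alert fired and the rule produces the same answer for the same event every time, which is what keeps false positives and triage effort down. Failed root logins are deliberately excluded here; a second rule with a threshold would be the usual way to watch for those.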

Summary

Monitoring the security of systems is an important task these days. In tackling it, companies of any size can be helped by open-source tools that offer a wealth of capabilities and cost little or nothing.

Dear readers! Which security monitoring tools do you use?


Source: www.habr.com
