Lab 5.1 Auditbeat Kibana Dashboards - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Helpful Info

The Public IPv4 address will change every new session. Current IPv4 address in use: 3.82.245.175

To access your instance: ssh -i hannelore-elk-key.pem ubuntu@public-ip

Private IPv4 address is : 172.31.87.23

When you next log in to your system, make sure to start everything again.

  • Start in this order: Elasticsearch, Logstash, Kibana

To get to the Kibana dashboard, type http://public-ip:5601 into your browser.

Helpful Vocab!

Lab Prep

  1. Access AWS Console and make sure Instance is running
  2. SSH into the instance and:
    • Start elasticsearch
    • Start Logstash
    • Start Kibana
    • Start Auditbeat
  3. Make sure that you can access Kibana and see some data from Auditbeat

Step 1: Security Monitoring with Auditbeat

For this lab, you will use the Auditbeat Dashboards to find evidence of activities that you perform on the server.

Data Generation

Install a new package

  • Install 7zip (apt install 7zip)

User Creation

  • Create a new user on your ubuntu server with the adduser command

Allow password authentication

  • Edit /etc/ssh/sshd_config and change “PasswordAuthentication” from No to Yes
  • Restart sshd (systemctl restart sshd)

Use SSH to login as your new user

  • You can open a second terminal/PowerShell window
  • ssh your_new_user@your_public_ip

As the new user

  • Try “curl”-ing a web page
  • Use Google’s nameserver for DNS lookups
    • Type “nslookup”
    • At prompt, type: server 8.8.8.8
    • Then, query for some domains like champlain.edu
    • Type “exit” to leave nslookup prompt

Data Identification

From Kibana - go to Dashboards - and explore the Auditbeat Dashboards. Find the correct Dashboard and locate evidence of the actions that you took:

Screenshot of dashboard and entry showing that 7zip package was added

Screenshot of “filtered” dashboard showing the New User (user_added)

Screenshot of dashboard showing successful login

Screenshot of filtered dashboard showing curl and nslookup network connections by your new user

Screenshot captions: curl; nslookup

Step 2 - Exploring Auditbeat File Integrity Monitoring

File Integrity Monitoring (FIM) is a critical cybersecurity operations practice. Many cybersecurity regulations require FIM to be in place on any system hosting or processing sensitive data. Auditbeat includes the ability to do FIM and has a corresponding Kibana Dashboard.

Take a look at /etc/auditbeat/auditbeat.yml and the section labeled “module: file_integrity”

  • You will see a number of paths that are being monitored such as “bin”, “sbin”, “etc”

Explore the Auditbeat File Integrity Monitor Dashboard

  • You should see some events based on changes to files in /etc
  • However, what about the change you made to /etc/ssh/sshd_config?
    • It is not there because, by default, Auditbeat FIM does not include child folders (it is non-recursive)
  • Okay - let's make some changes to our filesystem and to Auditbeat to enhance monitoring
    • It is possible to load the file_integrity module within auditbeat.yml multiple times so that different folders can have different settings
    • Comment out /etc in the existing “paths:” section
    • At the end of the existing “- module: file_integrity” section, and before the “- module: system” section:
      • Add another “- module: file_integrity” section
      • Include in “paths:” /etc and /home/the_name_of_user_you_created
      • After the paths (and with the same indentation as paths) add recursive: true
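As an added example (not from the lab page or from the Auditbeat project) of what that edit to /etc/auditbeat/auditbeat.yml looks like, here is the default non-recursive block beside the extended two-module arrangement; /home/your_user is a placeholder for the account you created with adduser, and the exclude_files patterns are an optional assumption added to keep editor temp files off the dashboard:

```yaml
# Before (default behaviour the lab describes): /etc is watched, but only the
# files directly inside it. /etc/ssh/sshd_config lives in a child folder, so
# with the non-recursive default the change to PasswordAuthentication is never
# reported on the File Integrity dashboard.
auditbeat.modules:
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  # - /etc        # commented out: /etc now belongs to the recursive block below

# After: a second file_integrity instance with its own settings. The module may
# be listed more than once, so the system binaries above stay non-recursive
# (cheap to scan) while /etc and the new user's home are walked recursively.
- module: file_integrity
  paths:
  - /etc
  - /home/your_user          # placeholder: the user created with adduser
  recursive: true            # same indentation as "paths:", not inside its list
  # Optional: skip files that editors create while you are changing sshd_config,
  # so the dashboard shows the edits you made rather than swap/backup noise.
  exclude_files:
  - '(?i)\.sw[nop]$'         # vim/vi swap files
  - '~$'                     # backup copies some editors leave behind

# The existing "- module: system" section follows here, unchanged.
```

After saving, a config check such as `auditbeat test config -c /etc/auditbeat/auditbeat.yml` run before `systemctl restart auditbeat` catches indentation mistakes (for example recursive: true nested under the paths list) before they stop the service.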

  • Restart auditbeat and make sure it is running
  • Add some files to /home/your_user
  • Make some changes to those files
  • Also, edit your /etc/ssh/sshd_config file, change PasswordAuthentication back to no, and save
  • View the Auditbeat File Integrity Dashboard - and you should see your activities!

Screenshots: Grab some screenshots of the File Integrity Dashboard showing your changes