Amazon AWS GuardDuty
What Is Amazon GuardDuty?
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains. For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances deployed in a region that has never been used, or unusual API calls, like a password policy change to reduce password strength.
GuardDuty informs you of the status of your AWS environment by producing security findings that you can view in the GuardDuty console or through Amazon CloudWatch events.
How Amazon GuardDuty Uses Its Data Sources
To detect unauthorized and unexpected activity in your AWS environment, GuardDuty analyzes and processes data from AWS CloudTrail event logs, VPC Flow Logs, and DNS logs. The logs from these data sources are stored in the Amazon S3 buckets. GuardDuty accesses them there using the HTTPS protocol. While in transit from these data sources to GuardDuty, all of the log data is encrypted. GuardDuty extracts various fields from these logs for profiling and anomaly detection, and then discards the logs.
The following sections describe the details of how GuardDuty uses each supported data source.
AWS CloudTrail event logs
AWS CloudTrail provides you with a history of AWS API calls for your account, including API calls made using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. CloudTrail also allows you to identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address that the calls were made from, and when the calls occurred. For more information, see What is AWS CloudTrail?
You can configure CloudTrail trails to log management events and/or data events. Management events provide insight into management operations that are performed on resources in your AWS account. For example, configuring security (IAM AttachRolePolicy API operations), registering devices (Amazon EC2 CreateDefaultVpc API operations), configuring rules for routing data (Amazon EC2 CreateSubnet API operations), or setting up logging (AWS CloudTrail CreateTrail API operations). Data events provide insight into the resource operations performed on or within a resource. For example, Amazon S3 object-level API activity (GetObject, DeleteObject, and PutObject API operations) or AWS Lambda function execution activity (the Invoke API). For more information, see Logging Data and Management Events for Trails.
Currently, GuardDuty only analyzes CloudTrail management events. If you have CloudTrail configured to log data events, there will be a difference between GuardDuty analysis based on CloudTrail data and the logs that CloudTrail itself is delivering.
Another important detail about GuardDuty’s usage of CloudTrail as a data source is the handling and processing of CloudTrail’s global events. For most services, events are recorded in the region where the action occurred. For global services such as AWS IAM, AWS STS, Amazon CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region. For more information, see About Global Service Events.
GuardDuty processes all events that come into a region, including global events that CloudTrail sends to all regions. This allows GuardDuty to maintain user and role profiles in each region and enables it to accurately detect credentials that are being maliciously used across regions.
Important
It is highly recommended that you enable GuardDuty in all supported AWS regions. This allows GuardDuty to generate findings about unauthorized or unusual activity even in regions that you are not actively using. This also allows GuardDuty to monitor AWS CloudTrail events for global AWS services.
If GuardDuty is not enabled in all supported regions, its ability to detect activity that involves global services is reduced.
VPC Flow Logs
VPC Flow Logs capture information about the IP traffic going to and from Amazon EC2 network interfaces in your VPC. For more information, see VPC Flow Logs.
Important
When you enable GuardDuty, it immediately starts analyzing your VPC Flow Logs data. It consumes VPC Flow Log events directly from the VPC Flow Logs feature through an independent and duplicative stream of flow logs. This process does not affect any existing flow log configurations that you might have.
GuardDuty doesn’t manage your flow logs or make them accessible in your account. To manage access and retention of your flow logs, you must configure the VPC Flow Logs feature.
There is no additional charge for GuardDuty access to flow logs. However, enabling flow logs for retention or use in your account falls under existing pricing. For more information, see Working With Flow Logs.
DNS logs
If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. If you are using a 3rd party DNS resolver, for example, OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.
Pricing for GuardDuty
For information about GuardDuty pricing, see Amazon GuardDuty Pricing.
Accessing GuardDuty
You can work with GuardDuty in any of the following ways:
- GuardDuty Console
- https://console.aws.amazon.com/guardduty
The console is a browser-based interface to access and use GuardDuty.
- AWS SDKs
- AWS provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to GuardDuty. For information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.
- GuardDuty HTTPS API
- You can access GuardDuty and AWS programmatically by using the GuardDuty HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the Amazon GuardDuty API Reference.
Amazon AWS Inspector
What is Amazon Inspector?
Amazon Inspector is an automated security assessment service that helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on those instances.
Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems. This allows you to make security testing a more regular occurrence as part of development and IT operations. Amazon Inspector is an API-driven service that uses an optional agent, making it easy to deploy, manage, and automate. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions.
Amazon Inspector consists of a technology that analyzes your network configurations, an Amazon-developed agent that is installed in the operating system of your EC2 instances, and a security assessment service that uses telemetry from the agent and AWS configurations to assess instances for security exposures and vulnerabilities.
Important
AWS does not guarantee that following the provided recommendations will resolve every potential security issue. The findings generated by Amazon Inspector depend on your choice of rules packages included in each assessment template, the presence of non-AWS components in your system, and other factors. You are responsible for the security of applications, processes, and tools that run on AWS services. For more information, see the AWS Shared Responsibility Model for security.
Note
AWS is responsible for protecting the global infrastructure that runs all the services offered in the AWS cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS services. AWS provides several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations. For more information, see AWS Cloud Compliance.
For more information, see Amazon Inspector Terminology and Concepts.
Benefits of Amazon Inspector
- Amazon Inspector enables you to quickly and easily assess the security of your AWS resources for forensics, troubleshooting, or active auditing purposes at your own pace, either as you progress through the development of your infrastructures or on a regular basis in a stable production environment.
- Amazon Inspector enables you to focus on more complex security problems by offloading the overall security assessment of your infrastructure to this automated service.
- By using Amazon Inspector, you can gain deeper understanding of your AWS resources because Amazon Inspector findings are produced through the analysis of the real activity and configuration data of your AWS resources.
Features of Amazon Inspector
- Configuration Scanning and Activity Monitoring Engine – Amazon Inspector provides an engine that analyzes system and resource configuration and monitors activity to determine what an assessment target looks like, how it behaves, and its dependent components. The combination of this telemetry provides a complete picture of the assessment target and its potential security or compliance issues.
- Built-in Content Library – Amazon Inspector incorporates a built-in library of rules and reports. These include checks against best practices, common compliance standards and vulnerabilities. These checks include detailed recommended steps for resolving potential security issues.
- Automatable via API – Amazon Inspector is fully automatable via an API. This allows organizations to incorporate security testing into the development and design process, including selecting, executing, and reporting the results of those tests.
Amazon Inspector Pricing
Amazon Inspector pricing is based on the number of Amazon EC2 instances included in each assessment and the rules packages used in those assessments. For detailed information about Amazon Inspector pricing, see Amazon Inspector Pricing.
Accessing Amazon Inspector
You can work with the Amazon Inspector service in any of the following ways.
- Amazon Inspector Console
- Sign in to the AWS Management Console and open the Amazon Inspector console at https://console.aws.amazon.com/inspector/.
The console is a browser-based interface to access and use the Amazon Inspector service.
- AWS SDKs
- AWS provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to the Amazon Inspector service. For information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.
- Amazon Inspector HTTPS API
- You can access Amazon Inspector and AWS programmatically by using the Amazon Inspector HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the Amazon Inspector API Reference.
- AWS Command Line Tools
- You can use the AWS command line tools to issue commands at your system’s command line to perform Amazon Inspector tasks; this can be faster and more convenient than using the console. The command line tools are also useful if you want to build scripts that perform AWS tasks. For more information, see the Amazon Inspector’s AWS Command Line Interface.
Using Docker To Install OpenVAS On CentOS
An interesting post from Gerry Williams at gerrywilliams.net
Description:
Saw a post on r/sysadmin the other day with a walkthrough on using Docker for the first time. Thought I would take some notes:
To Resolve:
1. On the host computer, open up Hyper V and create a new Virtual Machine. Download the Centos7 iso if you don’t already have it.
2. Before starting the virtual machine, we need to edit its properties:
2a. Change UEFI option to UEFI Authority
2b. Change Network Adapter to Enable MAC Address spoofing
2c. Enable Nested Virtualization. On the host machine, open Powershell as admin and type:
|
1
|
Set-Vmprocessor –Vmname Docker –Enablevirtualizationextensions $True
|
3. Install Centos7 minimal on a Virtual Machine.
4. Update it and give it a static IP, and install Docker stuff:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
# Update:
sudo yum update
# Set a static ip = https://www.gerrywilliams.net/2016/10/setting-a-static-ip-in-centos/
# Install docker
yum install –y yum-utils device-mapper-persistent-data lvm2
yum-config-manager —add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum-config-manager —enable docker–ce-edge
yum-config-manager —enable docker–ce-test
yum install docker-ce
# Start and enable docker
systemctl start docker
systemctl enable docker
|
5. Now that docker is installed, we can search for images to run. For example, let’s install OpenVAS:
|
1
2
3
4
5
6
7
8
|
# Search docker images:
docker search openvas
# Download an image
docker pull mikesplain/openvas
# See images
docker images
|
6. Now lets start and run it:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
# To run: The command breakdown is: –d is background (detach), –p is ports, —name is just a name, and last is the image file.
docker run –d –p 443:443 –p 9390:9390 —name openvas mikesplain/openvas
# To see running docker images:
docker ps
# To see installation logs
docker logs –ft mikesplain/openvas
# Add firewall exceptions:
firewall-cmd —zone=public —add-port=443/tcp —permanent
firewall-cmd —zone=public —add-port=9390/tcp —permanent
firewall-cmd —reload
# To see all containers created, but some may be offline
docker ps –a
|
7. That is it, if you want to see the OpenVAS web GUI, just go to https://10.10.10.23 (if the Centos VM static IP is 10.10.10.23) in a browser on CentOS. It should bring up OpenVAS login! Creds are ‘admin/admin’
Video:
OpenVAS image for Docker on Ubuntu
A Docker container for OpenVAS on Ubuntu. By default, the latest images includes the OpenVAS Base as well as the NVTs and Certs required to run OpenVAS. We made the decision to move to 9 as the default branch since 8 seems to have many issues in docker. We suggest you use 9 as it is much more stable. Our Openvas9 build was designed to be a smaller image with fewer extras built in. Please note, OpenVAS 8 is no longer being built as OpenVAS 9 is now standard. The image is can still be pulled from the Docker hub, however the source has been removed in this github as is standard with deprecated Docker Images.
| Openvas Version | Tag | Web UI Port |
|---|---|---|
| 9 | latest/9 | 443 |
Usage
Simply run:
# latest (9)
docker run -d -p 443:443 --name openvas mikesplain/openvas
# 9
docker run -d -p 443:443 --name openvas mikesplain/openvas:9
This will grab the container from the docker registry and start it up. Openvas startup can take some time (4-5 minutes while NVT’s are scanned and databases rebuilt), so be patient. Once you see a It seems like your OpenVAS-9 installation is OK. process in the logs, the web ui is good to go. Goto https://<machinename>
Username: admin
Password: admin
To check the status of the process, run:
docker top openvas
In the output, look for the process scanning cert data. It contains a percentage.
To run bash inside the container run:
docker exec -it openvas bash
Specify DNS Hostname
By default, the system only allows connections for the hostname “openvas”. To allow access using a custom DNS name, you must use this command:
docker run -d -p 443:443 -e PUBLIC_HOSTNAME=myopenvas.example.org --name openvas mikesplain/openvas
OpenVAS Manager
To use OpenVAS Manager, add port 9390 to you docker run command:
docker run -d -p 443:443 -p 9390:9390 --name openvas mikesplain/openvas
Volume Support
We now support volumes. Simply mount your data directory to /var/lib/openvas/mgr/:
mkdir data
docker run -d -p 443:443 -v $(pwd)/data:/var/lib/openvas/mgr/ --name openvas mikesplain/openvas
Note, your local directory must exist prior to running.
Set Admin Password
The admin password can be changed by specifying a password at runtime using the env variable OV_PASSWORD:
docker run -d -p 443:443 -e OV_PASSWORD=securepassword41 --name openvas mikesplain/openvas
Update NVTs
Occasionally you’ll need to update NVTs. We update the container about once a week but you can update your container by execing into the container and running a few commands:
docker exec -it openvas bash
## inside container
greenbone-nvt-sync
openvasmd --rebuild --progress
greenbone-certdata-sync
greenbone-scapdata-sync
openvasmd --update --verbose --progress
/etc/init.d/openvas-manager restart
/etc/init.d/openvas-scanner restart
Docker compose (experimental)
For simplicity a docker-compose.yml file is provided, as well as configuration for Nginx as a reverse proxy, with the following features:
- Nginx as a reverse proxy
- Redirect from port 80 (http) to port 433 (https)
- Automatic SSL certificates from Let’s Encrypt
- A cron that updates daily the NVTs
To run:
- Change “example.com” in the following files:
- Change the “OV_PASSWORD” enviromental variable in docker-compose.yml
- Install the latest docker-compose
- run
docker-compose up -d
LDAP Support (experimental)
Openvas do not support full ldap integration but only per-user authentication. A workaround is in place here by syncing ldap admin user(defined by LDAP_ADMIN_FILTER) with openvas admin users everytime the app start up. To use this, just need to specify the required ldap env variables:
docker run -d -p 443:443 -p 9390:9390 --name openvas -e LDAP_HOST=your.ldap.host -e LDAP_BIND_DN=uid=binduid,dc=company,dc=com -e LDAP_BASE_DN=cn=accounts,dc=company,dc=com -e LDAP_AUTH_DN=uid=%s,cn=users,cn=accounts,dc=company,dc=com -e LDAP_ADMIN_FILTER=memberOf=cn=admins,cn=groups,cn=accounts,dc=company,dc=com -e LDAP_PASSWORD=password -e OV_PASSWORD=admin mikesplain/openvas
Refrenced from - https://hub.docker.com/r/mikesplain/openvas/
WP GDPR Compliance WordPress Plug-in Exploited
A WordPress plug-in that’s supposed to help with GDPR compliance contains a dangerous privilege escalation vulnerability that attackers have been actively exploiting to compromise websites.
A WordPress plug-in known as the WP GDPR Compliance plug-in contains a dangerous privilege escalation vulnerability that attackers have been actively exploiting to compromise websites. The bug was discovered by the WordPress.org Plugin Directory Team on November 6 and patched the next day in version 1.4.3.
But despite the fixes, attacks on sites still running versions 1.4.2 and older are still going on, according to security experts from Defiant, a company that runs the Wordfence firewall plugin for WordPress sites.
WP GDPR ensure compliance with Europe’s General Data Protection Regulation by providing tools through which site visitors can permit use of their personal data or request data stored by the website’s database.
More information can be located below:
Video: General Data Protection Regulation (GDRP) – The law that lets Europeans take back their data from big tech companies
Tech companies’ reign over users’ personal data has run largely unchecked in the age of the internet. Europe is seeking to end that with a new law
