Building a Testbed for go-audit & osquery

Chris Long
3 min read · Dec 2, 2016


After seeing the release of Slack’s new process auditing tool, go-audit, I immediately wanted to test it out to see how it could be used by defenders for detection purposes. While looking at other open source options for doing process auditing on Linux systems, I remembered that osquery also has a process auditing feature built in.

To test them both, I built an Ubuntu 14.04 micro-instance on Amazon and installed go-audit and osquery side by side. I’m pretty familiar with some of osquery’s features, but I had never enabled the process auditing features before and thought this might be a great time to check it out and compare functionality between the two.

I’m not here to recommend one tool over the other; I’m just providing a script that will create an osquery and go-audit testbed for anyone who is interested in trying both of them out.

Installation

To get started, boot up an Amazon/Google/Digital Ocean Ubuntu 14.04 instance, su to root, and put the contents shown below into /root/install-go-audit-osquery.sh. Then chmod +x it and run it.

When the script finishes running, it will drop into a tmux session with three windows open. Window 0 is a regular shell, Window 1 has go-audit ready to go, and Window 2 has osquery with process auditing enabled ready to go.

If you need a quick tmux hotkey primer, here ya go:

  • Detach from tmux session - ctrl + b + d
  • Reattach to tmux session - $ tmux attach
  • Change active tmux window - ctrl + b + $window_number
  • Next window - ctrl + b + n
  • Previous window - ctrl + b + p

Usage

At this point, literally all you have to do is switch to either the go-audit (ctrl + b + 1) or osquery (ctrl + b + 2) tmux window and press enter.

Osquery logs will populate every 10 seconds (configured in /etc/osquery/osquery.conf) in /var/log/osquery/osqueryd.results.log. A nice way to view them is to pipe them through jq by running:

$ tail -f /var/log/osquery/osqueryd.results.log | jq .
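For reference, the osquery side of this testbed needs a config along the following lines. This is an added illustration, not the author's install script (which is not reproduced here): the option names are osquery's kernel audit flags, and the query name, interval and paths are chosen to match the behaviour described above.

```json
{
  "options": {
    "disable_audit": false,
    "audit_allow_config": true,
    "audit_persist": true,
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery"
  },
  "schedule": {
    "process_events": {
      "query": "SELECT * FROM process_events;",
      "interval": 10,
      "description": "Process execution events from the kernel audit subsystem (constructed example config)"
    }
  }
}
```

With go-audit stopped (see Notes), restarting osqueryd after writing this to /etc/osquery/osquery.conf makes process_events rows appear in osqueryd.results.log on the 10-second schedule.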

Go-audit logs will populate in /var/log/syslog by default but can also be sent to a user-specified logfile.

Update 12/3: Ryan Huber reached out and the go-audit repo has been updated to include a script called line-parser that will further parse the JSON sent from go-audit. TL;DR below on taking advantage of that:

sudo su
apt-get install -y node nodejs
cd ~/.go/src/github.com/slackhq/go-audit/
# Update go-audit repo to get the latest changes
git pull
# Install nvm
cd /root
git clone https://github.com/creationix/nvm.git
cd nvm
./install.sh
export NVM_DIR="/root/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
cd ~/.go/src/github.com/slackhq/go-audit/contrib/line-parser
nvm install stable
node --version ## Should be v7.2.0
npm install ## Install the streamstash dependency
pkill go-audit || true # Kill any existing go-audit instances (no error if none is running)
# Disable syslog output (line 31 of go-audit.yaml; these line numbers assume the stock config)
sed -i '31s/true/false/' ~/.go/src/github.com/slackhq/go-audit/go-audit.yaml
# Enable writing to /tmp/go-audit.log (line 56)
sed -i '56s/false/true/' ~/.go/src/github.com/slackhq/go-audit/go-audit.yaml
# Restart go-audit with the edited config (e.g. from tmux window 1), then tail its log into line-parser
tail -f /tmp/go-audit.log | ~/.go/src/github.com/slackhq/go-audit/contrib/line-parser/line-parser | jq .

Notes

  • Running osquery in process auditing mode and go-audit at the same time will cause conflicts: both consume the kernel audit netlink socket, which only supports a single userspace listener.
  • This provided configuration is obviously not ideal for performance testing. It utilizes a stock configuration for both of these highly configurable tools and is not optimized in any way.
