Wiki/Services/Cerberus.md


The Cerberus project is a physical monitoring solution created to watch through the Eyes and alert the admins.
# Etymology
[http://en.wikipedia.org/wiki/Cerberus Cerberus] was the guardian of the underworld in the Greek mythos. Similarly, this project guards the [[Forge2]] and the daemons on which the AniNIX runs.
# Relevant Files and Software
Cerberus configuration is intensive and manual -- we don't believe automating security installs will be beneficial. The one exception is the [[VirusScan]] package.
We provide a Makefile in [https://aninix.net/foundation/Cerberus the Cerberus Foundation package] to install all of these.
## Cerberus Monitors
### Command Monitors
Example:
<pre>
[ Filesystem IDS ]
type=command
command=aide -C | tee /var/log/aide.log
interval=86400
</pre>
Command monitors check for change in command output on a given interval. Each interval, the command will be re-run and checked against the prior output.
<b>Note:</b> This is not cron-like operation -- the command runs to completion and then we wait the interval. If you need more regular execution, use a File monitor instead, and check for changes in the output file. This may generate more false positives.
### File Monitors
Example:
<pre>
[ Network IDS ]
type=file
file=/var/log/suricata/fast.log
</pre>
File monitors use the C# file-watching APIs to watch files for changes. On file change, they will send a notification. Note that editing a file with vi rewrites it, which causes the monitor to re-read the entire file.
### Directory Monitors
Example:
<pre>
[ Physical IDS ]
type=directory
dir=/home/Eyes/Entry/
filter=*.jpg
</pre>
Directory monitors watch a directory for changes. The optional filter argument in the configuration allows watching for only specific filetypes.
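As an added example (not code from the Cerberus project), the following Python parses the three monitor types shown above, checks that each section carries the keys its type needs, and implements the command-monitor comparison of "this run's output against the prior run". The sample configuration and the `output_changed` helper are constructed for illustration.

```python
import configparser
import hashlib
import subprocess

# Constructed sample in the monitor format shown above (not the project's own config).
SAMPLE_CONFIG = """
[ Filesystem IDS ]
type=command
command=aide -C | tee /var/log/aide.log
interval=86400

[ Network IDS ]
type=file
file=/var/log/suricata/fast.log

[ Physical IDS ]
type=directory
dir=/home/Eyes/Entry/
filter=*.jpg
"""

# Keys each monitor type must carry; the directory "filter" key is optional.
REQUIRED = {"command": {"command", "interval"}, "file": {"file"}, "directory": {"dir"}}


def parse_monitors(text):
    """Return {name: {key: value}}; raise ValueError on a malformed section."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' in commands literal
    cp.read_string(text)
    monitors = {}
    for raw_name in cp.sections():
        name = raw_name.strip()  # '[ Network IDS ]' -> 'Network IDS'
        section = dict(cp[raw_name])
        mtype = section.get("type")
        if mtype not in REQUIRED:
            raise ValueError(f"{name}: unknown or missing type {mtype!r}")
        missing = REQUIRED[mtype] - section.keys()
        if missing:
            raise ValueError(f"{name}: missing keys {sorted(missing)}")
        if mtype == "command" and int(section["interval"]) <= 0:
            raise ValueError(f"{name}: interval must be a positive number of seconds")
        monitors[name] = section
    return monitors


def output_changed(command, previous_digest):
    """Run a command monitor once and report (changed, new_digest).

    The command line is an admin-authored shell pipeline by design (see the
    'aide -C | tee' example), so it is run through the shell on purpose."""
    out = subprocess.run(command, shell=True, capture_output=True).stdout
    digest = hashlib.sha256(out).hexdigest()
    return digest != previous_digest, digest
```

A real monitor loop would sleep for `interval` seconds after each `output_changed` call returns, matching the run-to-completion-then-wait behaviour described above.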
## Example Areas to Watch
### Vulnerabilities
* **System configuration:** The [https://cisofy.com/lynis/ lynis] package offers good monitoring of vulnerabilities, similar to the popular Nessus service.
* **Network encryption:** The [https://www.ssllabs.com/ssltest/ Qualys SSL Labs] test suite provides a dashboard for [[:Category:SSL|SSL certificate and ciphersuite]] health. The AniNIX's scorecard is publicly available at [https://www.ssllabs.com/ssltest/analyze.html?d=aninix.net this link].
* **PCI compliance:** Any site handling payment needs to have PCI compliance, primarily for the [https://www.pcisecuritystandards.org Self-Assessment Questionnaire]. The AniNIX attests itself as a PCI SAQ-A site -- all our payment functions are outsourced to PayPal presently or its Venmo subsidiary. We use the [https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner# Pentest-Tools Website Vulnerability Scanning] as our external scan vendor at the moment as a best practice.
* **World search availability:** Site domain admins that expect to be found by search engines should maintain a Google Analytics account and watch the [https://search.google.com/search-console Search Console] for issues to remedy on their [[WebServer|webserver]].
This may be best run as a manual check on a regular basis, rather than as a monitor. We run this battery quarterly to check for posture degradation.
### Network
We recommend and include installation of the [http://suricata.readthedocs.io/en/latest/index.html suricata] package for monitoring network input. Some notes:
1. Make sure to get HOME_NET configured correctly.
1. Some rulesets need to be dropped.
1. tor.rules needs to be removed if you're deploying a [[DarkNet]] machine.
1. If you are using IRC, comment out emerging-chat.rules in [file:///etc/suricata/suricata.yaml suricata.yaml].
1. I've had some problems with tracking ICMP and UDP, sadly, without millions of false positives. I comment out emerging-icmp.rules and decoder-events.rules.
1. Streaming services like [[Yggdrasil|AniNIX::Yggdrasil]] sometimes cause stream-events.rules to generate false positives.
1. Any other local events should be configured in [file:///etc/suricata/rules/local.rules local.rules].
1. You will need to edit suricata.yaml and enable the suricata service yourself -- manual intervention is necessary to make sure the HOME_NET subnet masking is accurate for your deployment.
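The rule-file pruning in the notes above (commenting out emerging-chat.rules, emerging-icmp.rules and decoder-events.rules in suricata.yaml) can be done repeatably with the following Python; it is an added example, not part of the Cerberus package, and the yaml excerpt is a constructed sample rather than a real suricata.yaml.

```python
import re

# Constructed excerpt of the rule-files list in suricata.yaml (not the project's own file).
SAMPLE_YAML = """\
default-rule-path: /etc/suricata/rules
rule-files:
 - botcc.rules
 - emerging-chat.rules
 - emerging-icmp.rules
 - decoder-events.rules
 - stream-events.rules
 - local.rules
"""

# Rule files the notes above single out as noisy on a network hosting IRC.
NOISY = {"emerging-chat.rules", "emerging-icmp.rules", "decoder-events.rules"}

# A list entry, optionally already commented out: '  - x.rules' or '  #- x.rules'.
ENTRY = re.compile(r"^(\s*)(#\s*)?-\s*(\S+\.rules)\s*$")


def disable_rule_files(yaml_text, to_disable):
    """Comment out the named rule-file entries; leaves already-disabled ones alone."""
    out = []
    for line in yaml_text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3) in to_disable and not m.group(2):
            line = f"{m.group(1)}#- {m.group(3)}"  # '#' comment keeps the yaml valid
        out.append(line)
    return "\n".join(out) + "\n"


def enabled_rule_files(yaml_text):
    """Return the rule files still active, in order, so the edit can be reviewed."""
    return [m.group(3) for m in map(ENTRY.match, yaml_text.splitlines())
            if m and not m.group(2)]
```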
To respond to actual attacks, we recommend blocking with iptables. At your network edge, use the following commands to add a new drop chain to the firewall.
<pre>
iptables -N severe
iptables -I INPUT -j severe
iptables -I FORWARD -j severe
</pre>
When this is done, the following command can be used to block offending IPs.
<pre>
iptables -A severe -s <SOURCE IP>/32 -j DROP
</pre>
[[Shadowfeed|AniNIX::Shadowfeed]] uses some special iptables syntax -- check [http://www.dd-wrt.com/wiki/index.php/Iptables_command the DD-WRT wiki] for any special considerations.
Also, we install the [https://aur.archlinux.org/packages/oinkmaster oinkmaster] package to pull rule updates for Suricata. Update root's crontab to reschedule this job.
### Filesystem
We recommend using the AIDE package to watch for changes. While the output is complex, we have not found a better system. Please submit a [[QANs|QAN]] if you have recommendations, but we have not had good luck with OSSEC's stability.
### Remote Intrusions
Presently, we include, configure, and enable the [https://wiki.archlinux.org/index.php/Sshguard sshguard] service to prevent intrusions via iptables. The -s and -p flags on the service file for sshguard control intervals -- see "man sshguard" for details.
### Physical Intrusion
We recommend adding an eyes user and folders. This user should be SFTP/FTP jailed to their home folder. IP cameras from [[Geth|AniNIX::Geth]] can be configured to upload images to the folders on detecting motion.
Alternately, Geth units with other sensing equipment can write to files that a File monitor can watch.
## Other protections
These can be added with "make bonusinstall".
### ccrypt
Any protected data can be encrypted with ccrypt, a replacement for the popular TrueCrypt software.
### pass
pass is a Git-aware password storage client using GPG encryption. It is an excellent, secure way to store passwords: it can integrate directly with the clipboard so the password is never displayed, and it can randomly generate passwords for you. pwgen is an alternative, but you will then need your own password storage system. <b>DO NOT USE TEXT FILES!</b>
# Available Clients
There are no clients for Cerberus -- it will notify any necessary address by email through [[Djinni|AniNIX::Djinni]].
[[Category:Djinni]]
# Equivalents or Competition
Professional tools like Nessus, Tripwire, and Check Point provide vulnerability, filesystem, and network scanning. Alternative packages can be browsed from the [https://wiki.archlinux.org/index.php/List_of_applications/Security ArchLinux security tool index].
[[Category:Internal_Service]]
[[Category:Security]]