Security/Mentorships/MWoS/2014/Linux Audit heka plugin (Go)

From MozillaWiki
Revision as of 19:50, 8 September 2014 by Arunks (talk | contribs) (→‎2014-08-25)

Team

Introduction

We are a team of undergraduate students from Jaypee Institute of Information Technology who are passionate about Open Source and love developing something that can be useful to the community. We are all active members of the Open Source Developers Club of our university. We got really excited when we first heard about MWoS, as it’s a great chance for us to work with such an amazing community. Having contributed to open source organisations, we know how it feels to develop software that will be used by thousands of people, and that is what motivates us towards MWoS.

Members

Project

Heka is a Mozilla project for log routing, analysis, etc. (see http://hekad.readthedocs.org/en/latest/). Linux Audit collects various system calls and events in the kernel and sends them to a C user-space program (auditd) over the netlink protocol. Mozilla C plugins (https://github.com/gdestuynder/audisp-cef and https://github.com/gdestuynder/audisp-json) currently correlate, transform, and send these events back to our logging architecture.

Description

This project aims to deliver the same functionality as Linux Audit (auditd, audispd) plus audisp-cef/json, but in native Go as a plugin to Heka.

This means it will listen for events from the kernel via the Netlink protocol, parse the messages, convert them to JSON in MozDef's native format, and pass them on to Heka.

Success Criteria

  • Ability to process and forward audit events in pure Go from the kernel to Heka, as they would come out of audisp-json.

Roadmap

  • Get more familiar with Go [August 18 2014]
  • Work on communication using Netlink (receive audit messages from the kernel) [September 6 2014]
  • Port the netlink code as a Heka plugin and start working with Lua. [September 17 2014]
  • Store messages in some structure and process them (Lua) [September 24 2014]
  • Correlate the kernel messages into a single mozdef-json message [September 31 2014]
  • Send the message back to MozDef (can be done through Heka functions) over HTTPS [October 13 2014]

Updates

2014-08-11

Kick off meeting. (Etherpad Index) : https://etherpad.mozilla.org/YnR9hhqutn

Tasks for the next 2 weeks:

  • Get familiar with Go (first week)
  • Explore the Netlink protocol, play with it and see how we can use it.


2014-08-25

(Etherpad Index)

Project Code

Tasks for this week:

  • Write code that uses Netlink protocol.
  • Receive Audit Messages from kernel.

<date>

  • current work
  • blocking points
  • discussion points
  • upcoming work