Application Security and Hardening

Geekwise Academy


Week 11 - Kali Linux and Audit Logging


Instructors:

Corey Shuman


Slack Channel:

#application-security

Github Repo:

https://github.com/coreyshuman/GeekwiseApplicationSecurity

Lecture Notes:

http://coreyshuman.github.io/GeekwiseApplicationSecurity/LectureNotes



Table of Contents:



    Kali Linux

    `docker run -t -i kalilinux/kali-linux-docker /bin/bash`

    https://en.wikipedia.org/wiki/Vulnerability_scanner

    https://mylesbraithwaite.com/2017/016/exploiting-wordpress-with-metasploit/

    https://md5hashing.net/hash_type_checker

    https://www.hackthebox.eu/

    https://en.wikipedia.org/wiki/Metasploit_Project

    https://www.kali.org/news/official-kali-linux-docker-images/

    http://www.hackingarticles.in/

    Fuzzing

    https://en.wikipedia.org/wiki/Fuzzing

    Logging and Auditing

    An audit log is a security-relevant, chronological set of records that provides evidence of the sequence of activities that have occurred on a system. Audit records typically result from activities such as financial transactions, scientific research and health care data transactions, or communications by individual people, systems, accounts, or other entities.

    [OWASP: Error Handling, Auditing and Logging](https://www.owasp.org/index.php/Error_Handling,_Auditing_and_Logging)

    Why are Audit Logs Important

    [Reference](https://www.datamation.com/columns/article.php/3578916/The-Importance-of-Audit-Logs.htm)

    Audit logs provide us with the following:

    • **Accountability** – Log data can identify what accounts are associated with certain events. This information then can be used to highlight where training and/or disciplinary actions are needed.
    • **Reconstruction** – Log data can be reviewed chronologically to determine what was happening both before and during an event. For this to work, the accuracy and coordination of system clocks are critical: to trace activity across machines, every clock must be regularly synchronized to a central source (for example NTP) so that the date/time stamps are in sync and a single ordering of events can be recovered.
    • **Intrusion Detection** – Unusual or unauthorized events can be detected through the review of log data, assuming that the correct data is being logged and reviewed. The definition of what constitutes unusual activity varies, but can include failed login attempts, login attempts outside of designated schedules, locked accounts, port sweeps, network activity levels, memory utilization, key file/data access, etc.
    • **Problem Detection** – In the same way that log data can be used to identify security events, it can be used to identify problems that need to be addressed. For example, investigating causal factors of failed jobs, resource utilization, trending and so on.

    Examples of Audit Logging

    [Github Audit Logging](https://help.github.com/enterprise/2.12/admin/articles/audit-logging/)

    [MySQL Audit Log Format](https://dev.mysql.com/doc/refman/5.7/en/audit-log-file-formats.html)

    In-Class: What Data Should be Captured in an Audit Log?

    The following articles discuss the types of data that should be captured in an audit log. Please read these two articles, then discuss with the group the types of data you would like to see in an audit. Are there any things that you can think of that are missing in these articles? Which items are relevant to our blogging app?

    [Best Practices for Audit Log Review](http://www.computerweekly.com/tip/Best-practices-for-audit-log-review-for-IT-security-investigations)

    [Application Logs - Security Best Practices](https://www.paladion.net/blogs/application-logs-security-best-practices)

    What Data Should NOT Be Logged

    [Reference](https://stackoverflow.com/questions/33671027/logging-security-considerations-and-sensitive-data)

    You want to be careful that sensitive data is not captured in your audit logs, since logs are generally not encrypted or access-controlled to the level that sensitive data requires, and they are routinely copied to files, log aggregators and backups that far more people can read than the original database. For example: passwords, session tokens and API keys, social security numbers, and credit card data should not be written to an audit log. The audit logging code should have special sanitization in place to strip or redact sensitive data from payloads before the log record is stored, rather than relying on every caller to remember to do it.

    Assignment: Apply Audit Logging to All Events in our Blog

    Use this as a resource: [OWASP: Logging Cheat Sheet](https://www.owasp.org/index.php/Logging_Cheat_Sheet)

    Add logging to our blogging application. You will need to create a log database, determine what data to capture, and implement code that will capture all events that occur through the API. The logs should be detailed enough that you can recreate a series of events just by using the logs.

    Bonus: add sanitization to redact any payloads that contain social security numbers. It should change the number `123-45-6789` to something like `***-**-****` or `[SSN Redacted]`.

    Once you've implemented audit logging, have a partner perform a series of 6-10 actions on your blog, then use the audit log to see if you can recreate the steps they performed.



    Resources