Wiki/Services/Cerberus.md

The Cerberus project is a physical monitoring solution created to watch through the Eyes and alert the admins.

Etymology

[http://en.wikipedia.org/wiki/Cerberus Cerberus] was the guardian of the underworld in the Greek mythos. Similarly, this project guards the Forge2 and the daemons on which the AniNIX runs.

Relevant Files and Software

Cerberus configuration is intensive and manual -- we don't believe automating security installs will be beneficial. The one exception is the VirusScan package.

We provide a Makefile in [https://aninix.net/foundation/Cerberus the Cerberus Foundation package] to install all of these.

Cerberus Monitors

Command Monitors

Example:

[ Filesystem IDS ]
type=command
command=aide -C | tee /var/log/aide.log
interval=86400

Command monitors check for change in command output on a given interval. Each interval, the command will be re-run and checked against the prior output.

Note: This is not cron-like operation -- the command runs to completion and then we wait the interval. If you need more regular execution, use a File monitor instead, and check for changes in the output file. This may generate more false positives.

File Monitors

Example:

[ Network IDS ]
type=file
file=/var/log/suricata/fast.log

File monitors use C# APIs to watch files for changes. On each file change, they will send a notification. FYI, editing a file with vi will cause the monitor to completely re-read the file.

Directory Monitors

Example:

[ Physical IDS ]
type=directory
dir=/home/Eyes/Entry/
filter=*.jpg

Directory monitors watch a directory for changes. The optional filter argument in the configuration allows watching for only specific filetypes.
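The three monitor types above, modelled in Python as an added example (Cerberus itself is written in C#; this is not its code). It parses the same INI-style section format the page shows and fingerprints what each monitor watches: a command monitor hashes the command's output, a file monitor hashes the file, and a directory monitor hashes every file matching the optional filter. The configuration text, file names and helper names are constructed for the example.

```python
import configparser
import fnmatch
import hashlib
import os
import subprocess
import tempfile

# Constructed sample configuration in the section format shown above.
SAMPLE_CONFIG = """
[ Filesystem IDS ]
type=command
command=echo unchanged
interval=86400

[ Physical IDS ]
type=directory
dir=/path/to/Eyes/Entry
filter=*.jpg
"""


def parse_monitors(text):
    """Parse the INI-style monitor definitions into a list of dicts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    monitors = []
    for section in cp.sections():
        mon = dict(cp[section])          # keys: type, command/file/dir, filter, interval
        mon["name"] = section.strip()    # "[ Filesystem IDS ]" -> "Filesystem IDS"
        mon.setdefault("interval", "3600")
        monitors.append(mon)
    return monitors


def file_digest(path):
    """SHA-256 of a file's content, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(mon):
    """Fingerprint what a monitor watches; a changed fingerprint is an alert."""
    kind = mon["type"]
    if kind == "command":
        # The command line (pipes included) is admin-supplied configuration,
        # so running it through the shell is intended, as in the page's example.
        done = subprocess.run(mon["command"], shell=True, capture_output=True)
        return hashlib.sha256(done.stdout).hexdigest()
    if kind == "file":
        return file_digest(mon["file"])
    if kind == "directory":
        pattern = mon.get("filter", "*")   # optional filter, e.g. *.jpg
        return {
            name: file_digest(os.path.join(mon["dir"], name))
            for name in sorted(os.listdir(mon["dir"]))
            if fnmatch.fnmatch(name, pattern)
        }
    raise ValueError("unknown monitor type: %s" % kind)


def diff_directory(old, new):
    """Explain a directory change as added / removed / modified file names."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def demo_directory_monitor():
    """Drop a .jpg and a .txt into a temporary 'Eyes' folder; only the .jpg
    matches the *.jpg filter, so only it shows up as a change."""
    with tempfile.TemporaryDirectory() as tmp:
        mon = {"name": "Physical IDS", "type": "directory", "dir": tmp, "filter": "*.jpg"}
        before = snapshot(mon)
        with open(os.path.join(tmp, "entry-001.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8 constructed jpeg bytes")
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("ignored by the filter")
        after = snapshot(mon)
        return diff_directory(before, after)


if __name__ == "__main__":
    for mon in parse_monitors(SAMPLE_CONFIG):
        print(mon["name"], "->", mon["type"], "every", mon["interval"], "s")
    print(demo_directory_monitor())
```

A real loop would take a baseline `snapshot()`, sleep for `interval` seconds after the command finishes (the run-then-wait behaviour the note above describes, not a cron schedule), and alert when the next snapshot differs; for directories, `diff_directory()` gives the admin the file names to look at rather than just "something changed".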

Example Areas to Watch

Vulnerabilities

This may be best run as a manual check on a regular basis, rather than as a monitor. We run this battery quarterly to check for posture degradation.

Network

We recommend and include installation of the [http://suricata.readthedocs.io/en/latest/index.html suricata] package for monitoring network input. Some notes:

  1. Make sure to get HOME_NET configured correctly.
  2. Some rulesets need to be dropped.
    1. tor.rules needs to be removed if you're deploying a DarkNet machine.
    2. If you are using IRC, comment out emerging-chat.rules in [file:///etc/suricata/suricata.yaml suricata.yaml].
    3. I've had some problems with tracking ICMP and UDP, sadly, without millions of false positives. I comment out emerging-icmp.rules and decoder-events.rules.
    4. Streaming services like Yggdrasil sometimes cause stream-events.rules to generate false positives.
  3. Any other local events should be configured in [file:///etc/suricata/rules/local.rules local.rules].
  4. You will need to edit suricata.yaml and enable the suricata service yourself -- manual intervention is necessary to make sure the HOME_NET subnet masking is accurate for your deployment.

To remedy actual assaults, we recommend a response by iptables. At your network edge, use the following commands to add a new drop chain to the firewall.

iptables -N severe
iptables -I INPUT -j severe
iptables -I FORWARD -j severe

When this is done, the following command can be used to block offending IPs.

iptables -A severe -s <offending IP>/32 -j DROP

Shadowfeed uses some special iptables syntax -- check [http://www.dd-wrt.com/wiki/index.php/Iptables_command the DD-WRT wiki] for any special considerations.
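Tying the Suricata and iptables steps together, an added example (not Cerberus or Suricata code): it parses fast.log lines in Suricata's one-line alert layout, keeps the source addresses of alerts at or above a chosen priority, skips anything inside HOME_NET so a mis-set subnet can never lock out your own hosts, and renders the `iptables -A severe ... -j DROP` commands from the page. The log lines are constructed (documentation address ranges, local-range SIDs) and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample fast.log lines in Suricata's one-line alert layout.
SAMPLE_FAST_LOG = """\
03/08/2024-12:34:56.123456  [**] [1:1000001:1] LOCAL Probe of admin login [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44321 -> 192.0.2.10:443
03/08/2024-12:35:01.000001  [**] [1:1000002:1] LOCAL Suspicious inbound to database port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.10:3306
03/08/2024-12:35:05.000002  [**] [1:1000003:1] LOCAL Stream event, outbound [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:443 -> 203.0.113.5:44321
03/08/2024-12:36:00.000003  [**] [1:1000001:1] LOCAL Probe of admin login [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44322 -> 192.0.2.10:443
03/08/2024-12:37:00.000004  [**] [1:1000004:1] LOCAL Noisy ICMP decoder event [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9:0 -> 192.0.2.10:0
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(endpoint):
    """'203.0.113.5:44321' -> ('203.0.113.5', 44321); split at the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port else None)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        alerts.append({
            "sid": int(m.group("sid")), "msg": m.group("msg"),
            "priority": int(m.group("prio")), "proto": m.group("proto"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
        })
    return alerts


def block_candidates(alerts, home_net, max_priority=2):
    """Source addresses worth dropping: priority <= max_priority (1 is the most
    severe) and outside HOME_NET, so our own hosts are never added to the chain."""
    home = [ipaddress.ip_network(n, strict=False) for n in home_net]
    offenders = {}
    for a in alerts:
        if a["priority"] > max_priority:
            continue
        try:
            src = ipaddress.ip_address(a["src"])
        except ValueError:       # not a parseable address; leave it for a human
            continue
        if any(src in net for net in home):
            continue
        offenders.setdefault(str(src), []).append(a["sid"])
    return offenders


def iptables_commands(offenders, chain="severe"):
    """Render one host-route drop rule per offender for the page's 'severe' chain."""
    cmds = []
    for ip in sorted(offenders, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        tool = "iptables" if addr.version == 4 else "ip6tables"
        cmds.append(f"{tool} -A {chain} -s {ip}/{addr.max_prefixlen} -j DROP")
    return cmds


if __name__ == "__main__":
    found = block_candidates(parse_fast_log(SAMPLE_FAST_LOG), ["192.0.2.0/24"])
    for ip, sids in found.items():
        print(ip, "triggered SIDs", sids)
    print("\n".join(iptables_commands(found)))
```

Printing the commands rather than executing them keeps a human in the loop, which matches the page's stance that the block list is applied by an admin at the network edge; the `home_net` argument should be the same subnet list you put in HOME_NET in suricata.yaml.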

Also, we install the [https://aur.archlinux.org/packages/oinkmaster oinkmaster] package to pull rules from Suricata. Update root's crontab to reschedule this job.

Filesystem

We recommend using the AIDE package to watch for changes. While the output is complex, we have not found a better system. Please submit a QANs if you have recommendations, but we have not had good luck with OSSEC's stability.

Remote Intrusions

Presently, we include, configure, and enable the [https://wiki.archlinux.org/index.php/Sshguard sshguard] service to prevent intrusions via iptables. The -s and -p flags on the service file for sshguard control intervals -- see "man sshguard" for details.

Physical Intrusion

We recommend adding an eyes user and folders. This user should be SFTP/FTP jailed to their home folder. IP cameras from Geth can be configured to upload images to the folders on detecting motion.

Alternately, Geth units with other sensing equipment can write to files that a File monitor can watch.

Other protections

These can be added with "make bonusinstall".

ccrypt

Any protected data can be encrypted with ccrypt, a replacement of the popular TrueCrypt software.

pass

pass is a Git-aware password storage client using GPG encryption. This is an excellently secure way to store passwords and can integrate directly into the clipboard to never show the password, and it can randomly generate passwords for you. pwgen is an alternative, but you will then need your own password storage system. DO NOT USE TEXT FILES!

Available Clients

There are no clients for Cerberus -- it will notify any necessary address by email through Djinni.

Equivalents or Competition

Professional tools like Nessus, Tripwire, and Check Point provide vulnerability, filesystem, and network scanning. Alternative packages can be browsed from the [https://wiki.archlinux.org/index.php/List_of_applications/Security ArchLinux security tool index].