In my continued pursuit of strengthening the security infrastructure at my own startup, ALight Technology And Services Limited, I have written a few blog articles in the past about securing web applications and the importance of audit logs, which are part of the NIST Cyber Security Framework. This blog post talks about some things I have done on AWS infrastructure. While running a company with no other employees, and while being the target of state-sponsored / state-trained hackers, I ended up learning a lot, and I have now dabbled in pretty much everything in computing (expert at development, learning system administration, infosec, etc., as part of running my own startup).
- I created a base Ubuntu image by enabling ufw, installing auditd, installing the CloudWatch logs agent, closing unnecessary ports, adding some custom alerters that fire as soon as an SSH login happens, etc. I call this AMI the golden AMI, and I update it every few months. The advantage of using a golden AMI like this is that any EC2 instance you launch from it already has these in place.
- I am using the ELK stack along with CloudWatch Logs and S3 for logs: the ELK stack for log analysis (logs are stored there for a shorter period), CloudWatch Logs for various other reasons (can't disclose), and finally S3 Glacier for longer-term retention.
- With the above-mentioned setup, if an incident happens, all the necessary logs would be in place for analysis.
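As an added example (my own illustration, not a script from the post or from ALight's golden AMI), here is the kind of SSH login alerter the list above mentions. It is wired into sshd through pam_exec, which runs a script on every session open and close and exposes PAM_USER, PAM_RHOST, PAM_TYPE and PAM_SERVICE in its environment; the script formats one line and hands it to syslog, from where the CloudWatch agent ships it with the rest of /var/log/auth.log. The install path, the log tag and the PAM line are assumptions.

```sh
#!/bin/sh
# Added example: /usr/local/bin/ssh-login-alert.sh (assumed path), run by pam_exec.
# Hook it into sshd with this line in /etc/pam.d/sshd (assumed placement):
#   session optional pam_exec.so /usr/local/bin/ssh-login-alert.sh

# format_alert USER RHOST TYPE SERVICE
# Prints one alert line for an sshd session open, and nothing for any other
# PAM event, so callers (and tests) can check for an empty result.
format_alert() {
    [ "$4" = "sshd" ] || return 0
    [ "$3" = "open_session" ] || return 0
    printf 'SSH_LOGIN user=%s from=%s\n' "$1" "${2:-unknown}"
}

# pam_exec entry point: read the PAM_* environment and forward to syslog.
# logger(1) writes to the auth facility, which lands in /var/log/auth.log on
# Ubuntu; "ssh-login-alert" is an assumed tag to filter on downstream.
pam_entry() {
    msg=$(format_alert "${PAM_USER:-}" "${PAM_RHOST:-}" "${PAM_TYPE:-}" "${PAM_SERVICE:-}")
    [ -n "$msg" ] || return 0
    logger -p auth.notice -t ssh-login-alert "$msg"
}

# Only act when invoked by pam_exec (it always sets PAM_TYPE); sourcing the file
# or running it by hand is side-effect free.
if [ -n "${PAM_TYPE:-}" ]; then
    pam_entry
fi
```

Filtering on the tag ("ssh-login-alert") in CloudWatch Logs, or on the SSH_LOGIN prefix in the ELK stack, is then enough to build a metric filter or alarm that pages on every interactive login to a fleet that should normally see none.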
I wanted to give a quick introduction to the CloudWatch logs agent and auditd as part of this blog post.
CloudWatch logs agent:
A small piece of software that ingests logs into AWS CloudWatch Logs. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
The setup needs an IAM role with the proper permissions; more details are at the above-mentioned link.
On Ubuntu the logs config is stored at:
/var/awslogs/etc/awslogs.conf
The configuration file is very simple and straightforward.
I would suggest ingesting all the Ubuntu system logs along with the auditd logs, and baking that configuration into the golden AMI.
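To show what that suggestion looks like in the agent's config file, here is an added example (my own, not the post's file) that renders /var/awslogs/etc/awslogs.conf for a golden AMI with syslog, auth.log and auditd's log each going to its own log group. The section and key names ([general], state_file, file, log_group_name, log_stream_name, datetime_format, initial_position) and the {instance_id} stream placeholder are the agent's own; the log group prefix is an assumption. audit.log has no leading timestamp the agent can parse (its time is inside msg=audit(...)), so that section leaves datetime_format out and the agent stamps ingestion time.

```sh
#!/bin/sh
# Added example: render the CloudWatch logs agent config for the golden AMI.

# write_awslogs_conf DEST [LOG_GROUP_PREFIX]
write_awslogs_conf() {
    dest=$1
    prefix=${2:-/golden-ami}   # assumed naming scheme for the log groups
    cat > "$dest" <<EOF
[general]
state_file = /var/awslogs/state/agent-state

[syslog]
file = /var/log/syslog
log_group_name = $prefix/syslog
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
initial_position = start_of_file

[auth]
file = /var/log/auth.log
log_group_name = $prefix/auth
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
initial_position = start_of_file

[audit]
file = /var/log/audit/audit.log
log_group_name = $prefix/audit
log_stream_name = {instance_id}
initial_position = start_of_file
EOF
}

# awslogs_conf_sections FILE: list the section names, one per line, so an AMI
# build step can assert that every expected log source is configured.
awslogs_conf_sections() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# On a real build (assumed invocation): write the file and restart the agent.
if [ "${1:-}" = "--apply" ]; then
    write_awslogs_conf /var/awslogs/etc/awslogs.conf "${2:-}"
    awslogs_conf_sections /var/awslogs/etc/awslogs.conf
    sudo systemctl restart awslogs
fi
```

Keeping the state file under /var/awslogs/state means a rebooted instance resumes where it left off rather than re-shipping old lines; if you snapshot the AMI after a test run, delete that state file first so instances launched from it start clean.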
AuditD:
This is a nice audit tool for Linux, capable of auditing a lot of things.
Installation:
sudo apt update
sudo apt-get install auditd
sudo systemctl enable auditd
sudo systemctl start auditd
The configuration and rules are stored under /etc/audit. The config file is auditd.conf; rules go in audit.rules.
The configuration file is self-explanatory.
There are no default rules.
But thankfully there is a GitHub repo with several rule templates for meeting compliance standards such as PCI DSS. The PCI rules are at: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules
Several other rule files are located in the same repository:
https://github.com/linux-audit/audit-userspace/tree/master/rules
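Since there are no default rules, here is an added example of a small baseline rule file for the golden AMI (my own, not a file from the post or from the audit-userspace repository), plus a check a build step can run before loading it. One caveat worth knowing: on current Ubuntu, augenrules rebuilds /etc/audit/audit.rules from the fragments in /etc/audit/rules.d/, so edits made directly to audit.rules get overwritten; the example therefore writes a fragment. The file name, the key names after -k, and the choice of watched paths are assumptions.

```sh
#!/bin/sh
# Added example: baseline auditd rules for the golden AMI, with a pre-load check.

RULES_DIR=/etc/audit/rules.d   # augenrules merges *.rules from here

# write_baseline_rules DEST
write_baseline_rules() {
    cat > "$1" <<'EOF'
## Reset, buffer size, and failure mode (1 = printk, keep running)
-D
-b 8192
-f 1

## Identity and privilege files: record every write or attribute change
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

## SSH and log-shipping configuration: tampering here blinds the pipeline
-w /etc/ssh/sshd_config -p wa -k sshd
-w /var/awslogs/etc/awslogs.conf -p wa -k logging
-w /etc/audit/ -p wa -k auditconfig

## Programs that run with uid != euid and end up as root (setuid use)
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k privesc
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k privesc

## Lock the rules until reboot; must be the last line
-e 2
EOF
}

# check_rules FILE: fail if any watch or syscall rule lacks a key (-k), since
# keyless events are painful to search, or if the immutable flag (-e 2) is not
# the final rule, because auditctl rejects every rule that follows it.
check_rules() {
    rules=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$') || true
    printf '%s\n' "$rules" | grep -E '^-(w|a) ' | grep -vq -- ' -k ' && return 1
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "-e 2" ] || return 1
    return 0
}

# On a real build (assumed invocation): write, check, merge and load the rules,
# then list what the kernel actually holds.
apply_baseline() {
    write_baseline_rules "$RULES_DIR/10-golden-ami.rules"
    check_rules "$RULES_DIR/10-golden-ami.rules"
    augenrules --load
    auditctl -l
}

if [ "${1:-}" = "--apply" ]; then
    apply_baseline
fi
```

With -e 2 in place the rules cannot be changed or cleared without a reboot, which is exactly what you want on an instance you do not log into interactively; on the build host itself, test the fragment with -e 1 first so you can still iterate.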
Stay safe & secure! Stay away from hac#?ers / ransom thieves.
Happy computing!
–
Mr. Kanti Kalyan Arumilli
B.Tech, M.B.A
Founder & CEO, Lead Full-Stack .Net developer
ALight Technology And Services Limited
Phone / SMS / WhatsApp on the following 3 numbers:
+91-789-362-6688, +1-480-347-6849, +44-07718-273-964
+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)
kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.