Abstract

Incident Response and Analysis today rely on a single source of truth: Logs. But when it comes to Linux/BSD systems or MacOS Endpoints, configuring and getting audit logs is not as straight-forward as it is in Windows. To solve this problem, we created Providence. Providence is a stack of open-source tools authored by us that aims to simplify auditing on these systems. In this presentation, we will explain how auditing at a Kernel level works in Linux and Mac systems by elaborating on Auditing Subsystem in Linux and Endpoint Security Framework in Mac. After elaborating on the usage of the userland executables for these frameworks, we will finally demonstrate how Providence can simplify the usage of these frameworks across platforms and unify data in a single dashboard. The dashboard will be used to analyze this data and detect known malicious scripts and malware on the systems.