Providence

By Swapnil Kumbhar , Akshay Shah on 06 Mar 2020 @ Nullcon
💻 Source Code 🔗 Link
#incident-management #linux #macos #audit #blueteam
Focus Areas: ⚖️ Governance, Risk & Compliance , 🛡️ Security Operations & Defense , 💻 Endpoint Security , 🚨 Incident Response
This Tool Demo covers the following tools, which the speakers have authored or contributed to:
PROVIDENCE

Abstract

Incident response and analysis today rely on a single source of truth: logs. But on Linux/BSD systems and macOS endpoints, configuring and collecting audit logs is not as straightforward as it is on Windows. To solve this problem, we created Providence, a stack of open-source tools authored by us that aims to simplify auditing on these systems. In this presentation, we will explain how kernel-level auditing works on Linux and macOS by elaborating on the Audit subsystem in Linux and the Endpoint Security framework on macOS. After covering the usage of the userland executables for these frameworks, we will demonstrate how Providence simplifies their use across platforms and unifies the data in a single dashboard. The dashboard will then be used to analyze this data and detect known malicious scripts and malware on the systems.