Forcepoint Threat Protection for Linux

Memory forensics - Extracting IPs, ports from memory - Garbage dumps - Process-related data structures - Non-default kernel modules

Linux requirements for deployment - Threat protection for Linux - Package formats (RPM, DEB) - SSH with client certificate - Sudo and forced commands - Kernel module management - System log and removal rate - Restricting - Task setting with crontab

Product architecture - Software components and interactions - Kernel module pmad.ko - Reference databases - SIEM and Splunk

Reporting and Splunk - Configuration management tools - Ansible - Cfengine, Salt - Puppet - Chef

Endpoint configurations - Analyzing the full dump - Creating partial queries - Dealing with "blurry" memory images

Command line tools explained - secondlook-cli - secondlook-scan - secondlook-gui

Alert filtering - Regex for alert descriptions

SIEM and Splunk - Collecting data; SIEM and syslogd - Splunk data sources - Splunk queries and dashboards - Integration with GreyLog, ArcSight, QRadar, Datalog, Sumologic

Setting up reference database - Configuring DB, users and permissions

Adding new software to the reference database - Overview of deb, rpm packages - ELF format - Sizing and caching considerations - Secondlook_scan.cfg and URL

Adding new kernel images - Inspecting ZRK files - Creating new reference ZRKs - Adding ZRKs to local reference

Filter warnings - Regex patterns with warning messages - Typical warning examples

Testing - Unrecognized user processes- Non-ELF executable mappings - Experiments with modified longring - Software - Additional drivers - JIT compilation

Promiscuous NICs, pre-linking - VMware tools as false positives - NIC configuration causing warnings - Pre-linking (CentOS and other distributions)

Unrecognized kernel modules - Credential reuse for kernel tasks - Hook kernel data structures

Rootkit discussion - "Average coder" rootkit - Phalanx 2" rootkit - "Suterusu" rootkit