SECURITY-BOT This is the code that was demonstrated at the DevConf 2015 conference Speech is here: https://www.youtube.com/watch?v=PUpKwtvHXwg&t=15s The idea was to AIML to chat with the system to discover any security issues. BUILDING ======== To build the project run: /usr/bin/qmake-qt4 -o Makefile security-bot.pro Then make and finally as root ./security-bot You can then ask questions and it will answer. When you are done, type quit. BACKGROUND ========== The goal is to allow natural language querying of a system's security status. It will encompass the following topics: Security Updates (yum --security) SE Linux enforcing (sestatus) System is well configured (oscap) System integrity checked (aide) Open ports with risky programs (netcap) Firewall status Audit status Users with privileges logged in (w kind of) Anomalous events in recent activity (aureport, realtime events) Suspicious user behavior (realtime audit events) The ultimate question would be, "Is this system secure?" To answer this question, it will have to consider each category. This can be modeled after an attack tree. THOUGHTS ======== Can external sensors set state in the aiml instance? Maybe a private conversation? Make a state diagram of the work it can do. These can map to predicates. Use tree diagrams to study sentence construction Might also be able to have a key word such as "thinking" or "working.." where the output program makes note and sets a timer to provoke another chance to talk. NEEDS ===== * killall needs session awareness * need something like w except with roles and privs * Audit rules that classify use of programs for: Reconnaissance - ls, ps, lsof, w, who, ?cp /etc/passwd, Pre-exploit - wget, curl, links, elinks, rsync, scp, chmod +x Exploitation - setarch, crashed app, using ld.so Privilege escalation - su, sudo, shadow, passwd Gaining IP - shadow, home dirs, shared dirs, keys Become permanent - write into boot, write module, load module, edit module list Covering tracks - history files, logs, utmp, btmp, Spreading - ssh, tcpdump, GOALS ===== SElinux ------- Is it enabled is it causing problems if problems, what is causing it users ----- Are people logged in Do any have privs Are they doing risky behavior? programs -------- Do we need to apply security updates Do we have risky programs listening aide ---- Have any system binaries changed config? Is system config files still the same? scap ---- Have we scanned lately do a scan Do we pass Can we fix it audit ---- is audit enabled do we have rules loaded run basic search run basic report run search + report analyze events - classifier output flow or state diagram ===================== issue -> problem -> action FUTURE IDEAS ============ 1) Topic restricts the set of questions severly. Create a variable, subject, to serve a more flexible purpose. It is something the user may ask a check for. 2) Also create a variable, problem, specifically for the purpose of allowing the user to request a fix. When a check runs, it may set a problem or clear problem. Calling the fix clears the problem. 3) tell me about security? Then say what is known, set subject, then pause, then ask if you it checked. If yes, then use subject to direct to the correct check.