Open source is a wonderful thing. A significant chunk of today’s enterprise IT and personal technology depends on open source software. But even while open source software is widely used in networking, operating systems, and virtualization, enterprise security platforms still tend to be proprietary and vendor-locked. Fortunately, that’s changing.
If you haven’t been looking to open source to help address your security needs, it’s a shame—you’re missing out on a growing number of freely available tools for protecting your networks, hosts, and data. The best part is, many of these tools come from active projects backed by well-known sources you can trust, such as leading security companies and major cloud operators. And many have been tested in the biggest and most challenging environments you can imagine.
Open source has always been a rich source of tools for security professionals—Metasploit, the open source penetration testing framework, is perhaps the best-known—but information security is not restricted to the realm of researchers, investigators, and analysts, and neither are the five open source security tools we survey below. IT administrators and software developers have a key role to play, and with these five tools, they can make a difference.
Commit Watcher: Check code repos for secrets
Secrets don’t belong in open source repositories, but that doesn’t stop absentminded developers from storing them there. We’ve all read the reports of people accidentally exposing private Amazon Web Services keys, hard-coded passwords, or API tokens by uploading them to GitHub or other code repositories.
To combat this, SourceClear came up with Commit Watcher, a free open source tool that looks for potentially hazardous commits in public and private Git repositories. Developers and administrators alike can use Commit Watcher to monitor their own projects for accidental credential disclosures and public projects they use regularly to find out if there are any issues in those projects. For example, when a public project is updated with a commit such as “fixes XSS attack,” then Commit Watcher will notify the developer who works with it to grab a newer version of the dependency.
Commit Watcher periodically polls projects for new commits and looks for matches against any of the keywords and phrases defined in the project’s rules. The rules include regular expressions for filenames, code patterns, comments, and author names. Commit Watcher comes with dozens of preconfigured rules that look for AWS credentials, Salesforce credentials, SSH keys, API tokens, and database dump files.
Jak: Encrypt your secrets in Git
It’s Developer 101 to keep secrets out of your code. Instead, you should keep them in a configuration file, then add the config file to the .gitignore list to prevent it from being committed to the code repository. Keys to connect to items like payment systems, emailers, and virtual machines, which have to be manually placed directly onto application servers, must be managed completely separately from the source code. This presents challenges when those keys need to be shared.
It’s a common enough scenario: One member of the team downloads the source code from the code repository and receives the keys via an out-of-band method, which might be as fast and loose as a plaintext email, chat message, USB stick, or sticky note. What if there was a way to keep these secrets with the source code in the repository so that they’re easy to share, but encrypted so that they were not exposed?
The Python project Jak tackles this problem by letting developers commit encrypted versions of sensitive files into Git. Instead of .gitignore, developers list sensitive files in a jakfile, and when it’s time to commit, Jak ensures that only the encrypted versions of the files wind up in the repository. Jak takes care of encrypting and decrypting the file as necessary, and it automatically generates and updates the encryption keys. Everything is handled on the command line, so developers don’t have to change windows when it’s time to encrypt a file before committing or decrypt a file after downloading it.
It may be too early for Jak to be used in production, but it’s a tool developers should become familiar with. The fact that security startup Dispel uses the tool internally and is the steward of the project may help ease concerns about the tool’s potential longevity.
Yara: Use pattern-matching to find trouble
Malware researchers like to use Yara, the open source project from VirusTotal’s Víctor Manuel Álvarez, to identify and classify malicious file samples. However, the “pattern-matching Swiss Army knife” can do much more than straight malware classification. It can also be useful as part of incident response and forensics investigations. You create rules—composed of text strings, hexadecimal values, or regular expressions—and Yara crawls through the suspicious directories and files looking for any matches. While scanning files is the most common usage, Yara can also use the rules to examine running processes.
By analyzing files with Yara, researchers from Kaspersky Lab and AlienVault were able to link the attackers who breached Sony to other attacks in Asia last year.
A common attack technique is to replace system files with imposters to establish a backdoor into the machine. One way to keep an eye on whether or not the system files are intact is to look at MD5 and SHA-1 hashes. Another is to set up Yara rules for multiple strings or values in the system files and regularly scan those files. If the scan fails to find matches, you know the files have been modified—time to investigate. If an attacker has been uploading copies of command shells to unknown locations, Yara can look for those copies.
In addition to the preconfigured rules and the rules you create, Yara can use the virus signature files of open source antivirus tool ClamAV, as well as the rule sets available from the community-maintained YaraRules repository. The repository has predefined rules for detecting known packers or flagging malicious processes, for example. It’s also possible to tap the VirusTotal private API to set up triggers when a file scanned in the environment matches a file that has been uploaded to VirusTotal’s malware database. Yara doesn’t have to be run from the command-line interface; it has a Python library to integrate it into Python scripts.
Able to spot unwelcome changes to files or detect tell-tale patterns (Social Security numbers, administrative credentials, and so on) in unwelcome places (like outgoing email attachments), Yara is a powerful tool with a seemingly endless number of uses. There are limits to signature-based detection, so it would be a bad idea to rely on Yara exclusively to find malicious files. But considering its flexibility, missing out on this tool would not be a good idea, either.
ProcFilter: Use pattern-matching to stop trouble
Yara is supremely helpful to forensics investigators and incident responders who want to analyze files after an infection. However, leveraging Yara to actively defend against known threats can be a challenge. ProcFilter, an open source project from GoDaddy, addresses this challenge for Windows environments. ProcFilter allows you to apply Yara rules to running processes, as well as block or log executables (and quarantine associated files) based on matches.
ProcFilter runs as a Windows service and integrates with Microsoft’s Event Tracing for Windows (ETW) API, so it can log its activities directly into Windows Event Log. The integration also means that ProcFilter can create rules with block, log, or quarantine values and take the appropriate actions when there is a match. ProcFilter can be configured to scan file and memory whenever processes are created or terminated, or whenever executable images are loaded.
ProcFilter isn’t designed to replace your antimalware solution, but to help you zero in on a specific, known threat—such as a phishing attack that has hit a peer organization. If the team there shares the Yara signature for the attack to help others avoid the same fate, you can use ProcFilter to find matches in incoming email messages and block those messages from being delivered. Or if you want to keep an eye out for booby-trapped Word, Excel, PowerPoint, and Adobe files, ProcFilter can look for and log all subprocesses spawned by those applications.
OSquery: Query the endpoint for system state
Imagine if locating malicious processes, rogue plugins, or software vulnerabilities in your Windows, MacOS, and Linux endpoints were a simple matter of writing a SQL query. That’s the idea behind OSquery, an open source tool from Facebook engineers that collects operating system information such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, and file hashes into a relational database. If you can write a SQL query, that’s all you need to get answers to security questions—no complex code required.
For example, the following query would find all processes listening on network ports:
SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;
This query would find anomalies in the Address Resolution Protocol (ARP) cache, which contains information about IP addresses and their resolved Ethernet physical addresses:
SELECT address, mac, COUNT (mac)AS mac_count FROM arp_cache GROUP BY mac HAVING COUNT(mac)>1;
That’s much simpler than coding it in Python. OSquery tackles an important problem in a straightforward and elegant way (earning our Technology of the Year award). The components include OSqueryi, an interactive shell that can be used with PowerShell, and OSqueryd, a daemon that performs low-level host monitoring and allows you to schedule queries.
There are many reasons why IT administrators may not be working with open source security tools, including concerns about maturity and support. More critical is the question of trust. Enterprises may be reluctant to rely on products from developers they know nothing about to protect their crown jewels.
The open source security projects on this list are backed by trusted names, and they should definitely be on your radar. Each of these tools addresses a specific security problem and leaves a limited footprint. It doesn’t hurt to give them a try. They could make a big difference in how you work—and the security of your environment.