<p><strong>Digital Forensics with Linux – Practical Techniques – Part 18</strong></p>
<p>Published 2025-03-12 at https://www.ethicalhacker.com.br/site/2025/03/exploits/forense-digital-com-linux-tecnicas-praticas-parte-18/</p>

<p><strong>Forensic Analysis with the ELK Stack on Docker: Monitoring changes on the Rocky Linux 9 distro</strong></p>
<p>Digital forensic analysis on modern systems requires robust tools to collect, process and visualise large volumes of data. The <strong>ELK Stack</strong> (Elasticsearch, Logstash and Kibana) is a powerful solution for monitoring and analysing logs and events in real time. In this article we explore how to set up the ELK Stack on Docker on a Rocky Linux 9 system and use it to identify suspicious changes, such as files created or deleted, modifications to directories and tampered logs.</p>

<p><strong>1. Introduction to the scenario</strong></p>
<p>Imagine a Rocky Linux 9 server that is showing anomalous behaviour, such as high resource usage, unknown files or inconsistent logs. The goal is to use the ELK Stack to:</p>
<ul>
<li>Collect system logs and audit events.</li>
<li>Identify files that were created, modified or deleted.</li>
<li>Monitor changes in critical directories.</li>
<li>Visualise and correlate events in real time.</li>
</ul>

<p><strong>2. Setting up Docker on Rocky Linux 9</strong></p>
<p>Before installing the ELK Stack, Docker must be set up on Rocky Linux 9.</p>

<p><strong>2.1. Installing Docker</strong></p>
<p>Run the following commands to install Docker:</p>
<pre># dnf config-manager is provided by dnf-plugins-core
sudo dnf install dnf-plugins-core
sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
sudo systemctl enable docker</pre>

<p><strong>2.2. Installing Docker Compose</strong></p>
<p>Docker Compose makes container orchestration easier. Install it with:</p>
<pre>sudo dnf install docker-compose-plugin</pre>
<p>The plugin provides the <code>docker compose</code> subcommand (with a space); it does not install the old standalone <code>docker-compose</code> binary.</p>

<p><strong>3. Setting up the ELK Stack on Docker</strong></p>
<p>The ELK Stack can be deployed quickly with a <code>docker-compose.yml</code> file.</p>

<p><strong>3.1. Creating the <code>docker-compose.yml</code> file</strong></p>
<p>Create a file named <code>docker-compose.yml</code> with the following content:</p>
<pre>services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.7.0
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      # Elasticsearch 8.x enables authentication and TLS by default. The Logstash
      # and Kibana settings used in this article assume security is off, which is
      # acceptable only on an isolated lab host; re-enable it anywhere else.
      - xpack.security.enabled=false
    ports:
      # Only Logstash and Kibana (on the elk network) need Elasticsearch, so the
      # unauthenticated API is bound to the host's loopback interface only.
      - "127.0.0.1:9200:9200"
    networks:
      - elk

  logstash:
    image: docker.elastic.co/logstash/logstash:8.7.0
    container_name: logstash
    # audit.log is owned by root with mode 0600, so the pipeline must run as root
    user: root
    # Rocky Linux 9 enforces SELinux; without this the container cannot read the
    # host's audit log. Do not use the :z option on /var/log/audit instead, as it
    # relabels system files.
    security_opt:
      - label:disable
    volumes:
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro
      # the host's audit log, read by the file input in logstash.conf
      - /var/log/audit:/var/log/audit:ro
    ports:
      - "5044:5044"
    networks:
      - elk
    depends_on:
      - elasticsearch

  kibana:
    image: docker.elastic.co/kibana/kibana:8.7.0
    container_name: kibana
    ports:
      - "5601:5601"
    networks:
      - elk
    depends_on:
      - elasticsearch

networks:
  elk:
    driver: bridge</pre>

<p><strong>3.2. Configuring Logstash</strong></p>
<p>Create a <code>logstash.conf</code> file that defines the log collection pipeline. Lines in <code>audit.log</code> have the form <code>type=SYSCALL msg=audit(1741744200.123:4567): arch=... syscall=257 ... key="etc_changes"</code>, i.e. a record type, a timestamp and serial number, and then <code>key=value</code> pairs; they are not syslog lines, so the pipeline parses that layout and turns the pairs into fields:</p>
<pre>input {
  file {
    path => "/var/log/audit/audit.log"
    # with start_position "beginning" and no sincedb, the whole file is
    # re-ingested every time Logstash restarts (fine for a lab, duplicates otherwise)
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  # split the record into its type, the event timestamp/serial and the body
  grok {
    match => { "message" => "^type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{INT:audit_serial}\): %{GREEDYDATA:audit_body}" }
  }
  # turn the key=value body into fields such as key, syscall, success, uid, auid,
  # exe, comm (SYSCALL records) and name, nametype (PATH records)
  kv {
    source => "audit_body"
    field_split => " "
    value_split => "="
    trim_value => '"'
    remove_field => ["audit_body"]
  }
  # PATH records say what happened to the object; map that to event.action.
  # Under a "-p wa" watch, NORMAL means the object was written to or had its
  # attributes changed.
  if [audit_type] == "PATH" {
    if [nametype] == "CREATE" {
      mutate { add_field => { "[event][action]" => "created" } }
    } else if [nametype] == "DELETE" {
      mutate { add_field => { "[event][action]" => "deleted" } }
    } else if [nametype] == "NORMAL" {
      mutate { add_field => { "[event][action]" => "modified" } }
    }
  }
  # use the kernel's event time rather than the ingestion time
  date {
    match => ["audit_epoch", "UNIX"]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "audit-logs-%{+YYYY.MM.dd}"
  }
}</pre>

<p><strong>3.3. Starting the ELK Stack</strong></p>
<p>Elastic's Docker documentation recommends raising <code>vm.max_map_count</code> to at least 262144 on the host (<code>sudo sysctl -w vm.max_map_count=262144</code>) before starting Elasticsearch. Then run the following command to start the containers:</p>
<pre>sudo docker compose up -d</pre>

<p><strong>4. Collecting and analysing audit logs</strong></p>
<p>Rocky Linux 9 uses <code>auditd</code> to record system events. We will configure <code>auditd</code> to monitor changes to files and directories.</p>

<p><strong>4.1. Configuring audit rules</strong></p>
<p>Add rules to monitor changes in critical directories:</p>
<pre>sudo auditctl -w /etc -p wa -k etc_changes
sudo auditctl -w /var/log -p wa -k log_changes
sudo auditctl -w /home -p wa -k home_changes
# Rules added with auditctl are lost at reboot. To keep them, put the same
# "-w ... -p wa -k ..." lines in /etc/audit/rules.d/forensics.rules and run:
sudo augenrules --load</pre>
<ul>
<li><strong><code>-w</code>:</strong> sets the directory to watch.</li>
<li><strong><code>-p wa</code>:</strong> records writes (<code>w</code>) and attribute changes (<code>a</code>). Reads are not recorded; add <code>r</code> if read access must be audited, at the cost of a much higher event volume.</li>
<li><strong><code>-k</code>:</strong> sets a key that identifies the rule in the resulting records.</li>
</ul>

<p><strong>4.2. Viewing logs in Kibana</strong></p>
<p>Open Kibana at <code>http://&lt;SERVER_IP&gt;:5601</code> and create a data view (called an index pattern in older versions) matching the audit log indices (<code>audit-logs-*</code>). Use Discover to view and filter events such as:</p>
<ul>
<li>Files created or modified.</li>
<li>File deletions.</li>
<li>Unauthorised access.</li>
</ul>

<p><strong>5. Identifying suspicious changes</strong></p>
<p>With the ELK Stack configured, it is possible to identify patterns of malicious activity. Note how <code>auditd</code> writes its data: one event becomes several records (<code>SYSCALL</code>, <code>CWD</code>, <code>PATH</code>) that share the same <code>audit_serial</code>. The rule key, the acting user (<code>auid</code>, <code>uid</code>), the program (<code>exe</code>, <code>comm</code>) and whether the call succeeded (<code>success</code>) are on the <code>SYSCALL</code> record; the affected path (<code>name</code>) and the derived <code>event.action</code> are on the <code>PATH</code> records. Filter on one side and pivot on <code>audit_serial</code> to see the other.</p>

<p><strong>5.1. Files created or modified</strong></p>
<p>Filter events with the key <code>etc_changes</code> to identify changes in <code>/etc</code>, then look at the <code>PATH</code> records of the same events to see which files were created or modified:</p>
<pre>key: "etc_changes"
event.action: "created" OR event.action: "modified"</pre>

<p><strong>5.2. File deletions</strong></p>
<p>Search for deletions under <code>/var/log</code>; the <code>SYSCALL</code> record with the same <code>audit_serial</code> carries <code>key: "log_changes"</code> and the program that removed the file:</p>
<pre>event.action: "deleted" AND name: *</pre>

<p><strong>5.3. Unauthorised access</strong></p>
<p>Identify attempts to change files in home directories. Denied attempts are recorded too, with <code>success: "no"</code>, and <code>auid</code> shows the login user behind the attempt even after a switch to another account:</p>
<pre>key: "home_changes" AND success: "no"</pre>

<p><strong>6. Visualising data in Kibana</strong></p>
<p>Kibana lets you build interactive dashboards to monitor activity in real time. For example:</p>
<ul>
<li>Charts of events per hour.</li>
<li>A heat map of the monitored directories.</li>
<li>Alerts for suspicious activity.</li>
</ul>

<p><strong>Conclusion</strong></p>
<p>The ELK Stack is a powerful solution for forensic analysis, allowing logs to be collected, processed and visualised in real time. By setting up the ELK Stack on Docker and integrating it with <code>auditd</code> on Rocky Linux 9, it is possible to monitor suspicious changes, such as files created, modified or deleted, and to identify malicious activity efficiently.</p>
<p>However, forensic analysis requires a comprehensive approach: always validate results with multiple tools and document all evidence to guarantee the integrity of the process.</p>

<p><strong>Bibliographic References</strong></p>
<ul>
<li>Elastic. (2023). <em>Official Elasticsearch Documentation</em>. Available at: <a href="https://www.elastic.co/guide" target="_blank" rel="noopener noreferrer">https://www.elastic.co/guide</a>.</li>
<li>Nikkel, B. (2021). <em>Practical Linux Forensics: A Guide for Digital Investigators</em>. No Starch Press.</li>
<li>Rocky Linux Documentation. (2023). <em>Official Rocky Linux Documentation</em>. Available at: <a href="https://docs.rockylinux.org/" target="_blank" rel="noopener noreferrer">https://docs.rockylinux.org</a>.</li>
</ul>
<p>These works provide in-depth technical background on the ELK Stack, forensic analysis and Rocky Linux system administration, complementing the practical examples in this article.</p>