journeys from logging towards managing clients for incident response
zentral
whoami
Henry Stamerjohann, consultant, systems engineer, Apfelwerk GmbH & Co. KG, Germany
@head_min
where are we going
• logging
• events
• tools
• zentral ?
zentral [zen-t-ral], adj.
• central
• centrally
• pivotal
• polar
open source tool to gather, process, and monitor events
basics
(diagram) Client management: Events, Computer Admin, Filter, Action, Tools; log, control, audit
aggregate system state, logs, and enforce management
logging
collect records, store event data
• system
• user
• applications
logging
• know about errors
• early warning of suspicious activity
• evidence to find what went wrong
• reduce event data with filtering
• aggregate/forward logs from multiple sources
logging (pre Sierra)
• examine system.log & other log files
• Apple System Logging facility (ASL), Syslog APIs
• error or status events
• system processes
tools like tail, grep for keyword search
syslog NOTE: Most system logs have moved to a new logging system. See log(1) for more information.
logging (in Sierra)
• new Unified Logging
• very little goes to system.log file now
• new Console.app and command line tool "log"
• logs stored in a compressed binary format
• different persistent settings configurable
log shipping not (yet) implemented
why ?
events are everything, and everything is events
Google Santa
• binary black-/whitelisting system for macOS
• keeps track of binaries in macOS
• event logging (hint: log aggregation)
• local-only rules or sync with server
• developed by Google
https://github.com/google/santa
• client mode MONITOR
• client mode LOCKDOWN (defaults deny)
• WhitelistRegex/BlacklistRegex for paths
• Zentral is a log & configuration server for Santa
full audit trail on binary executions
osquery
• ask questions about infrastructure
• query system state with simple SQL syntax
• low-level operating system analytics
• multi platform support (mac, linux, windows)
• developed by Facebook
https://osquery.io
• distributed queries
• file integrity monitoring
• osquery Packs
• import as feeds to Zentral
• Zentral is a log & configuration server for osquery
customize audit trail
ELK / Logstash + Beats
• log data aggregated from infrastructure
• traditional log collection (modernized approach)
• shipped to Logstash, ingested by Zentral
• multi platform support (mac, linux, windows)
• Logstash, Beats by Elastic
https://elastic.co
• Logstash ecosystem available
• ElasticSearch is the datastore for events in Zentral
• Kibana is used for event visualization
• full ELK stack is integrated in Zentral
centralized log events from infrastructure
Nagios / Icinga
• robust infrastructure monitoring
• traditional server monitoring
• uptime, downtime, and performance
• Nagios instances push host & service events to Zentral (event handlers)
infrastructure state monitoring
Inventory
• to link events with clients
• multiple inventory sources
• background sync
• push / pull
(diagram) Push inventory / Pull inventory: Munki, osquery, Santa; Zentral
(diagram) Zentral: gather, process, and monitor events; Events, Actions, Configuration, Inventory; sources: osquery, Santa, Munki
Zentral is an open hub for your deployed tools
Demo. Objective: connect inventory to Zentral
(Inventory, Events)
Scenario
• Filebeat log shipping already configured
• configure and use Jamf Webhooks
• create Events Probe w/ filter
• inspect client events & server logs
The scope of work goes beyond a single host; there are tons of engineering and security considerations.
Summary
• Jamf Pro connects with Zentral
• Jamf Webhooks push events to Zentral
• Filebeat aggregates logfile data from JSS
• Probe filters scope to specific events
combine endpoint events & server logs
Variations
Munki:
• Munki events from endpoints
• Logfile from MunkiRepo web-server
Jamf Pro:
• Logfiles from Jamf distribution points
Probes
Probes are
• filters
• configuration
• actions
Demo. Objective: osquery audit / compliance
(Events, Configuration, Actions)
Scenario
• remove MDM profile
• osquery Probe for change detection
• automate remediation
• review event history
Summary
• osquery detects config change on client
• Probe is triggered back by osquery
• Jamf group change action triggered by Zentral
• Jamf policy scoped for mitigation, re-installs MDM profile
audit trail for management frameworks
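The change-detection step of this demo and the osquery/Probe slides above, as an added example (not Zentral's or osquery's own code): a minimal probe that filters osqueryd differential result lines and reports which hosts need a remediation action. The sample lines are constructed in the shape osqueryd writes to its results log; the query name, profile identifier, host names and the action name are assumptions.

```python
import json

# Constructed sample: three osqueryd differential results. The MDM profile on
# mac-0042 disappears between two query runs, which osquery reports as a row
# with "action": "removed". The query name and column names are assumptions.
SAMPLE_RESULTS = "\n".join(json.dumps(e) for e in [
    {"name": "pack_compliance_mdm_profiles", "hostIdentifier": "mac-0042",
     "calendarTime": "Mon Mar 20 10:00:00 2017 UTC", "unixTime": 1490004000,
     "action": "added",
     "columns": {"identifier": "com.example.mdm", "display_name": "MDM Profile"}},
    {"name": "pack_compliance_mdm_profiles", "hostIdentifier": "mac-0042",
     "calendarTime": "Mon Mar 20 11:00:00 2017 UTC", "unixTime": 1490007600,
     "action": "removed",
     "columns": {"identifier": "com.example.mdm", "display_name": "MDM Profile"}},
    {"name": "pack_compliance_mdm_profiles", "hostIdentifier": "mac-0043",
     "calendarTime": "Mon Mar 20 11:00:01 2017 UTC", "unixTime": 1490007601,
     "action": "removed",
     "columns": {"identifier": "com.example.wifi", "display_name": "Wi-Fi"}},
])

# A probe is filters + actions (see the Probes slide). Dotted keys reach into
# nested JSON. "jamf_group_change" is a placeholder action name.
PROBE = {
    "filters": {"name": "pack_compliance_mdm_profiles",
                "action": "removed",
                "columns.identifier": "com.example.mdm"},
    "actions": ["jamf_group_change"],
}

def lookup(event, dotted_key):
    """Resolve a dotted key such as 'columns.identifier' against an event dict."""
    cur = event
    for part in dotted_key.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur

def matches(event, filters):
    """Every filter key must equal the event's value at that key."""
    return all(lookup(event, k) == v for k, v in filters.items())

def run_probe(raw_lines, probe):
    """Return (host, action) pairs for every result line the probe matches."""
    triggered = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue                      # skip blank lines in the log
        event = json.loads(line)
        if matches(event, probe["filters"]):
            triggered.extend((event["hostIdentifier"], a) for a in probe["actions"])
    return triggered
```

Only the removal on mac-0042 fires the action; the "added" row and the unrelated Wi-Fi profile removal are filtered out.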
Incident response
the quality of response can make a difference
• find weak spots
• search for more information
• not only focus on things that are broken
• look also at the big picture
• review change events over time
because incidents happen…
"To protect ourselves against the incompetent and the malignant… Be a sysadmin. What a life." @llauren
Demo. Objective: Control privileged accounts
(Events, Configuration, Actions)
Scenario
• User with admin privileges
• Santa in LOCKDOWN mode
• binary execution: defaults deny
Summary
• Santa config controlled by Zentral
• Santa blocks unknown binaries by default
• developer tools are usable and behave well
• admin privileges with security belt
control and monitor endpoints
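The Santa slides (MONITOR vs LOCKDOWN, WhitelistRegex/BlacklistRegex) and this demo, as one added example that is not Santa's or Zentral's code: a simplified model of the decision Santa makes per binary execution and the audit line it leaves behind. The evaluation order (hash rules, then BlacklistRegex, then WhitelistRegex, then the client mode as the default) is an assumption that leaves out certificate rules; the log format is only in the style of Santa's key=value lines, and all paths and hashes are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MONITOR, LOCKDOWN = 1, 2   # ClientMode values: 1 = MONITOR, 2 = LOCKDOWN

@dataclass
class SantaConfig:
    client_mode: int
    whitelist_regex: Optional[str] = None   # WhitelistRegex, matched on the path
    blacklist_regex: Optional[str] = None   # BlacklistRegex, matched on the path
    # constructed rule set: sha256 -> "WHITELIST" | "BLACKLIST" (synced from the server)
    rules: Dict[str, str] = field(default_factory=dict)

def decide(cfg: SantaConfig, path: str, sha256: str) -> Tuple[str, str]:
    """Return (decision, reason) for one execution. Assumed order: rules,
    BlacklistRegex, WhitelistRegex, then the mode decides unmatched binaries."""
    rule = cfg.rules.get(sha256)
    if rule == "BLACKLIST":
        return "DENY", "BINARY"
    if rule == "WHITELIST":
        return "ALLOW", "BINARY"
    if cfg.blacklist_regex and re.search(cfg.blacklist_regex, path):
        return "DENY", "SCOPE"
    if cfg.whitelist_regex and re.search(cfg.whitelist_regex, path):
        return "ALLOW", "SCOPE"
    if cfg.client_mode == LOCKDOWN:
        return "DENY", "UNKNOWN"     # LOCKDOWN: defaults deny
    return "ALLOW", "UNKNOWN"        # MONITOR: allowed, but still logged

def audit_line(cfg: SantaConfig, path: str, sha256: str, user: str) -> str:
    """Audit-trail line in the style of Santa's key=value log (subset of fields)."""
    decision, reason = decide(cfg, path, sha256)
    mode = "L" if cfg.client_mode == LOCKDOWN else "M"
    return (f"action=EXEC|decision={decision}|reason={reason}"
            f"|sha256={sha256}|user={user}|mode={mode}|path={path}")

if __name__ == "__main__":
    # the demo: admin user, LOCKDOWN, developer tools whitelisted by path
    cfg = SantaConfig(LOCKDOWN, whitelist_regex=r"^/Applications/Xcode\.app/")
    print(audit_line(cfg, "/Applications/Xcode.app/Contents/MacOS/Xcode", "ab" * 32, "alice"))
    print(audit_line(cfg, "/Users/alice/Downloads/unknown-tool", "cd" * 32, "alice"))
```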
Client Enrollment
• Settings
• download .pkg
Zentral
combine powerful existing tools to meet your operational requirements
deployment
simple Zentral all-in-one
• Amazon AWS (prod. / eval.)
• Google Cloud Services (prod. / eval.)
• Vagrant box (evaluation)
• VMware .ova (evaluation)
• docker-compose (dev. / eval.)
support options
(free) community support via github; paid support contract on request: [email protected]
• SaaS (cloud based service)
• professional services, custom development
• integration support (on premise)
• Munki manifests management (on request)
info & docs
GitHub: https://github.com/zentralopensource
Website: https://zentral.io
Tutorials: goo.gl/qsIVkl
Ebook: https://leanpub.com/zentral
workshops
We run 1/2 day workshops at some MacAdmin meetups in Europe during Q1/Q2 2017
talk to us
thank you !
Q & A