journeys from logging towards manage clients for incident response

zentral

@head_min

Henry Stamerjohann consultant, systems engineer Apfelwerk GmbH & Co. KG, Germany

whoami

where are we going• logging • events • tools • zentral ?

• central • centrally • pivotal • polar

[zen-t-ral], adj.zentral

open source tool to gather, process, and monitor events

basics

Client management

Events

Computer Admin

Filter Action

Tools

log controlaudit

aggregate system state, logs, and enforce management

collect records, store event data • system • user • applications

logging

• know about errors • early warning of suspicious activity • evidence to find what went wrong • reduce event data with filtering • aggregate/forward logs from multiple sources

logging

• examine system.log & other log files • Apple System Logging facility (ASL), Syslog APIs • error or status events • system processes

logging (pre Sierra)

tools like tail, grep for keyword search

syslog NOTE: Most system logs have moved to a new logging system. See log(1) for more information.

• new Unified Logging • very little goes to system.log file now • new Console.app and command line tool "log" • logs stored in a compressed binary format • different persistent settings configurable

logging (in Sierra)

log shipping not (yet) implemented

why ?

events are everything, and everything is events

Google Santa

• binary black-/whitelisting system for macOS • keeps track of binaries in macOS • event logging (hint: log aggregation) • local-only rules or sync with server • developed by Google

https://github.com/ google/santa

Google Santa

• client mode MONITOR • client mode LOCKDOWN (defaults deny) • WhitelistRegex/BlacklistRegex for paths • Zentral is a log & configuration server for Santa

Google Santa

full audit trail on binary executions

osquery

• ask questions about infrastructure • query system state with simple SQL syntax • low-level operating system analytics • multi platform support (mac, linux, windows) • developed by Facebook

https://osquery.io

osquery

• distributed queries • file integrity monitoring • osquery Packs

• import as feeds to Zentral • Zentral is a log & configuration server for osquery

osquery

customize audit trail

• log data aggregated from infrastructure • traditional log collection (modernized aproach) • shipped to Logstash, ingested by Zentral • multi platform support (mac, linux, windows) • Logstash, Beats by Elastic

https://elastic.co

ELK / Logstash + Beats

• Logstash ecosystem available • ElasticSearch is the datastore for events in Zentral • Kibana is used for event visualization • full ELK stack is integrated in Zentral

ELK / Logstash + Beats

centralized log events from infrastucture

• robust infrastructure monitoring • traditional server monitoring • uptime, downtime, and performance • Nagios instances push host & service events

to Zentral (event handlers)

Nagios / Icinga

infrastructure state monitoring

Inventory

Inventoryto link events with clients • multiple inventory sources • background sync • push / pull

Push inventory Pull inventory

Munki

osquery

Santa

Zentral

?

ActionsEventsgather, process,

and monitor events

Actions

Email

Events

osquery

Santa

Munkigather, process,

and monitor events

Configuration

osquery

Santa

Munki

osquery

Santa

Inventory

Munki

Munki

Events

osquery Santa

gather, process, and monitor

events

Email

Actions

Zentral is a open hub for your deployed tools

DemoObjective:connect inventory to Zentral

Inventory Events

Scenario• Filebeat log shipping already configured • configure and use Jamf Webhooks • create Events Probe w/ filter • inspect client events & server logs

scope of work goes beyond a single host there are tons of engineering and security considerations

Summary• Jamf Pro connects with Zentral

• Jamf Webhooks push events to Zentral

• Filebeat aggregates logfile data from JSS

• Probe filters scope to specific events

combine endpoint events & server logs

Munki: • Munki events from endpoints • Logfile from MunkiRepo web-server

Jamf Pro: • Logfiles from Jamf distribution points

Variations

Probes

Probes are • filters • configuration • actions

DemoObjective:osquery audit / compliance

Events Configuration Actions

Scenario• remove MDM profile • osquery Probe for change detection • automate remediation • review event history

Summary• osquery detect config change on client

• Probe is triggered back by osquery

• Jamf group change action trigger by Zentral

• Jamf policy scoped for mitigation, re-installs MDM profile

audit trail for management frameworks

Incident response

the quality of response can make a difference

• find weak spots • search for more information • not only focus on things that are broken • look also at the big picture • review change events over time

because incidents happen…

@llauren

To protect ourselves against the incompetent and the malignant…

Be a sysadmin. What a life.

DemoObjective:Control privileged accounts

Events Configuration Actions

Scenario• User with admin privileges • Santa in LOCKDOWN mode • binary execution: defaults deny

Summary• Santa config controlled by Zentral

• Santa blocks unknown binaries by default

• developer tools are usable and behave well

• admin privileges with security belt

control and monitor endpoints

Client Enrollment • Settings • download .pkg

Zentral

combine powerful existing tools to meet your operational requirements

deployment

simple Zentral all-in-one • Amazon AWS (prod. / eval.) • GoogleCloudServices (prod. / eval.) • Vagrant box (evaluation) • VMware .ova (evaluation) • docker-compose (dev. / eval.)

deployment

support options

(free) community support via github paid support contract on request: dev@zentral.io

• SaaS (cloud based service) • professional services, custom development • integration support (on premise) • Munki manifests management (on request)

support options

info & doku

GitHub: https://github.com/zentralopensource Website: https://zentral.io

Tutorials: goo.gl/qsIVkl Ebook: https://leanpub.com/zentral

info & doku

We run 1/2 day workshops at some MacAdmin meetups in Europe during Q1/Q2 2017

talk to us

workshops

thank you !

Q & A