Zentral london mac_ad_uk_2017

Zentral is a framework to gather, process, and monitor system events and link them to an inventory.

  1. zentral: journeys from logging towards managing clients for incident response
  2. whoami: Henry Stamerjohann (@head_min), consultant, systems engineer, Apfelwerk GmbH & Co. KG, Germany
  3. where are we going: • logging • events • tools • zentral ?
  4. zentral [zen-t-ral], adj.: • central • centrally • pivotal • polar
  5. open source tool to gather, process, and monitor events
  6. basics
  7. (diagram) Client management: Computer, Events, Filter, Action, Admin; Tools: log, audit, control
  8. aggregate system state, logs, and enforce management
  9. logging: collect records, store event data • system • user • applications
  10. logging: • know about errors • early warning of suspicious activity • evidence to find what went wrong • reduce event data with filtering • aggregate/forward logs from multiple sources
  11. logging (pre Sierra): • examine system.log & other log files • Apple System Logging facility (ASL), Syslog APIs • error or status events • system processes
  12. tools like tail, grep for keyword search
  13. syslog: NOTE: Most system logs have moved to a new logging system. See log(1) for more information.
  14. logging (in Sierra): • new Unified Logging • very little goes to the system.log file now • new Console.app and command line tool "log" • logs stored in a compressed binary format • different persistence settings configurable
  15. log shipping not (yet) implemented
  16. why ?
  17. events are everything, and everything is events
  18. Google Santa
  19. Google Santa: • binary black-/whitelisting system for macOS • keeps track of binaries in macOS • event logging (hint: log aggregation) • local-only rules or sync with server • developed by Google https://github.com/google/santa
  20. Google Santa: • client mode MONITOR • client mode LOCKDOWN (default deny) • WhitelistRegex/BlacklistRegex for paths • Zentral is a log & configuration server for Santa
  21. full audit trail on binary executions
  22. osquery
  23. osquery: • ask questions about infrastructure • query system state with simple SQL syntax • low-level operating system analytics • multi platform support (mac, linux, windows) • developed by Facebook https://osquery.io
  24. osquery: • distributed queries • file integrity monitoring • osquery Packs • import as feeds to Zentral • Zentral is a log & configuration server for osquery
  25. customize audit trail
  26. ELK / Logstash + Beats: • log data aggregated from infrastructure • traditional log collection (modernized approach) • shipped to Logstash, ingested by Zentral • multi platform support (mac, linux, windows) • Logstash, Beats by Elastic https://elastic.co
  27. ELK / Logstash + Beats: • Logstash ecosystem available • Elasticsearch is the datastore for events in Zentral • Kibana is used for event visualization • full ELK stack is integrated in Zentral
  28. centralized log events from infrastructure
  29. Nagios / Icinga: • robust infrastructure monitoring • traditional server monitoring • uptime, downtime, and performance • Nagios instances push host & service events to Zentral (event handlers)
  30. infrastructure state monitoring
  31. Inventory
  32. Inventory to link events with clients: • multiple inventory sources • background sync • push / pull
  33. (diagram) Push inventory / Pull inventory: Munki, osquery, Santa, Zentral, ?
  34. (diagram) Events → Actions: gather, process, and monitor events
  35. (diagram) Events (osquery, Santa, Munki) → Actions (Email): gather, process, and monitor events
  36. (diagram) Configuration (osquery, Santa, Munki), Inventory (Munki, osquery, Santa), Events (osquery, Santa, Munki) → Actions (Email): gather, process, and monitor events
  37. Zentral is an open hub for your deployed tools
  38. Demo. Objective: connect inventory to Zentral (Inventory, Events)
  39. Scenario: • Filebeat log shipping already configured • configure and use Jamf Webhooks • create Events Probe w/ filter • inspect client events & server logs
  40. Summary: • Jamf Pro connects with Zentral • Jamf Webhooks push events to Zentral • Filebeat aggregates logfile data from the JSS • Probe filters scope to specific events. The scope of work goes beyond a single host; there are tons of engineering and security considerations.
  41. combine endpoint events & server logs
  42. Variations: Munki: • Munki events from endpoints • logfile from the MunkiRepo web server. Jamf Pro: • logfiles from Jamf distribution points
  43. Probes
  44. Probes are: • filters • configuration • actions
  45. Demo. Objective: osquery audit / compliance (Events, Configuration, Actions)
  46. Scenario: • remove MDM profile • osquery Probe for change detection • automate remediation • review event history
  47. Summary: • osquery detects the config change on the client • the osquery event triggers the Probe • Zentral triggers a Jamf group change action • a Jamf policy scoped for mitigation re-installs the MDM profile
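The probe model of slides 43-47 (filters, configuration, actions, run over osquery change events and linked to the inventory) as an added example. This is illustration code written for this page, not Zentral's own implementation. Everything specific is an assumption: the query name "pack/zentral-mdm/profiles", the result column names, the inventory records, the host identifiers and the Jamf group name are constructed; the two osquery result shapes handled (per-row events carrying "action", and batched "diffResults") are the formats osquery's result logger writes.

```python
"""Added example, not Zentral's code: a minimal "probe" (filters + configuration
+ actions) run over osquery differential result logs, reproducing the demo
scenario: the MDM profile is removed on a client, the probe fires, and a
remediation action is emitted.  Query name, column names, inventory records
and the Jamf group name are assumptions constructed for this example."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Inventory: the link from an event to a client (constructed sample records).
INVENTORY: Dict[str, dict] = {
    "C02ABCDEFGH1": {"serial": "C02ABCDEFGH1", "jamf_id": 17, "user": "alice"},
    "C02ABCDEFGH2": {"serial": "C02ABCDEFGH2", "jamf_id": 18, "user": "bob"},
}

# osquery result log, one JSON document per line (constructed sample).
# Line 1: profile installed; line 2: the MDM profile removed on host 1;
# line 3: an unrelated profile removed on host 2; line 4: batched
# "diffResults" format from a host that is not in the inventory.
OSQUERY_LOG = """\
{"name":"pack/zentral-mdm/profiles","hostIdentifier":"C02ABCDEFGH1","unixTime":1490000000,"action":"added","columns":{"identifier":"com.example.mdm","display_name":"MDM Profile"}}
{"name":"pack/zentral-mdm/profiles","hostIdentifier":"C02ABCDEFGH1","unixTime":1490000600,"action":"removed","columns":{"identifier":"com.example.mdm","display_name":"MDM Profile"}}
{"name":"pack/zentral-mdm/profiles","hostIdentifier":"C02ABCDEFGH2","unixTime":1490000600,"action":"removed","columns":{"identifier":"com.example.wifi","display_name":"Wi-Fi"}}
{"name":"pack/zentral-mdm/profiles","hostIdentifier":"UNKNOWN-HOST","unixTime":1490000700,"diffResults":{"added":[],"removed":[{"identifier":"com.example.mdm","display_name":"MDM Profile"}]}}
"""


def parse_osquery_results(text: str) -> Iterable[dict]:
    """Yield one normalized event per result row, expanding batched diffResults."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        doc = json.loads(line)
        base = {"source": "osquery", "query": doc["name"],
                "host": doc["hostIdentifier"], "time": doc.get("unixTime")}
        if "diffResults" in doc:
            for action in ("added", "removed"):
                for row in doc["diffResults"].get(action, []):
                    yield dict(base, action=action, columns=row)
        else:
            yield dict(base, action=doc["action"], columns=doc["columns"])


@dataclass
class Probe:
    name: str
    filters: List[Callable[..., bool]]   # every filter must match the event
    actions: List[Callable[..., dict]]   # (probe, event, machine) -> result


def run_probe(probe: Probe, events: Iterable[dict], inventory: Dict[str, dict]) -> List[dict]:
    """Return the action results.  Events from hosts that cannot be linked to
    the inventory are reported as alerts rather than remediated blindly."""
    results = []
    for ev in events:
        if not all(f(ev) for f in probe.filters):
            continue
        machine = inventory.get(ev["host"])
        if machine is None:
            results.append({"probe": probe.name, "action": "alert", "host": ev["host"],
                            "detail": "matching event from host not in inventory"})
            continue
        results.extend(act(probe, ev, machine) for act in probe.actions)
    return results


def jamf_group_action(group_name: str):
    """Action factory: record a Jamf static-group membership change so a policy
    scoped to that group re-installs the profile (group name is an assumption)."""
    def action(probe: Probe, ev: dict, machine: dict) -> dict:
        return {"probe": probe.name, "action": "jamf_static_group_add",
                "group": group_name, "jamf_id": machine["jamf_id"],
                "serial": machine["serial"], "time": ev["time"]}
    return action


MDM_PROBE = Probe(
    name="mdm_profile_removed",
    filters=[
        lambda ev: ev["source"] == "osquery",
        lambda ev: ev["query"] == "pack/zentral-mdm/profiles",
        lambda ev: ev["action"] == "removed",
        lambda ev: ev["columns"].get("identifier") == "com.example.mdm",
    ],
    actions=[jamf_group_action("reinstall-mdm-profile")],
)


def demo() -> List[dict]:
    return run_probe(MDM_PROBE, parse_osquery_results(OSQUERY_LOG), INVENTORY)


if __name__ == "__main__":
    for r in demo():
        print(json.dumps(r))
```

Run on the constructed log this yields one remediation (host 1, Jamf id 17) and one alert for the host missing from the inventory; the "added" row and the unrelated profile removal are filtered out. The inventory check is the point of slide 32: an action that changes group membership in Jamf should only fire for a machine the server can actually identify.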
  48. audit trail for management frameworks
  49. Incident response
  50. because incidents happen… the quality of response can make a difference: • find weak spots • search for more information • not only focus on things that are broken • look also at the big picture • review change events over time
  51. @llauren: "To protect ourselves against the incompetent and the malignant… Be a sysadmin. What a life."
  52. Demo. Objective: control privileged accounts (Events, Configuration, Actions)
  53. Scenario: • user with admin privileges • Santa in LOCKDOWN mode • binary execution: default deny
  54. Summary: • Santa config controlled by Zentral • Santa blocks unknown binaries by default • developer tools are usable and behave well • admin privileges with a security belt
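What "default deny" in LOCKDOWN mode means for the executions in this demo, and how the MONITOR/LOCKDOWN modes and path regexes of slides 19-20 combine, as an added example. This is a simplified Python model written for this page, not Santa's or Zentral's code: Santa's real policy lives in santad, and only the order modelled here (explicit binary rule, then certificate rule, then BlacklistRegex/WhitelistRegex on the path, then the client mode for anything still unknown) follows Santa's documented rule precedence. The hashes, paths, certificate and regexes are constructed, and the audit line uses a reduced field set in the style of Santa's log.

```python
"""Added example, not Santa's or Zentral's code: a simplified model of the
decision Santa makes per execution (binary rule > certificate rule > path
regex > client mode), with constructed hashes, paths and regexes."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MONITOR, LOCKDOWN = "MONITOR", "LOCKDOWN"


@dataclass
class SantaConfig:
    client_mode: str = MONITOR
    binary_rules: Dict[str, str] = field(default_factory=dict)  # sha256 -> WHITELIST|BLACKLIST
    cert_rules: Dict[str, str] = field(default_factory=dict)    # signing cert sha256 -> WHITELIST|BLACKLIST
    whitelist_regex: Optional[str] = None
    blacklist_regex: Optional[str] = None


@dataclass
class Execution:
    path: str
    sha256: str
    cert_sha256: Optional[str] = None


def decide(cfg: SantaConfig, ex: Execution) -> Tuple[str, str]:
    """Return (decision, reason): decision is ALLOW or BLOCK; reason mirrors the
    reason= values Santa writes to its log (BINARY, CERT, SCOPE, UNKNOWN)."""
    rule = cfg.binary_rules.get(ex.sha256)
    if rule == "BLACKLIST":
        return "BLOCK", "BINARY"
    if rule == "WHITELIST":
        return "ALLOW", "BINARY"
    if ex.cert_sha256 is not None:
        rule = cfg.cert_rules.get(ex.cert_sha256)
        if rule == "BLACKLIST":
            return "BLOCK", "CERT"
        if rule == "WHITELIST":
            return "ALLOW", "CERT"
    if cfg.blacklist_regex and re.search(cfg.blacklist_regex, ex.path):
        return "BLOCK", "SCOPE"
    if cfg.whitelist_regex and re.search(cfg.whitelist_regex, ex.path):
        return "ALLOW", "SCOPE"
    # Nothing is known about this binary: the client mode decides.
    if cfg.client_mode == LOCKDOWN:
        return "BLOCK", "UNKNOWN"
    return "ALLOW", "UNKNOWN"


def audit_line(cfg: SantaConfig, ex: Execution, user: str) -> str:
    """Render the decision as one audit-trail line in the pipe-separated
    key=value style of Santa's execution log (reduced field set)."""
    decision, reason = decide(cfg, ex)
    mode = "L" if cfg.client_mode == LOCKDOWN else "M"
    return (f"action=EXEC|decision={decision}|reason={reason}|sha256={ex.sha256}"
            f"|user={user}|mode={mode}|path={ex.path}")


# Constructed configuration for the privileged-accounts demo: lockdown mode,
# the Xcode bundle whitelisted by path so developer tools keep working, one
# trusted signing certificate, and one known-bad hash blacklisted.
DEMO_CONFIG = SantaConfig(
    client_mode=LOCKDOWN,
    binary_rules={"bad0" * 16: "BLACKLIST"},
    cert_rules={"c0" * 32: "WHITELIST"},
    whitelist_regex=r"^/Applications/Xcode\.app/",
)

# Constructed executions by an admin user: a signed system binary, Xcode,
# an unknown download, and a blacklisted binary that carries a trusted cert.
DEMO_EXECUTIONS = [
    ("alice", Execution("/usr/bin/ls", "a1" * 32, cert_sha256="c0" * 32)),
    ("alice", Execution("/Applications/Xcode.app/Contents/MacOS/Xcode", "b2" * 32)),
    ("alice", Execution("/Users/alice/Downloads/installer", "d3" * 32)),
    ("alice", Execution("/tmp/cracker", "bad0" * 16, cert_sha256="c0" * 32)),
]


def demo(cfg: SantaConfig = DEMO_CONFIG):
    """Decide every constructed execution; returns [(path, decision, reason)]."""
    return [(ex.path,) + decide(cfg, ex) for _, ex in DEMO_EXECUTIONS]


if __name__ == "__main__":
    for user, ex in DEMO_EXECUTIONS:
        print(audit_line(DEMO_CONFIG, ex, user))
```

Under LOCKDOWN the unknown download is blocked and the blacklisted hash stays blocked even though its certificate is trusted, while ls and Xcode run; switch the same configuration to MONITOR and the download is allowed but still logged with reason UNKNOWN, which is the audit trail of slide 21. A path whitelist is the weakest of the three controls, since an admin can copy a binary into a whitelisted directory; the hash and certificate rules are what actually hold.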
  55. control and monitor endpoints
  56. Client Enrollment: • Settings • download .pkg
  57. Zentral
  58. combine powerful existing tools to meet your operational requirements
  59. deployment
  60. deployment: simple Zentral all-in-one • Amazon AWS (prod. / eval.) • Google Cloud Services (prod. / eval.) • Vagrant box (evaluation) • VMware .ova (evaluation) • docker-compose (dev. / eval.)
  61. support options
  62. support options: (free) community support via GitHub; paid support contract on request: dev@zentral.io • SaaS (cloud based service) • professional services, custom development • integration support (on premise) • Munki manifests management (on request)
  63. info & docs
  64. info & docs: GitHub: https://github.com/zentralopensource Website: https://zentral.io Tutorials: goo.gl/qsIVkl Ebook: https://leanpub.com/zentral
  65. workshops: We run 1/2 day workshops at some MacAdmin meetups in Europe during Q1/Q2 2017. Talk to us!
  66. thank you !
  67. Q & A
