zentral london mac_ad_uk_2017
Journeys from logging towards managing clients for incident response
zentral
whoami
Henry Stamerjohann, consultant and systems engineer, Apfelwerk GmbH & Co. KG, Germany
@head_min
where are we going
• logging
• events
• tools
• zentral ?
zentral [zen-t-ral], adj.
• central
• centrally
• pivotal
• polar
open source tool to gather, process, and monitor events
basics
(diagram) Client management, Computer Admin, Tools; Events; Filter, Action; log, control, audit
aggregate system state, logs, and enforce management
logging
collect records, store event data
• system
• user
• applications
logging
• know about errors
• early warning of suspicious activity
• evidence to find what went wrong
• reduce event data with filtering
• aggregate/forward logs from multiple sources
logging (pre Sierra)
• examine system.log & other log files
• Apple System Logging facility (ASL), Syslog APIs
• error or status events
• system processes
tools like tail, grep for keyword search
syslog NOTE: Most system logs have moved to a new logging system. See log(1) for more information.
logging (in Sierra)
• new Unified Logging
• very little goes to the system.log file now
• new Console.app and command line tool "log"
• logs stored in a compressed binary format
• different persistent settings configurable
log shipping not (yet) implemented
why?
events are everything, and everything is events
Google Santa
Google Santa
• binary black-/whitelisting system for macOS
• keeps track of binaries in macOS
• event logging (hint: log aggregation)
• local-only rules or sync with server
• developed by Google
https://github.com/google/santa
Google Santa
• client mode MONITOR
• client mode LOCKDOWN (defaults deny)
• WhitelistRegex/BlacklistRegex for paths
• Zentral is a log & configuration server for Santa
full audit trail on binary executions
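What that audit trail looks like once the Santa decisions are aggregated centrally, as an added example (not Santa or Zentral code): a small parser for santad execution-decision log lines, with two defender-side views over them, the executions LOCKDOWN actually blocked and the executions MONITOR mode only allowed because no rule matched (the set LOCKDOWN would block, which is what you review before switching modes). It assumes the `key=value|key=value` line format santad writes (`action=EXEC`, `decision`, `reason`, `mode=M` or `L`); every line in SAMPLE_LOG is constructed for this illustration, not captured from a real host.

```python
"""Parse Santa execution-decision log lines into a structured audit trail.

Added example, not Santa or Zentral code. Assumes the santad key=value log
format ("action=EXEC|decision=...|reason=...|mode=M or L"); the lines in
SAMPLE_LOG are constructed for this illustration.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>\w) santad: (?P<fields>.*)$")

# Constructed sample records (hashes shortened, not real binaries).
SAMPLE_LOG = """\
[2017-02-07T10:00:01.000Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256=aaaa|path=/usr/local/bin/git|args=git status|pid=501|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=L
[2017-02-07T10:00:05.000Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=bbbb|path=/Users/alice/Downloads/installer|args=installer|pid=502|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=L
[2017-02-07T10:00:09.000Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=cccc|path=/Applications/Xcode.app/Contents/MacOS/Xcode|args=Xcode|pid=503|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=L
[2017-02-07T10:01:00.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=dddd|path=/tmp/build|args=build|pid=504|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
[2017-02-07T10:01:02.000Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256=aaaa|path=/usr/local/bin/git|args=git log|pid=505|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=L
"""


def parse_line(line):
    """Return one execution decision as a dict, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"timestamp": m.group("ts")}
    for pair in m.group("fields").split("|"):
        key, sep, value = pair.partition("=")
        if sep:
            event[key] = value
    if event.get("action") != "EXEC":
        return None  # e.g. DISKAPPEAR records are not execution decisions
    return event


def parse_log(text):
    """Parse a whole log text into a list of execution-decision events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def lockdown_denials(events):
    """Executions blocked while the client was in LOCKDOWN mode."""
    return [(e["user"], e["path"], e["sha256"]) for e in events
            if e.get("mode") == "L" and e.get("decision") == "DENY"]


def monitor_mode_unknowns(events):
    """Executions MONITOR mode allowed only because no rule matched.
    These are exactly what LOCKDOWN would deny, so they show which
    binaries still need a rule before the mode is switched."""
    return [(e["user"], e["path"], e["sha256"]) for e in events
            if e.get("mode") == "M" and e.get("reason") == "UNKNOWN"]


def decision_summary(events):
    """Count events per (mode, decision, reason) triple."""
    return Counter((e.get("mode"), e.get("decision"), e.get("reason")) for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for item in lockdown_denials(evs):
        print("denied in LOCKDOWN:", item)
    for item in monitor_mode_unknowns(evs):
        print("would be denied in LOCKDOWN:", item)
    print(decision_summary(evs))
```

Run it on a real santad log instead of SAMPLE_LOG and the `monitor_mode_unknowns` list is the rollout checklist for LOCKDOWN: every entry is a binary (or its signing certificate) that needs a rule, or a path to cover with WhitelistRegex, before users start seeing denials.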
osquery
osquery
• ask questions about infrastructure
• query system state with simple SQL syntax
• low-level operating system analytics
• multi platform support (mac, linux, windows)
• developed by Facebook
https://osquery.io
osquery
• distributed queries
• file integrity monitoring
• osquery Packs
• import as feeds to Zentral
• Zentral is a log & configuration server for osquery
customize audit trail
ELK / Logstash + Beats
• log data aggregated from infrastructure
• traditional log collection (modernized approach)
• shipped to Logstash, ingested by Zentral
• multi platform support (mac, linux, windows)
• Logstash, Beats by Elastic
https://elastic.co
ELK / Logstash + Beats
• Logstash ecosystem available
• ElasticSearch is the datastore for events in Zentral
• Kibana is used for event visualization
• full ELK stack is integrated in Zentral
centralized log events from infrastructure
Nagios / Icinga
• robust infrastructure monitoring
• traditional server monitoring
• uptime, downtime, and performance
• Nagios instances push host & service events to Zentral (event handlers)
infrastructure state monitoring
Inventory
Inventory: to link events with clients
• multiple inventory sources
• background sync
• push / pull
(diagram) Push inventory / Pull inventory: Munki, osquery, Santa, Zentral, ?
(diagram) Events, Actions: gather, process, and monitor events
(diagram) Events from osquery, Santa, Munki; Actions: gather, process, and monitor events
(diagram) Configuration (osquery, Santa, Munki), Inventory (osquery, Santa, Munki), Events (osquery, Santa, Munki); gather, process, and monitor events; Actions
Zentral is an open hub for your deployed tools
Demo objective: connect inventory to Zentral (Inventory, Events)
Scenario
• Filebeat log shipping already configured
• configure and use Jamf Webhooks
• create Events Probe w/ filter
• inspect client events & server logs
scope of work goes beyond a single host: there are tons of engineering and security considerations
Summary
• Jamf Pro connects with Zentral
• Jamf Webhooks push events to Zentral
• Filebeat aggregates logfile data from JSS
• Probe filters scope to specific events
combine endpoint events & server logs
Variations
Munki:
• Munki events from endpoints
• Logfile from MunkiRepo web-server
Jamf Pro:
• Logfiles from Jamf distribution points
Probes
Probes are
• filters
• configuration
• actions
Demo objective: osquery audit / compliance (Events, Configuration, Actions)
Scenario
• remove MDM profile
• osquery Probe for change detection
• automate remediation
• review event history
Summary
• osquery detects the config change on the client
• Probe is triggered by the osquery result
• Jamf group change action is triggered by Zentral
• Jamf policy scoped for mitigation re-installs the MDM profile
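How the two halves of this demo fit together, the osquery change detection and the probe (filters, configuration, actions) from the Probes slide, as an added example that is not osquery or Zentral code: osquery logs a scheduled query's results as a diff, one "added" entry per row that appeared since the previous run and one "removed" entry per row that vanished, and a probe is a set of filters applied to each such event plus the actions to run on a match. The code below computes that diff for two snapshots of a hypothetical profile-listing query, wraps it as osquery-style result records, and runs a probe whose filter is "this query, action removed" and whose action records the Jamf group change it would request. The query name, column names, host identifier and group name are constructed placeholders, and the Jamf action only returns the request it would make rather than calling any API.

```python
"""osquery-style differential change detection feeding a Zentral-style probe.

Added example, not osquery or Zentral code. Mirrors how osquery reports
scheduled-query results as "added"/"removed" diffs and how a probe applies
filters to an event and runs actions on a match. Query name, column names,
host identifier and Jamf group are constructed placeholders.
"""
import json
from dataclasses import dataclass


def diff_rows(previous, current):
    """Differential entries between two consecutive result sets, in the
    shape osquery uses: one entry per row that appeared or disappeared.
    Rows are compared as canonical JSON so column order does not matter."""
    prev = {json.dumps(r, sort_keys=True) for r in previous}
    cur = {json.dumps(r, sort_keys=True) for r in current}
    entries = [{"action": "added", "columns": json.loads(k)} for k in sorted(cur - prev)]
    entries += [{"action": "removed", "columns": json.loads(k)} for k in sorted(prev - cur)]
    return entries


def result_log_entries(query_name, host_identifier, previous, current):
    """Wrap diffs as result-log records carrying the query name and host."""
    return [{"name": query_name, "hostIdentifier": host_identifier, **d}
            for d in diff_rows(previous, current)]


@dataclass
class Probe:
    """A probe: filters that must all match an event, and actions to run."""
    name: str
    filters: list
    actions: list

    def matches(self, event):
        return all(f(event) for f in self.filters)

    def process(self, event):
        return [action(event) for action in self.actions] if self.matches(event) else []


def jamf_group_change_action(group_name):
    """Build an action that records the group membership change to request.
    Placeholder for a Zentral action that would call the Jamf API; it only
    returns the request it would make, so the flow can be tested offline."""
    def action(event):
        return {"action": "jamf_group_change", "host": event["hostIdentifier"],
                "group": group_name, "reason": event["columns"].get("identifier")}
    return action


# Constructed placeholder query name (not a real osquery pack or table).
MDM_QUERY = "pack/compliance/installed_profiles"

mdm_probe = Probe(
    name="mdm-profile-removed",
    filters=[lambda e: e["name"] == MDM_QUERY,
             lambda e: e["action"] == "removed"],
    actions=[jamf_group_change_action("mdm-remediation")],
)


def detect_and_remediate(previous, current, host="host-placeholder"):
    """Diff two snapshots, run the probe over each event, return triggered actions."""
    triggered = []
    for event in result_log_entries(MDM_QUERY, host, previous, current):
        triggered.extend(mdm_probe.process(event))
    return triggered


if __name__ == "__main__":
    # Constructed snapshots: the MDM profile is present, then gone.
    before = [{"identifier": "com.example.mdm", "display_name": "MDM enrollment"}]
    after = []
    print(detect_and_remediate(before, after))
```

The filter on `action == "removed"` is what keeps the remediation from firing on every run: a profile that is merely present produces no diff entry at all, and a profile being added is an "added" event that the probe ignores. Scoping the Jamf policy to the remediation group, as the summary describes, then turns the event history into a record of every host that lost the profile and when it was put back.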
audit trail for management frameworks
Incident response
because incidents happen…
the quality of response can make a difference
• find weak spots
• search for more information
• not only focus on things that are broken
• look also at the big picture
• review change events over time
@llauren: "To protect ourselves against the incompetent and the malignant… Be a sysadmin. What a life."
Demo objective: control privileged accounts (Events, Configuration, Actions)
Scenario
• User with admin privileges
• Santa in LOCKDOWN mode
• binary execution: defaults deny
Summary
• Santa config controlled by Zentral
• Santa blocks unknown binaries by default
• developer tools are usable and behave well
• admin privileges with security belt
control and monitor endpoints
Client Enrollment
• Settings
• download .pkg
Zentral
combine powerful existing tools to meet your operational requirements
deployment
deployment
simple Zentral all-in-one
• Amazon AWS (prod. / eval.)
• GoogleCloudServices (prod. / eval.)
• Vagrant box (evaluation)
• VMware .ova (evaluation)
• docker-compose (dev. / eval.)
support options
support options
(free) community support via GitHub; paid support contract on request: [email protected]
• SaaS (cloud based service)
• professional services, custom development
• integration support (on premise)
• Munki manifests management (on request)
info & docs
info & docs
GitHub: https://github.com/zentralopensource
Website: https://zentral.io
Tutorials: goo.gl/qsIVkl
Ebook: https://leanpub.com/zentral
workshops
We run 1/2 day workshops at some MacAdmin meetups in Europe during Q1/Q2 2017
talk to us
thank you!
Q & A