12. logging
• know about errors
• early warning of suspicious activity
• evidence to find what went wrong
• reduce event data with filtering
• aggregate/forward logs from multiple sources
13. logging (pre Sierra)
• examine system.log & other log files
• Apple System Logging facility (ASL), Syslog APIs
• error or status events
• system processes
15. syslog
NOTE: Most system logs have moved
to a new logging system.
See log(1) for more information.
16. logging (in Sierra)
• new Unified Logging
• very little goes to the system.log file now
• new Console.app and command line tool "log"
• logs stored in a compressed binary format
• different persistence settings are configurable
21. Google Santa
• binary black-/whitelisting system for macOS
• keeps track of binaries on macOS
• event logging (hint: log aggregation)
• local-only rules or sync with a server
• developed by Google
https://github.com/google/santa
22. Google Santa
• client mode MONITOR
• client mode LOCKDOWN (default deny)
• WhitelistRegex/BlacklistRegex for paths
• Zentral is a log & configuration server for Santa
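Santa's event logging (slide 21) and the "reduce event data with filtering" and "aggregate" goals from slide 12 come together in a small probe-style filter. This is an added example, not code from the deck, from Santa or from Zentral; it assumes santad's pipe-delimited key=value line format (action=EXEC|decision=…|mode=M or L|path=…|args=…), and the sample lines and sha256 values are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample santad lines; the field layout is an assumption based on
# Santa's logging format (mode=L lockdown, mode=M monitor). Hashes are placeholders.
SAMPLE_LOG = """\
[2017-01-10T10:01:02.000Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|sha256=aaaa|pid=101|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=L|path=/usr/bin/ls|args=ls -la
[2017-01-10T10:01:05.000Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=bbbb|pid=102|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=L|path=/Users/alice/Downloads/tool|args=tool
[2017-01-10T10:01:09.000Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=bbbb|pid=103|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=L|path=/Users/alice/Downloads/tool|args=tool --help
[2017-01-10T10:02:00.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=cccc|pid=104|ppid=1|uid=502|user=bob|gid=20|group=staff|mode=M|path=/tmp/x|args=x
[2017-01-10T10:03:00.000Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=dddd|pid=105|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=L|path=/usr/local/bin/pipeline|args=sh -c a | b
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \w santad: (?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one santad line into a dict; None for lines that are not santad events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event: Dict[str, str] = {"ts": m.group("ts")}
    key = ""
    for field in m.group("kv").split("|"):
        if "=" in field:
            key, value = field.split("=", 1)
            event[key] = value
        elif key:
            # a "|" inside the trailing args value: re-attach it to the previous field
            event[key] += "|" + field
    return event


def denied_in_lockdown(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Probe-like filter: keep only executions denied while the client was in LOCKDOWN."""
    kept = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.get("action") == "EXEC" and ev.get("decision") == "DENY" and ev.get("mode") == "L":
            kept.append(ev)
    return kept


def aggregate_by_binary(events: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str], Dict]:
    """Reduce filtered events to one row per (sha256, path): hit count plus the users involved."""
    agg: Dict[Tuple[str, str], Dict] = {}
    for ev in events:
        row = agg.setdefault((ev.get("sha256", ""), ev.get("path", "")), {"count": 0, "users": set()})
        row["count"] += 1
        row["users"].add(ev.get("user", ""))
    return agg
```

A repeated DENY for the same hash from one user is usually a rule gap to review; the same hash denied for many users is a better candidate for a whitelist rule or a blacklist decision.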
25. osquery
• ask questions about infrastructure
• query system state with simple SQL syntax
• low-level operating system analytics
• multi platform support (mac, linux, windows)
• developed by Facebook
https://osquery.io
26. osquery
• distributed queries
• file integrity monitoring
• osquery Packs
• import as feeds to Zentral
• Zentral is a log & configuration server for osquery
29. ELK / Logstash + Beats
• log data aggregated from infrastructure
• traditional log collection (modernized approach)
• shipped to Logstash, ingested by Zentral
• multi platform support (mac, linux, windows)
• Logstash, Beats by Elastic
https://elastic.co
30. ELK / Logstash + Beats
• Logstash ecosystem available
• ElasticSearch is the datastore for events in Zentral
• Kibana is used for event visualization
• full ELK stack is integrated in Zentral
43. Scenario
• Filebeat log shipping already configured
• configure and use Jamf Webhooks
• create Events Probe w/ filter
• inspect client events & server logs
47. Summary
The scope of work goes beyond a single host; there are many engineering and security considerations.
• Jamf Pro connects with Zentral
• Jamf Webhooks push events to Zentral
• Filebeat aggregates logfile data from the JSS
• Probe filters scope to specific events
53. Scenario
• remove MDM profile
• osquery Probe for change detection
• automate remediation
• review event history
58. Summary
• osquery detects the config change on the client
• Probe is triggered by the osquery event
• Jamf group change action triggered by Zentral
• Jamf policy scoped for mitigation re-installs the MDM profile
61. because incidents happen…
the quality of response can make a difference
• find weak spots
• search for more information
• not only focus on things that are broken
• look also at the big picture
• review change events over time
64. Scenario
• User with admin privileges
• Santa in LOCKDOWN mode
• binary execution: default deny
71. Summary
• Santa config controlled by Zentral
• Santa blocks unknown binaries by default
• developer tools are usable and behave well
• admin privileges, but with a safety belt
79. support options
• (free) community support via GitHub
• paid support contract on request: dev@zentral.io
• SaaS (cloud based service)
• professional services, custom development
• integration support (on premise)
• Munki manifests management (on request)