Last active
June 21, 2018 16:30
Revisions
tbridge revised this gist
Nov 14, 2015. 1 changed file with 9 additions and 10 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,15 +1,15 @@ ## Continuous Monitoring in OS X Systems and Security ## **Dan Griggs**, cmdSecurity **Compromise of the device in inevitable**. We lock down devices, we break things for our users, we forbid them certain rights, and yet it still gets broken. **Continuous Monitoring** is necessary if breakage is inevitable. State change and state monitoring is critical. **Define** what is most sensitive about a system, **lock down** access to those components. **Moderately secure** the rest of the system for UX improvements. Watch for the vulnerability's end **result**, not the vulnerability. Create alerts for unusual behavior, and understand what your users **do** with their machines. `sudo bash` shouldn't ever happen, for example. @@ -27,11 +27,11 @@ Monitor *everything*, so you know when users are attempting to `sudo` out of bou STIGs and Guides only protect stuff you *know* about, not what you don't. ### XProtect & Gatekeeper - a Good Start. ### **XProtect** Signature-based, download from a sandboxed application. **Gatekeeper** is certificate based, and eval'd on first run. Validation, but not wholly singularly reliable. Not a comprehensive security solution. @@ -41,7 +41,7 @@ That doesn't mean they're NIST [National Vulnerability Database](https://nvd.nist.gov). 328 CVE Exploits *in the last 3 months*. And now, **System Integrity Protection**. SIP Validates your system and keeps them free from writes from sources that are not Apple. 
@@ -61,7 +61,6 @@ NIST Continuous Monitoring Guidelines. ### Q&A ### _SIP prevents some patching?_ Security is a double-edged sword. Tradeoff of SIP of non-static/static divide. Valid Concern, but there are ways to mitigate that risk. -
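Review bot: the opening sentence of the `@@ -1,15 +1,15 @@` hunk still reads "**Compromise of the device in inevitable**" after the italic-to-bold change; "in" should be "is", and since the line is already being touched for the markup change this revision is the natural place to fix it.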
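Review bot: "Validation, but not wholly singularly reliable" in the `@@ -27,11 +27,11 @@` hunk stacks two adverbs that say the same thing; "not solely reliable" or "not to be relied on alone" reads more clearly and keeps the point the hunk makes next, that XProtect and Gatekeeper are not a comprehensive security solution.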
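Review bot: two sentences in the `@@ -41,7 +41,7 @@` hunk need attention. "That doesn't mean they're NIST [National Vulnerability Database](https://nvd.nist.gov)." appears to have lost words between "they're" and the link, so the sentence no longer states what the 328 CVEs are meant to show; the author should restore the intended phrase. "SIP Validates your system and keeps them free from writes from sources that are not Apple." mixes singular and plural; "keeps it free" agrees with "your system".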
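Review bot: in the `@@ -61,7 +61,6 @@` hunk the Q&A answer "Tradeoff of SIP of non-static/static divide." is hard to parse as written (two "of" phrases with no verb); a short rewording such as "the tradeoff SIP makes between the static and non-static parts of the system" would help readers who were not at the talk, without changing what the speaker said.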
tbridge created this gist
Nov 14, 2015.
@@ -0,0 +1,85 @@ ## Continuous Monitoring in OS X Systems and Security ## *Dan Griggs*, cmdSecurity *Compromise of the device in inevitable*. We lock down devices, we break things for our users, we forbid them certain rights, and yet it still gets broken. *Continuous Monitoring* is necessary if breakage is inevitable. State change and state monitoring is critical. *Define* what is most sensitive about a system, *lock down* access to those components. *Moderately secure* the rest of the system for UX improvements. Watch for the vulnerability's end *result*, not the vulnerability. Create alerts for unusual behavior, and understand what your users *do* with their machines. `sudo bash` shouldn't ever happen, for example. Check the config file for sshd, look at the system binary command (sshd -T), examine logs centrally for config file change. Anatomy of a security decision. Stop users from running low-level systems config commands. Only allow designated management users to `sudo`. Users can still be admins and install stuff and change a few GUI settings. Monitor *everything*, so you know when users are attempting to `sudo` out of bounds. STIGs and Guides only protect stuff you *know* about, not what you don't. XProtect & Gatekeeper - a Good Start. *XProtect* Signature-based, download from a sandboxed application. *Gatekeeper* is certificate based, and eval'd on first run. Validation, but not wholly singularly reliable. Not a comprehensive security solution. Macs don't get viruses! If you're pedantic, that's probably true. That doesn't mean they're NIST [National Vulnerability Database](https://nvd.nist.gov). 328 CVE Exploits *in the last 3 months*. And now, *System Integrity Protection*. SIP Validates your system and keeps them free from writes from sources that are not Apple. 
### Tools You Can Use ### osquery(d) (Facebook) Tripwire OSXcollector (Yelp) chef Casper Suite SNORT santa (Google) SANS courses CIS Hardening Guides DoD STIGs NIST Continuous Monitoring Guidelines. ### Q&A ### _SIP prevents some patching?_ Security is a double-edged sword. Tradeoff of SIP of non-static/static divide. Valid Concern, but there are ways to mitigate that risk. _SIP Deactivate/Patch/Reactivate? Possible way to do system patches._ Maybe. But haven't tried. _How do you approach this for clients?_ What's normal? We use splunk for logging and regex for searching the logs. We take a lighter touch than the STIG to give the user some leeway. Anything we run through terminal, we collect and watch. osquery for launchagents and launchdaemons. Check out the [osquery video from PSU Mac Admins 2015](https://www.youtube.com/watch?v=arOO3UUedeA) _Centralized Logging?_ Splunk, universally. There's some tricks to doing this, but it's doable as SSL all-the-way from client back to central server. ### Next Meeting: December 12th, National Geographic, DC ###
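Review bot: in the `### Tools You Can Use ###` section of the `@@ -0,0 +1,85 @@` hunk the tool names run together on one line ("osquery(d) (Facebook) Tripwire OSXcollector (Yelp) chef Casper Suite SNORT santa (Google) SANS courses CIS Hardening Guides DoD STIGs NIST Continuous Monitoring Guidelines."); one item per line, or a bullet list, would make it readable and keep vendor attributions like "(Facebook)" and "(Yelp)" next to the right tool. Two smaller points in the same hunk: "Compromise of the device in inevitable" should read "is inevitable", and "it's doable as SSL all-the-way from client back to central server" in the centralized-logging answer reads better as "doable with SSL".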