Continuous Monitoring in OS X Systems and Security
Dan Griggs, cmdSecurity
Compromise of the device is inevitable. We lock down devices, we break things for our users, we forbid them certain rights, and yet they still get compromised.
Continuous monitoring is necessary if breakage is inevitable. State change and state monitoring are critical. Define what is most sensitive about a system and lock down access to those components; secure the rest of the system moderately, trading some hardening for usability.
Watch for the vulnerability's end result, not the vulnerability.
Create alerts for unusual behavior, and understand what your users do with their machines.
sudo bash should never happen, for example.
Check the sshd config file, compare it with the effective configuration the binary reports (sshd -T), and examine logs centrally for config file changes.
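The config-file check above, as an added example that is not from the talk: a baseline sshd configuration is compared directive by directive with the current one, and any drift is printed and signalled by the exit status. Both configs are constructed inline so the script runs anywhere; on a real host the current side would be /etc/ssh/sshd_config or, better, the output of sshd -T, in which case capture the baseline the same way, since sshd -T prints lowercase keywords and every default.

```shell
#!/bin/sh
# Added example (not from the talk): detect sshd configuration drift by
# comparing directives in a known-good baseline against the current config.
set -u
export LC_ALL=C   # sort and join must agree on collation

# Constructed baseline and "current" configs (hypothetical content).
BASELINE="$(mktemp)"; CURRENT="$(mktemp)"
cat >"$BASELINE" <<'EOF'
# baseline sshd_config (constructed)
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups ssh-users
LogLevel VERBOSE
EOF
cat >"$CURRENT" <<'EOF'
# current sshd_config (constructed): passwords and root login re-enabled
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowGroups ssh-users
LogLevel VERBOSE
PermitEmptyPasswords yes
EOF

# Normalize a config: drop comments and blank lines, lowercase the keyword
# (sshd keywords are case-insensitive), emit "keyword<TAB>value", sorted.
normalize() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
    | awk '{ k = tolower($1); $1 = ""; sub(/^ +/, ""); print k "\t" $0 }' \
    | sort
}

# Print one line per drifted directive as "keyword: baseline -> current".
# Directives present on only one side show as <unset>.
# Returns 0 when nothing drifted, 1 when any directive differs.
sshd_config_drift() {
  tab="$(printf '\t')"
  nb="$(mktemp)"; nc="$(mktemp)"
  normalize "$1" >"$nb"; normalize "$2" >"$nc"
  out="$(join -t "$tab" -a1 -a2 -e '<unset>' -o '0,1.2,2.2' "$nb" "$nc" \
        | awk -F "$tab" '$2 != $3 { printf "%s: %s -> %s\n", $1, $2, $3 }')"
  rm -f "$nb" "$nc"
  [ -n "$out" ] && { printf '%s\n' "$out"; return 1; }
  return 0
}

if sshd_config_drift "$BASELINE" "$CURRENT"; then
  echo "sshd config matches baseline"
else
  echo "sshd config DRIFT: alert and ship the lines above to central logging"
fi
```

Directives that legitimately repeat (Port, Match blocks) produce one line per pairing here; for those, diffing the sshd -T output as a whole is the simpler check.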
Anatomy of a security decision.
Stop users from running low-level system configuration commands.
Only allow designated management users to
Users can still be admins and install stuff and change a few GUI settings.
Monitor everything, so you know when users are attempting to sudo out of bounds.
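The "sudo bash should never happen" and "sudo out of bounds" points above, as an added example that is not from the talk: sudo's standard syslog lines (which on the macOS of this era land in /var/log/system.log) are scanned for three things: a shell spawned through sudo, denied attempts, and any sudo use by an account outside the designated management list. The log lines, host name and account names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the talk): flag out-of-bounds sudo use from
# sudo's syslog lines. Sample lines and user names are constructed.
set -u
export LC_ALL=C

# Constructed sample log lines in sudo's standard "user : TTY=... ; COMMAND=..." format.
SAMPLE_LOG="$(cat <<'EOF'
Mar  3 10:12:01 mac01 sudo[4121]:    alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l
Mar  3 10:15:44 mac01 sudo[4188]:      bob : TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:16:02 mac01 sudo[4190]:    alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/sh -c id
Mar  3 10:18:15 mac01 sudo[4197]:   mgmt01 : TTY=ttys003 ; PWD=/Users/mgmt01 ; USER=root ; COMMAND=/usr/sbin/softwareupdate -i -a
Mar  3 10:20:30 mac01 sudo[4202]:   mgmt01 : TTY=ttys003 ; PWD=/Users/mgmt01 ; USER=root ; COMMAND=/bin/bash
Mar  3 10:21:00 mac01 sudo[4210]:      bob : user NOT in sudoers ; TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/sbin/systemsetup -getremotelogin
Mar  3 10:22:10 mac01 kernel[0]: unrelated noise line
EOF
)"

# Read log lines on stdin; $1 is a space-separated allowlist of management
# accounts (hypothetical names). Emits one tagged line per finding:
#   DENIED   - sudo refused the request (not in sudoers / bad password)
#   SHELL    - sudo was used to start a shell, which should never happen
#   UNLISTED - sudo used by an account outside the management list
flag_sudo_events() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /sudo\[[0-9]+\]:/ {
      line = $0
      # invoking user is the first token after "sudo[pid]:"
      user = line; sub(/.*sudo\[[0-9]+\]:[ \t]+/, "", user); sub(/[ \t].*/, "", user)
      cmd = ""; if (match(line, /COMMAND=.*/)) cmd = substr(line, RSTART + 8)
      prog = cmd; sub(/[ \t].*/, "", prog); sub(/.*\//, "", prog)   # basename of argv[0]
      if (line ~ /NOT in sudoers|incorrect password attempt/) { print "DENIED user=" user " cmd=" cmd; next }
      if (prog ~ /^(bash|sh|zsh|ksh|dash)$/)                   { print "SHELL user=" user " cmd=" cmd; next }
      if (!(user in ok))                                       { print "UNLISTED user=" user " cmd=" cmd }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | flag_sudo_events "mgmt01"
```

On a live system the same function takes real input, for example grep 'sudo\[' /var/log/system.log | flag_sudo_events "mgmt01 mgmt02"; the tagged lines are what you would forward to the central log search rather than the raw sudo noise.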
STIGs and guides only protect against what you know about, not what you don't.
XProtect & Gatekeeper - a Good Start.
XProtect is signature-based and scans downloads from sandboxed applications.
Gatekeeper is certificate-based and evaluated on first run. It provides validation, but is not something to rely on by itself.
Not a comprehensive security solution.
Macs don't get viruses! If you're pedantic, that's probably true.
That doesn't mean they're
NIST National Vulnerability Database: 328 CVE exploits in the last 3 months.
And now, System Integrity Protection.
SIP validates your system and keeps it free from writes by sources other than Apple.
Tools You Can Use
osquery(d) (Facebook)
Tripwire
OSXcollector (Yelp)
chef
Casper Suite
SNORT
santa (Google)
SANS courses
CIS Hardening Guides
DoD STIGs
NIST Continuous Monitoring Guidelines
SIP prevents some patching?
Security is a double-edged sword. Tradeoff of SIP of non-static/static divide. Valid Concern, but there are ways to mitigate that risk.
SIP Deactivate/Patch/Reactivate? Possible way to do system patches.
Maybe. But haven't tried.
How do you approach this for clients?
What's normal? We use Splunk for logging and regex for searching the logs. We take a lighter touch than the STIG to give the user some leeway. Anything we run through terminal, we collect and watch.
osquery for launchagents and launchdaemons.
Check out the osquery video from PSU Mac Admins 2015
Splunk, universally. There are some tricks to doing this, but it's doable with SSL all the way from client back to central server.
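The osquery-for-launchagents-and-launchdaemons point in the answer above, as an added example that is not from the talk or the osquery project: a plain-shell triage of LaunchAgent/LaunchDaemon plists that flags persistence whose program lives in a user-writable path or no longer exists. It parses the XML plists directly so it runs without osquery; the plists, labels, program paths and the fake filesystem root are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the talk): triage launchd plists for risky persistence.
# The same question asked through osquery is roughly
#   SELECT label, program, program_arguments, run_at_load, path FROM launchd
#   WHERE path LIKE '/Library/Launch%' OR path LIKE '/Users/%/LaunchAgents/%';
# (confirm the column names with `.schema launchd` in osqueryi before relying on them).
set -u
export LC_ALL=C

# Fake "/" so the existence checks are deterministic; everything below is constructed.
ROOT="$(mktemp -d)"
PLISTS="$ROOT/Library/LaunchDaemons"
mkdir -p "$PLISTS" "$ROOT/usr/local/bin" "$ROOT/Users/bob/Library/.cache"
printf '#!/bin/sh\n' >"$ROOT/usr/local/bin/backup";            chmod +x "$ROOT/usr/local/bin/backup"
printf '#!/bin/sh\n' >"$ROOT/Users/bob/Library/.cache/helper"; chmod +x "$ROOT/Users/bob/Library/.cache/helper"

write_plist() {  # $1 file, $2 Label, $3 first ProgramArguments entry, $4 RunAtLoad (true|false)
  cat >"$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key>
  <string>$2</string>
  <key>ProgramArguments</key>
  <array>
    <string>$3</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key>
  <$4/>
</dict></plist>
EOF
}
write_plist "$PLISTS/com.example.backup.plist" com.example.backup /usr/local/bin/backup true
write_plist "$PLISTS/com.example.helper.plist" com.example.helper /Users/bob/Library/.cache/helper true
write_plist "$PLISTS/com.example.sync.plist"   com.example.sync   /opt/tool/bin/sync false

# Extract "Label<TAB>program<TAB>RunAtLoad" from one XML plist (keys and values
# on separate lines, as plutil and Xcode write them). Program or the first
# ProgramArguments entry is taken as the program; RunAtLoad defaults to false.
parse_plist() {
  awk '
    BEGIN { ral = "false"; key = "" }
    /<key>/ { key = $0; gsub(/.*<key>|<\/key>.*/, "", key); next }
    /<string>/ && key != "" {
      v = $0; gsub(/.*<string>|<\/string>.*/, "", v)
      if (key == "Label") label = v
      else if (key == "Program" || key == "ProgramArguments") prog = v
      key = ""; next
    }
    /<true\/>/  && key == "RunAtLoad" { ral = "true";  key = ""; next }
    /<false\/>/ && key == "RunAtLoad" { ral = "false"; key = ""; next }
    END { printf "%s\t%s\t%s\n", label, prog, ral }' "$1"
}

# $1: directory of plists, $2: filesystem root prefix ("" on a real host).
# Prints one line per finding; silent for plists that look fine.
triage_launchd() {
  tab="$(printf '\t')"
  for p in "$1"/*.plist; do
    [ -e "$p" ] || continue
    IFS="$tab" read -r label prog ral <<EOF
$(parse_plist "$p")
EOF
    reason=""
    case "$prog" in
      /Users/*|/tmp/*|/private/tmp/*|/var/tmp/*|/private/var/tmp/*) reason="program in user-writable path" ;;
    esac
    [ -x "$2$prog" ] || reason="${reason:+$reason; }program missing"
    [ -n "$reason" ] && printf '%s: %s -> %s (RunAtLoad=%s) [%s]\n' \
        "$reason" "$label" "$prog" "$ral" "${p##*/}"
  done
  return 0
}

triage_launchd "$PLISTS" "$ROOT"
```

On a real Mac the call is triage_launchd /Library/LaunchDaemons "" and the same for /Library/LaunchAgents and each user's ~/Library/LaunchAgents; the value is in running it on a schedule and alerting on new lines, which is exactly the state-change monitoring the talk argues for.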