Zentral

Zentral

 

Zentral is a new open-source project initiated by Apfelwerk in Summer/Fall 2015. Zentral combines osquery’s powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients. Zentral consolidates the osquery information with inventory data from client management suites, e.g. JAMF Casper Suite and Sal. All details and events stored in a full text search engine.

 

  • Distribute osquery configurations
  • Distribute Santa configurations
  • Trigger notifications for osquery results
  • Trigger notifications for Google Santa policies
  • Store events in ElasticSearch
  • Integrate with Kibana4 + Prometheus
  • Integrate with JAMF Inventory / JSS-API
  • Munki inventory support via Sal

 

The project is under development, new features as well as improved documentation, more tutorials will released over time.

 

Features

Zentral is a new kind of tool. It will initially help #macadmins as an answer for the question:

               How can I run a TLS server for osquery?

We provide a central TLS server for osquery configurations and we add on the concept of probes with zentral/osquery – multiple osquery configurations can be combined with multiple actions and notifications. We already integrate with JAMF JSS, Sal API for inventory, we support Slack, SMS, email and push notifications, and last but not least we install two open source time based visualisation tools along with Zentral: Kibana4 and Prometheus. The data received by Zentral can be searched, processed and visualised in these tools.

 

Zentral’s main features are:

  • Gateway to connect a full stack of open source software
  • Provide multiple configurations for osquery via a pull model over HTTPS
  • Combine osquery or Santa results with flexible notifications and configurable actions
  • Metrics stored into in a full text search engine for time based processing
  • Connects with existent inventory, for OS X clients managed with Munki (SAL) or JAMF CasperSuite

 

Supported Actions/Notifications:

  • Slack (notify into specific channels)
  • Zendesk (ticket creation)
  • Email (send email to groups/individuals)
  • Push notifications (via PushoverAPI to iOS, Android, etc.)
  • JSS API (change group membership)

 

Components

Zentral follows a modular approach and consists of multiple components. At it’s core it is the intelligence to provide filtering and is a processing framework to interface with other tools. A best breed of open source tools is deployed along with Zentral. Core into a operational state when you deploy and run Zentral.

 

  • Redis in-memory cache, used for event queues.
  • PostgreSQL persistent database for inventory and metadata.
  • ElasticSearch, full-text search database for all event data
  • Kibana4, real-time analytics and visualization platform for events
  • Prometheus, monitoring system with a time series database
  • Nginx, high performance web server

 

Note: First deploy option is Docker (for testing Zentral), other options for a scalable deployment will follow (Ansible, etc.).

 

Architecture

Zentral is a new kind of tool. It is build in python and runs on Django Web 1.8 framework.

This diagram illustrates the main architecture areas of Zentral and some of it’s ecosystem components:

Zentral overview

Zentral is build with a modular approach – we and hopefully the community will build other modules over time. The modular approach enables to expand, scale, load balance or even replace functional elements with similar tools where needed.

 

Code Structure

Zentral is build in pure Python and is running in the Django Web Framework. Latest code restructure enables us to run osquery and inventory as Django Apps. Our goal is to enable Zentral.core and other Zentral components to run along with other Django Apps for future benefit. Currently we omitted to protect the Zentral Web interface with other than .htaccess – we think Django provides good solutions for access management and LDAP but rather love first to connect with other Django based Projects like Manana by Oxford-IT, Sal by Graham Gilbert, MunkiWebAdmin2 by Greg Neagle to work towards a unified approach.

 

Documentation

We have released Zentral as Docker image first, best follow the Zentral on Docker Tutorial to get started.

Additional documentation i.e. Zentral configuration, client enrollment, Santa setup, is currently a work in progress:

 

 

Note: We soon move all our documentation to: http://zentral.readthedocs.org/en/latest/

 

Deployment

Initially we provide source code and a Docker image to deploy Zentral https://hub.docker.com/r/zentral/zentral/. We will work on release other deployment options, internally we use Ansible to deploy Zentral to our server.

 

Status

Zentral is currently under development and not stable or fully ready to be used in production. Inventory can be taken from a JSS, we also support Sal as an inventory source for clients using Munki for management. Current notifications are Slack, email and JSS API calls. We are considering many other notifications and sources for inventory. Visualization is Kibana4 and Prometheus, the provided Zentral Docker image will run both tools along with Zentral.

Note: We will next present Zentral at the macad.uk conference in Feb 2016 in London.

 

When does Zentral fit?

If you’re a small to medium sized IT team, responsible for a fleet of mac clients and/or linux clients/servers. If you’d eager to combine the power of osquery, existing inventory, make use of time based event metrics over your fleet of clients, extend your team and tools with a new breed of flexible alerting and monitoring options.

Zentral is ideal as a starting point to integrate osquery with solutions you have already in place, start to extend and build up with the modular structure of Zentral.

 

When does Zentral may not fit?

If you’re a large enterprise, have a dedicated budget and resources for big data analytics you may have other solutions in place already.

 

Example use cases

Example 1: When a rogue USB device is detected, access to VPN or other corporate devices is revoked.

Example 2: When FileVault is disabled by the user, a specified folder containing sensitive files is deleted and the admin notified

Example 3: Third-party installed software that doesn’t get used after 30 days can be automatically slated for removal in munki.

 

Short Introduction Video

Intro to Zentral from November 2015 when participating in the Hack The Mac finals organized by MacBrains in SanFrancisco. Zentral was a nominee in the finals and has won 3rd price at MacBrains Hack The Mac contest 2015.

 

 

Example Demo Video

Early alpha version connecting to JAMF Casper Suite Inventory and JSS API.

Enforce JAMF MDM trigger with Zentral and osquery: