Zentral is a new open-source project initiated by Apfelwerk in Summer/Fall 2015. Zentral combines osquery’s powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients. Zentral consolidates the osquery information with inventory data from client management suites, e.g. JAMF Casper Suite and Sal. All details and events stored in a full text search engine.
The project is under development, new features as well as improved documentation, more tutorials will released over time.
Zentral is a new kind of tool. It will initially help #macadmins as an answer for the question:
How can I run a TLS server for osquery?
We provide a central TLS server for osquery configurations and we add on the concept of probes with zentral/osquery – multiple osquery configurations can be combined with multiple actions and notifications. We already integrate with JAMF JSS, Sal API for inventory, we support Slack, SMS, email and push notifications, and last but not least we install two open source time based visualisation tools along with Zentral: Kibana4 and Prometheus. The data received by Zentral can be searched, processed and visualised in these tools.
Zentral’s main features are:
Zentral follows a modular approach and consists of multiple components. At it’s core it is the intelligence to provide filtering and is a processing framework to interface with other tools. A best breed of open source tools is deployed along with Zentral. Core into a operational state when you deploy and run Zentral.
Note: First deploy option is Docker (for testing Zentral), other options for a scalable deployment will follow (Ansible, etc.).
Zentral is a new kind of tool. It is build in python and runs on Django Web 1.8 framework.
This diagram illustrates the main architecture areas of Zentral and some of it’s ecosystem components:
Zentral is build with a modular approach – we and hopefully the community will build other modules over time. The modular approach enables to expand, scale, load balance or even replace functional elements with similar tools where needed.
Zentral is build in pure Python and is running in the Django Web Framework. Latest code restructure enables us to run
inventory as Django Apps. Our goal is to enable Zentral.core and other Zentral components to run along with other Django Apps for future benefit. Currently we omitted to protect the Zentral Web interface with other than
.htaccess – we think Django provides good solutions for access management and LDAP but rather love first to connect with other Django based Projects like
Manana by Oxford-IT,
Sal by Graham Gilbert,
MunkiWebAdmin2 by Greg Neagle to work towards a unified approach.
We have released Zentral as Docker image first, best follow the Zentral on Docker Tutorial to get started.
Additional documentation i.e. Zentral configuration, client enrollment, Santa setup, is currently a work in progress:
Note: We soon move all our documentation to: http://zentral.readthedocs.org/en/latest/
Initially we provide source code and a Docker image to deploy Zentral https://hub.docker.com/r/zentral/zentral/. We will work on release other deployment options, internally we use Ansible to deploy Zentral to our server.
Zentral is currently under development and still far from being stable or fully ready to be used in production. Inventory can be taken from a JSS, we also support Sal as an inventory source for clients using Munki for management. Current notifications are Slack, email and JSS API calls. We are considering many other notifications and sources for inventory. Visualization is Kibana4 and Prometheus, the provided Zentral Docker image will run both tools along with Zentral.
Zentral is not ready for production but ready for contribution.
Note: We will next present Zentral at the macad.uk conference in Feb 2016 in London.
If you’re a small to medium sized IT team, responsible for a fleet of mac clients and/or linux clients/servers. If you’d eager to combine the power of osquery, existing inventory, make use of time based event metrics over your fleet of clients, extend your team and tools with a new breed of flexible alerting and monitoring options.
Zentral is ideal as a starting point to integrate
osquery with solutions you have already in place, start to extend and build up with the modular structure of Zentral.
If you’re a large enterprise, have a dedicated budget and resources for big data analytics you may have other solutions in place already.
Example 1: When a rogue USB device is detected, access to VPN or other corporate devices is revoked.
Example 2: When FileVault is disabled by the user, a specified folder containing sensitive files is deleted and the admin notified
Example 3: Third-party installed software that doesn’t get used after 30 days can be automatically slated for removal in munki.
Intro to Zentral from November 2015 when participating in the Hack The Mac finals organized by MacBrains in SanFrancisco. Zentral was a nominee in the finals and has won 3rd price at MacBrains Hack The Mac contest 2015.
Early alpha version connecting to JAMF Casper Suite Inventory and JSS API.
Enforce JAMF MDM trigger with Zentral and osquery: