setup_macos_clients.md

macOS clients

Local testing

TO test this deployment on a local VM and ingest logs into the SIEMS you NEED to ensure that host machine is connected to jumpbox/VM. If you jsut want to test the logging locally then you can skip setting up the VPN.

1. Copy OpenVPN to VM
2. brew install openvpn-connect
3. Open OpenVPN connect app
4. Import OpenVPN config
5. Enter OpenVPN client password from Google sheet
   1. 
6. Run Ansible playbook

Creating dedicated hosts

1. aws ec2 allocate-hosts --instance-type mac1.metal --availability-zone <availabilityZone - terraform/variables.tf> --auto-placement on --quantity 3 --region <availabilityZone - terraform/variables.tf - leave AZ off>
   1. 
   2. 
   3. Copy the host ID and press q
2. vim terraform/variables.tf scroll down to macos_dedicated_hosts section
   1. Enter the host ID for one openings
   2. 

Init playbook

1. git clone git@github.com:OTRF/macos-workshop
2. cd macos-workshop
3. vim host.ini and append the macOS IP address under [macos_clients]

Run playbook

1. ansible-playbook -i hosts.ini deploy_macos_clients.yml -u threathunter -K
   1. Enter password

Grant OsqueryD full disk access

1. Open Finder
2. Select "GO" at the top then "Go to Folder..."
   1. Enter /usr/local/bin
   2. Find osqueryd binary
3. Open System preference panel
4. Security & privacy > Prinvacy > Full Disk Access
   1. Drag and drop osqueryd binary from Finder to System preference panel
   2. 
5. launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
   1. Stop Osqueryd service
6. launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
   1. Start Osqueryd service

Test Osquery and Filebeat

1. filebeat test output -c /etc/filebeat/filebeat.yml
   1. Test Filebeat + Logstash + OpenVPN connection
   2. 
2. kafkacat -C -b 172.16.50.10:9092 -t osquery -C

Password reset

1. SSH into machine as ec2-user
2. sudo su
3. sudo /usr/bin/dscl . -passwd /Users/<username> <password>
4. sudo rm -r /Users/<username>/Library/Keychains/*

References

Filebeat

• Avoid Ansible command warning
• Create target directory when extracting tarball
• Mac OS/X won't let me mkdir /usr/share/tomcat6, even as root
• Deploying Filebeat on MacOS X
• Filebeat quick start: installation and configuration
• Directory layout
• community.general.launchd – Manage macOS services
• IMPLEMENTING LOGSTASH AND FILEBEAT WITH MUTUAL TLS (MTLS)
• Filebeat - test command

Osquery

• Github - palantir/osquery-configuration
• OPERATION CLEANUP: ERADICATING MALWARE WITH OSQUERY AND KOLIDE
• Installing .pkg with terminal ?
• Auditing with osquery: Part Two — Configuration and Implementation
• community.general.launchd – Manage macOS services
• osquery-configuration/Classic/Endpoints/MacOS/osquery_no_tls.flags
• Installing on macOS
• Deploying Osquery Part 2 - The basics, cont.
• osquery-configuration/Classic/Servers/Linux/osquery.flags