Garrison is a security service for consolidating alerts from many other systems down to a single web dashboard.
This project is in active development. We aim to always keep it functional, but we may break things from time to time. If you spot a problem, please raise a GitHub issue.
Garrison is made up of two parts:
- Dashboard: a Ruby on Rails web app which uses a PostgreSQL database for alert storage.
- Agents: these populate the alerts you see in the dashboard. They are primarily lightweight Docker containers, and are responsible for sending data to the web API, which in turn populates the interface.
There are some pre-built agents, but you can create your own agents very easily if you need to.
We provide pre-built Docker containers for all parts of the service, which are available on Docker Hub.
- Dashboard - https://hub.docker.com/r/forward3d/garrison/
- Agents - See individual agent documentation
TODO
There are some global configuration options for agents; these are provided to the agent containers as environment variables. Some agents may have additional configuration options, which are documented with the individual agent.
Each agent must be registered before you use it, as each one needs an Agent UUID. You get this by POSTing the agent's source and check slugs to the API:

```sh
curl -d '{"agent": {"source": "aws-rds", "check": "check_engine_version"}}' -H "Content-Type: application/json" -X POST https://garrison.internal.acme.com/api/v1/agents
```

This is done so that alerts can be traced back to a single run of an agent, all the way down to the specific check type. Note that the request shown carries no credentials, so restrict network access to the API accordingly.
Environment Variable | Description
---|---
GARRISON_URL | URL to the Garrison web interface, e.g. https://garrison.internal.acme.com
GARRISON_AGENT_UUID | The UUID that was previously registered with the API
All optional variables have a sane default set by the individual check itself; these options are provided in case you want to override that default.
Environment Variable | Description
---|---
GARRISON_ALERT_SOURCE | Source slug, e.g. aws-rds, cve-detail
GARRISON_ALERT_SEVERITY | Severity slug, e.g. critical, high, medium, low, info [1]
GARRISON_ALERT_FAMILY | Family slug, e.g. attack, infrastructure, software, networking [1]
GARRISON_ALERT_TYPE | Type slug, e.g. security, compliance, informational [1]
GARRISON_ALERT_DEPARTMENTS | Comma separated list of Department slugs, e.g. it,development [2]
GARRISON_AUTO_OBSOLETE | Setting this to anything will automatically mark Alerts generated by previous runs of this agent as obsolete
[1] Or any other custom slugs you have created within Garrison.
[2] Departments must already exist.
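The following Ruby script ties the two steps above together: it builds the same registration request as the curl command (and can send it), and resolves the documented environment variables into a configuration hash the way an agent container would. It is an added example written for this page, not code from the Garrison project or its agents. The CHECK_DEFAULTS values, the sample environment, and the idea that the registration response is parsed as JSON are assumptions; the page does not document the response body, so the caller has to inspect it to find the UUID.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Build, but do not send, the registration request for POST /api/v1/agents.
# This mirrors the curl command in the README: a JSON body with the agent's
# source and check slugs. Returns the URI and the prepared request.
def registration_request(garrison_url, source:, check:)
  uri = URI.join(garrison_url, '/api/v1/agents')
  req = Net::HTTP::Post.new(uri)
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate(agent: { source: source, check: check })
  [uri, req]
end

# Send the registration request over TLS when the URL is https and return the
# parsed body. Assumption: the API answers with JSON; where the UUID sits in
# that JSON is not documented on this page, so the caller must inspect it.
def register_agent(garrison_url, source:, check:)
  uri, req = registration_request(garrison_url, source: source, check: check)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  raise "registration failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

# Assumed defaults that a real check would carry for itself; the optional
# GARRISON_ALERT_* variables override these only when they are set.
CHECK_DEFAULTS = {
  source: 'aws-rds',
  severity: 'medium',
  family: 'infrastructure',
  type: 'security',
  departments: []
}.freeze

# Resolve the documented environment variables into a config hash.
# - GARRISON_URL and GARRISON_AGENT_UUID are required and must be non-empty.
# - GARRISON_ALERT_* override the check default only when set and non-empty.
# - GARRISON_ALERT_DEPARTMENTS is a comma separated list of slugs.
# - GARRISON_AUTO_OBSOLETE is a presence flag: any value at all turns it on.
# `env` defaults to the process environment; a Hash can be passed for testing.
def agent_config(env = ENV, defaults = CHECK_DEFAULTS)
  %w[GARRISON_URL GARRISON_AGENT_UUID].each do |key|
    raise ArgumentError, "#{key} must be set" if env[key].to_s.strip.empty?
  end

  override = lambda do |key, default|
    value = env[key].to_s.strip
    value.empty? ? default : value
  end

  departments = env['GARRISON_ALERT_DEPARTMENTS'].to_s
                  .split(',').map(&:strip).reject(&:empty?)

  {
    url: env['GARRISON_URL'].strip.sub(%r{/+\z}, ''), # drop trailing slash
    agent_uuid: env['GARRISON_AGENT_UUID'].strip,
    source: override.call('GARRISON_ALERT_SOURCE', defaults[:source]),
    severity: override.call('GARRISON_ALERT_SEVERITY', defaults[:severity]),
    family: override.call('GARRISON_ALERT_FAMILY', defaults[:family]),
    type: override.call('GARRISON_ALERT_TYPE', defaults[:type]),
    departments: departments.empty? ? defaults[:departments] : departments,
    auto_obsolete: !env['GARRISON_AUTO_OBSOLETE'].nil?
  }
end

# Constructed sample environment, standing in for what a container would see.
SAMPLE_ENV = {
  'GARRISON_URL' => 'https://garrison.internal.acme.com/',
  'GARRISON_AGENT_UUID' => '00000000-0000-4000-8000-000000000000', # placeholder
  'GARRISON_ALERT_SEVERITY' => 'high',
  'GARRISON_ALERT_DEPARTMENTS' => 'it, development',
  'GARRISON_AUTO_OBSOLETE' => '1'
}.freeze

if __FILE__ == $PROGRAM_NAME
  uri, req = registration_request(SAMPLE_ENV['GARRISON_URL'],
                                  source: 'aws-rds', check: 'check_engine_version')
  puts "would POST #{req.body} to #{uri}"
  puts agent_config(SAMPLE_ENV).inspect
end
```

Run it as-is to see the request that would be sent and the resolved configuration; call `register_agent` once per source/check pair when you actually want a UUID issued, then place that UUID in GARRISON_AGENT_UUID for every run of that agent.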
This is just a list of the official agents; you might find more under the GitHub tag garrison-agent.