Design a dashboard in Kibana

[micahflee]

Now that the types of data getting collected from osquery is stabalizing, it's time to start visualizing this data. In Kibana, I need to:

• Create an index pattern for Flock data
• Create several visualizations that show the most important data
• Create a dashboard that lays out all of these visualizations

Once this is done (even if it's incomplete), we can export the dashboard (and all associated objects like visualizations and index patterns) into a JSON file using the Kibana import/export API.

Then, the Kibana container should have a script that that auto-imports this JSON so that when you run docker-compose up, Kibana is pre-configured.

[micahflee]

Here is all of the data that Flock Agent collects, as of version 0.0.1 (more details here):

• os_version: The current version of macOS that's on your computer'
• browser_plugins: List of browser plugins, which can allow us to detect if you have malicious ones installed
• safari_extensions: List of Safari extensions, which can allow us to detect if you have malicious ones installed
• opera_extensions: List of Opera extensions, which can allow us to detect if you have malicious ones installed
• chrome_extensions: List of Chrome extensions, which can allow us to detect if you have malicious ones installed
• firefox_addons: List of Safari extensions, which can allow us to detect if you have malicious ones installed
• launchd: What daemons (background services) automatically start of your computer, which malware could use for persistence
• startup_items: What apps automatically start on your computer, which malware could use for persistence
• crontab: What programs are scheduled to run at regular intervals, which malware could use for persistence
• loginwindow1: What loginwindow values are set, including if the guest user is enabled, and which malware could use for persistence on system boot
• loginwindow2: What loginwindow values are set, which malware could use for persistence on system boot
• loginwindow3: What loginwindow values are set, which malware could use for persistence on system boot
• loginwindow4: What loginwindow values are set, which malware could use for persistence on system boot
• alf: How the application firewall is configured
• alf_exceptions: Exceptions to the application firewall, allowing us to identify unwanted firewall holes made by malware or humans
• alf_services: Which network services are allowed through the firewall, allowing us to identify unwanted firewall holes made by malware or humans
• alf_explicit_auths: Processes with explicit authorization for the application firewall, allowing us to identify unwanted firewall holes made by malware or humans
• etc_hosts: Values from the /etc/hosts file, which could be used to redirect or block network communications
• kextstat: What current kernel extensions are loaded; some malware has a kernel expension component and this could help us catch it
• last: A list of the most recent time which users have logged into your computer, which will help use verify assumptions of what accounts should be accessing what computers, and identify computers accessed during a compromise
• installed_applications: List of applications that are currently installed, to help identify malware, adware, or vulnerable applications that are installed
• open_sockets: List of all the open network sockets per process, which could help identify connections to known-bad IP addresses, or odd local or remote port bindings
• logged_in_users: List of all the currently logged in users, which is useful for intrusion detection and incident response
• ip_forwarding: The current status of IP forwarding, which can determine if your computer is being used as a network relay
• ramdisk: A list of ramdisks currently mounted, which an attacker might use to avoid touching the disk for anti-forensics purposes
• listening_ports: List of network ports that are listening for incoming connections, which malware could use for remote access
• suid_bin: List of binary files on your computer with setuid enabled, which could be used for privilege escelation, including privilege escelation backdoors
• arp_cache: A copy of the ARP cache values, which could detect if a local man-in-the-middle attack is in progress
• disk_encryption: Whether disk encryption is enabled
• reverse_shell: Detect reverse shells, which is the first step attackers often take after an initial compromise in order to more easily run commands on your computer

I'm not sure we need to figure out how to visualize all of it -- we can always use the Discover app in Kibana to manually look at the data. But I think we can visualize a lot of it. It will take some time to come up with exactly what information we want to visualize, and how we want it to look.

[micahflee]

Alternatively, maybe we shouldn't import it automatically (though we should still design/keep maintained a default dashboard).

I think there are a number of ways that people will deploy Flock in production, and it's not worth worrying about automating this specifically for docker-compose.