Kraken Sentry
Kraken Sentry is an agent for SIEM (Security Incident and Event Management). Sentry can be installed on Windows and Linux servers. Sentry connects to a Kraken base, sends logs, and handles remote control.
Author
- xeraph (xeraph@nchovy.com)
Command
- sentry.guid
- Print current sentry guid
    kraken> sentry.guid
    76857641-1623-46f8-8871-1fe1b7ee1343
- sentry.setGuid [guid]
- Configure sentry guid
    kraken> sentry.setGuid 76857641-1623-46f8-8871-1fe1b7ee1343
    ok
- sentry.methods
- List all sentry rpc methods annotated with @SentryMethod
    kraken> sentry.methods
    Sentry Methods
    ----------------------
    connectLogChannel
    getArpCache
    getHostName
    getLoggerFactory
    getProcesses
    createLogger
    getNetStat
    getNetworkInterfaces
    getRoutingTable
    disconnectLogChannel
    getLoggerFactories
    getLoggers
    disconnectLogger
    removeLogger
    getDiskPartitions
    getSystemInfo
    stopLogger
    getDate
    startLogger
    connectLogger
    listFiles
- sentry.connections
- List current connections
    kraken> sentry.connections
    Connections
    --------------------
    [demo] id=13408463, peer=/10.0.10.10:7140, trusted level=Low, ssl=true
- sentry.bases
- List all configured kraken bases
- The connection watchdog checks every base configuration every 30 seconds and connects automatically to any base that is not connected (see the ConnectionWatchdogImpl component).
    kraken> sentry.bases
    Base List
    -----------------
    name=demo, address=/10.0.10.10:7140, key=rpc-agent, ca=rpc-ca
- sentry.addBase [name] [ip or hostname] [port] [key alias] [trust alias]
- Add a new kraken base configuration.
    kraken> sentry.addBase demo 10.0.10.10 7140 rpc-agent rpc-ca
    base added
- sentry.removeBase [name]
- Remove a kraken base configuration.
    kraken> sentry.removeBase demo
    base removed
Install Guide
- Install Kraken Core
- Download the latest Kraken Core and run it.
- A Kraken Windows installer is available.
- Register certificates
    kraken> keystore.register rpc-ca JKS /root/kraken/certs/CA.jks PASSWORD
    [rpc-ca] key store registered
    kraken> keystore.register rpc-agent PKCS12 /root/kraken/certs/Agent.pfx PASSWORD
    [rpc-agent] key store registered
- Install kraken sentry package
- On Windows: kraken> pkg.install kraken-windows-sentry
- On Linux: kraken> pkg.install kraken-linux-sentry
- Install screenshot:
    kraken> pkg.install kraken-windows-sentry
    Resolving {groupId: org.apache.felix, artifactId: org.apache.felix.ipojo, version: 1.4.0} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.apache.felix.ipojo 1.4.0
    Resolving {groupId: org.krakenapps, artifactId: kraken-ipojo, version: 1.1.0} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.krakenapps.ipojo 1.1.0
    Resolving {groupId: org.jboss.netty, artifactId: netty, version: 3.2.2.Final} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.jboss.netty 3.2.2.Final
    Resolving {groupId: org.krakenapps, artifactId: kraken-log-api, version: 1.0.0} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.krakenapps.log.api 1.0.0
    Resolving {groupId: org.krakenapps, artifactId: kraken-codec, version: 1.0.0} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.krakenapps.codec 1.0.0
    Resolving {groupId: org.krakenapps, artifactId: kraken-rpc, version: 1.0.0} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.krakenapps.rpc 1.0.0
    Resolving {groupId: org.krakenapps, artifactId: kraken-sentry, version: 1.0.0} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.krakenapps.sentry 1.0.0
    Resolving {groupId: org.krakenapps, artifactId: kraken-winapi, version: 1.0.0} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.krakenapps.winapi 1.0.0
    Resolving {groupId: org.krakenapps, artifactId: kraken-windows-sentry, version: 1.0.0} -> trying to download from http://download.krakenapps.org/ -> resolved -> installing: org.krakenapps.sentry.windows 1.0.0
    Starting Bundles
    -> [OK] org.apache.felix.ipojo 1.4.0
    -> [OK] org.krakenapps.ipojo 1.1.0
    -> [OK] org.krakenapps.log.api 1.0.0
    -> [OK] org.krakenapps.rpc 1.0.0
    -> [OK] org.krakenapps.sentry 1.0.0
    -> [OK] org.krakenapps.winapi 1.0.0
    -> [OK] org.krakenapps.sentry.windows 1.0.0
    Complete!
- Set sentry guid
    kraken> sentry.guid
    guid not found. sentry.setGuid first
    kraken> guid
    76857641-1623-46f8-8871-1fe1b7ee1343
    kraken> sentry.setGuid 76857641-1623-46f8-8871-1fe1b7ee1343
    ok
    kraken> sentry.guid
    76857641-1623-46f8-8871-1fe1b7ee1343
- Configure server address
    kraken> sentry.addBase demo 10.0.10.10 7140 rpc-agent rpc-ca
    base added
- Verify base connection
    kraken> sentry.connections
    Connections
    --------------------
    [demo] id=13408463, peer=/10.0.10.10:7140, trusted level=Low, ssl=true
- Troubleshooting
- Check the location, permissions and validity of the CA certificate (JKS) and the agent PKCS12 file
- Check the firewall rules of the server (tcp/7140 port)
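The two troubleshooting items above can be turned into a pre-flight check. The following is an added example (not code from the Kraken Sentry project) that verifies the keystore files exist, are readable by the current user only, carry the file magic their declared type should have (JKS header 0xFEEDFEED, DER SEQUENCE for PKCS#12), and that the base's rpc port accepts a TCP connection. The paths, host and port are the values used in the install guide; the function names are this example's own.

```python
"""Pre-flight check for the Kraken Sentry keystores and base port (added example)."""
import os
import socket
import stat

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # first four bytes of a Java KeyStore file
DER_SEQUENCE = 0x30               # a PKCS#12 file is a DER-encoded SEQUENCE


def check_keystore_file(path, store_type):
    """Return a list of problems found with a keystore file (empty list means OK).

    The group/other permission test is meaningful on Linux; on Windows the
    mode bits reported by os.stat do not reflect the ACL.
    """
    problems = []
    try:
        st = os.stat(path)
    except OSError as e:
        return ["%s: cannot stat (%s)" % (path, e.strerror)]
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s: not a regular file" % path)
    if not os.access(path, os.R_OK):
        problems.append("%s: not readable by the current user" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s: group/other permissions set (mode %s)"
                        % (path, stat.filemode(st.st_mode)))
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError as e:
        return problems + ["%s: cannot read (%s)" % (path, e.strerror)]
    if store_type == "JKS" and head != JKS_MAGIC:
        problems.append("%s: does not start with the JKS magic number" % path)
    elif store_type == "PKCS12" and (not head or head[0] != DER_SEQUENCE):
        problems.append("%s: does not look like a DER-encoded PKCS#12 file" % path)
    return problems


def base_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(ca_path="/root/kraken/certs/CA.jks",
              agent_path="/root/kraken/certs/Agent.pfx",
              host="10.0.10.10", port=7140):
    """Run all checks; returns the list of problems (empty when everything passed)."""
    report = check_keystore_file(ca_path, "JKS") + check_keystore_file(agent_path, "PKCS12")
    if not base_port_open(host, port):
        report.append("%s:%d: tcp connection failed (check firewall rules for tcp/%d)"
                      % (host, port, port))
    return report


if __name__ == "__main__":
    for line in preflight() or ["all checks passed"]:
        print(line)
```

Run it on the sentry host before keystore.register and sentry.addBase; every reported line maps to one of the two troubleshooting items above.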
Features
Remote Control
BasicCommandHandler provides the basic sentry rpc methods. To add new remote rpc methods, create a new iPOJO component that implements the SentryCommandHandler interface.
    import java.util.Collection;

    public interface SentryCommandHandler {
        // the remote caller uses this to discover which kinds of services are available
        Collection<String> getFeatures();
    }
Your new sentry rpc method should be annotated with @SentryMethod:
    import java.util.Arrays;
    import java.util.Collection;
    import java.util.Date;

    import org.apache.felix.ipojo.annotations.Component;
    import org.apache.felix.ipojo.annotations.Provides;
    // SentryCommandHandler and SentryMethod are imported from the kraken-sentry bundle

    @Component(name = "my-command-handler")
    @Provides
    public class MyCommandHandler implements SentryCommandHandler {
        @Override
        public Collection<String> getFeatures() {
            // feature names advertised to the remote caller
            return Arrays.asList("time");
        }

        // exposed as a sentry rpc method and listed by sentry.methods
        @SentryMethod
        public Date getDate() {
            return new Date();
        }
    }
You can see your own sentry rpc handler using the sentry.methods command:
    kraken> sentry.methods
    Sentry Methods
    ----------------------
    getDate
    ..omitted..
Process Monitoring
Every platform that wants to support process monitoring should implement the org.krakenapps.sentry.process.ProcessChecker interface.
    // the checker is scheduled as a Runnable and exposes the monitor it reports to
    public interface ProcessChecker extends Runnable {
        ProcessMonitor getProcessMonitor();
    }
See the Windows Process Checker class for details.
Set process monitoring
kraken> processcheck.set
Description
set process check
Arguments
1. process name: process name (required)
2. check option: allow or deny (required)
kraken> processcheck.set explorer.exe allow
ok
Remove process monitoring
kraken> processcheck.remove
Description
remove process check
Arguments
1. process name: process name (required)
kraken> processcheck.remove explorer.exe
ok
Check immediately
This command shows only status changes, i.e. a process whose running status has not changed since the last check is not listed. The first run lists all target processes; running it again immediately afterwards shows nothing.
    kraken> processcheck.check
    process=Explorer.EXE, option=allow, running=true
    check completed
    kraken> processcheck.check
    check completed
Show process checklist
    kraken> processcheck.list
    Process Checklist
    ---------------------
    process=explorer.exe, check option=allow, last check=2010-11-08 02:43:55, last running status=true
Create logger and monitor periodically
    kraken> logapi.createLogger process-check local pc test
    kraken> logapi.startLogger pc 5000
    logger started
    kraken> logapi.loggers
    Loggers
    ----------------------
    name=local\pc, factory=local\process-check, log count=0, last log=null, last run=2010-11-08 02:51:56
The logger generates log entries like this:
[2010-11-08 02:53:46,239] DEBUG (ProcessCheckLogger) - kraken windows sentry: process check log [date=2010-11-08 02:53:46, logger=local\pc, msg=process check: warning, [java.exe] is running]
A process check log is generated only when a process's running status changes.
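The change-only behaviour of processcheck.check and the process check log format above are easy to get wrong when feeding the logs into a SIEM, so here is an added example (not code from the Kraken Sentry project) that models the checklist: a check reports a process only when its running status differs from the last check, and the checklist keeps the last status as processcheck.list shows. It also parses the process check log line into fields. The class and function names, the sample process lists and the "violation" reading of allow/deny (a deny-listed process running, or an allow-listed one stopped) are this example's own assumptions.

```python
"""Model of processcheck change-only reporting plus a process check log parser (added example)."""
import re
from datetime import datetime

# Constructed sample line in the format the page shows for the local\pc logger.
SAMPLE_LOG = (
    "[2010-11-08 02:53:46,239] DEBUG (ProcessCheckLogger) - kraken windows sentry: "
    "process check log [date=2010-11-08 02:53:46, logger=local\\pc, "
    "msg=process check: warning, [java.exe] is running]"
)

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>\w+) \((?P<src>[^)]+)\) - (?P<prefix>.*?): "
    r"process check log \[date=(?P<date>[^,]+), logger=(?P<logger>[^,]+), "
    r"msg=(?P<msg>.*)\]$"
)
# The "is <state>" wording is taken from the single sample line; other states are an assumption.
MSG_RE = re.compile(r"process check: (?P<severity>\w+), \[(?P<process>[^\]]+)\] is (?P<state>.+)$")


def parse_process_check_log(line):
    """Split one process check log line into indexable fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S,%f")
    msg = MSG_RE.match(fields["msg"])
    if msg:
        fields.update(msg.groupdict())
    return fields


def violates(option, running):
    """Assumed interpretation of the check option: deny + running, or allow + stopped."""
    return (option == "deny" and running) or (option == "allow" and not running)


class ProcessChecklist:
    """Processes to watch, each with an allow/deny option and the last observed running status."""

    def __init__(self):
        self.entries = {}  # lower-cased process name -> {"option", "last_running"}

    def set(self, name, option):
        if option not in ("allow", "deny"):
            raise ValueError("check option must be 'allow' or 'deny'")
        self.entries[name.lower()] = {"option": option, "last_running": None}

    def remove(self, name):
        self.entries.pop(name.lower(), None)

    def check(self, running_processes):
        """Compare against the running process list; return only entries whose status changed."""
        running = {p.lower() for p in running_processes}
        changes = []
        for name, entry in self.entries.items():
            now = name in running
            if entry["last_running"] != now:   # None on the first check, so everything is listed once
                entry["last_running"] = now
                changes.append({"process": name, "option": entry["option"],
                                "running": now, "violation": violates(entry["option"], now)})
        return changes


if __name__ == "__main__":
    checklist = ProcessChecklist()
    checklist.set("explorer.exe", "allow")
    checklist.set("java.exe", "deny")
    print(checklist.check(["Explorer.EXE", "svchost.exe"]))  # first check: both listed
    print(checklist.check(["Explorer.EXE", "svchost.exe"]))  # nothing changed: []
    print(checklist.check(["Explorer.EXE", "java.exe"]))     # java.exe started: one violation
    print(parse_process_check_log(SAMPLE_LOG))
```

Process names are compared case-insensitively because the page's own output shows both Explorer.EXE and explorer.exe for the same entry; a SIEM rule keyed on the parsed process field should normalise the same way.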
See also
- Kraken Base
- Platform-specific extensions are available.
History
- 1.0.0 release (2010-12-06)
