Saturday, December 22, 2007

Open Source NAC and A [Kind of/Sort Of] Agentless Endpoint Posture Assessment for Debuntu Boxes

Previously I described a quite common situation I've encountered where non-compliant laptops and OSes are used by members of security teams, frequently in violation of technology/security policy (anyone else know the term "shadow IT"?). Another use case might be highly-skilled/trusted security consultants who could own your ass if they wanted to and probably already have the keys to the kingdom. A reader noted that one solution would be just to grant an exception to policy for these [already] trusted users, but this doesn't sit too well with me.

I personally would like to have some additional layer of monitoring above and beyond good-faith adherence to policy and the desire to do the right thing. The various Open Source NAC toolsets that are out there (many of which seem to be developed within universities), such as packetfence, FreeNAC, or RINGS, seem like overkill and clearly inappropriate for this sort of user base.

What I had in mind was something much lighter weight that:
  • Runs with user-level privileges
  • Requires a minimal level of installation, perhaps a simple Ruby/Python script with minimal to no third-party libraries
  • Communicates to a server vs. having the server interrogate the client (i.e. no agent listening for connections back from a centralized server)
  • Provides flexible execution (run as a startup script or within the desktop environment, via gnome-session or something similar)
  • Authenticates the user against some sort of directory server (so we can associate a given endpoint with a user)
An initial environment would be Debian/Ubuntu (although OS X would be nice, too) that could provide the following information to a Rails/Django web app:
  • Linux kernel version and running kernel modules
  • Last apt-get update
  • Hardware (both real and virtual)
  • Whether or not filesystem encryption is enabled (look for /dev/mapper entries)
  • Information about packages (such as the output of a dpkg -l)
  • Listening services (netstat or lsof)
  • Network information (interfaces, routing)
This assumes that there is something NAC-like (in the sense of segregating non-compliant PCs to a certain network/tunnel) or that users will voluntarily run some sort of script upon login.

That being said, as easy as this is to imagine, I'm sort of ambivalent about the usefulness of something like this (perhaps I've heard too many of the arguments about NAC "fighting the last war"), but it doesn't seem like it would be terribly difficult or time-consuming to whip up a small client script that pulled together some basic Linux system information and sent it to a CRUD web app to provide some basic auditing and reporting. And it wouldn't be much of a stretch to add some policy definition/enforcement based on the data, or to tie it to an iptables/PF box with anchors to implement different access profiles. Obviously, unlike most of the commercial (or even the Open Source) NAC solutions, this is an L3, n-hop-away solution: no 802.1x, no DHCP, no VLAN assignment. But it is actually deployable and might immediately provide some useful (and perhaps even actionable) information with higher fidelity than scanning the endpoint with Nmap or non-authenticated Nessus, or using passive device/app fingerprinting, which seems a waste of time for the problem at hand.
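To make the client script concrete, here is an added example (my own sketch, not code from the post or any of the NAC projects named above) of a stdlib-only Python client that gathers the listed items as an unprivileged user on Debian/Ubuntu and pushes them outbound as JSON. The collector URL is a placeholder, the /dev/mapper check is a proxy for dm-crypt rather than proof of encryption, and each collector degrades to None when a tool is missing so one absent command does not break the report.

```python
# Hypothetical user-level posture client (stdlib only, outbound only, no listener).
import json, os, platform, socket, subprocess, time, urllib.request
COLLECTOR_URL = "https://posture.example.invalid/report"  # assumed endpoint, not a real one

def run(cmd):
    """Run a tool without a shell; None if it is missing or hangs (never raise)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None

def parse_lsmod(output):
    """Module names: first column of 'lsmod', header line skipped."""
    return None if output is None else [l.split()[0] for l in output.splitlines()[1:] if l.strip()]

def parse_dpkg_l(output):
    """'name version' for installed ('ii') rows of 'dpkg -l'; header rows are dropped."""
    rows = [l.split() for l in (output or "").splitlines() if l.startswith("ii ")]
    return None if output is None else [f"{r[1]} {r[2]}" for r in rows]

def has_dm_volumes(mapper_names):
    """Any /dev/mapper node besides 'control' means device-mapper is active; on a
    laptop that is usually dm-crypt/LUKS, so treat it as a proxy for FS encryption."""
    return any(n != "control" for n in mapper_names)

def last_apt_update(lists_dir="/var/lib/apt/lists"):
    """mtime of the apt lists directory approximates the last 'apt-get update'."""
    try:
        return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(os.stat(lists_dir).st_mtime))
    except OSError:
        return None

def build_report():
    # Every collector degrades to None rather than failing the whole report.
    mapper = os.listdir("/dev/mapper") if os.path.isdir("/dev/mapper") else []
    return {
        "host": socket.gethostname(), "user": os.environ.get("USER"), "kernel": platform.release(),
        "modules": parse_lsmod(run(["lsmod"])), "last_apt_update": last_apt_update(),
        "hardware": run(["lspci"]),  # readable without root, unlike lshw/dmidecode
        "fs_encryption": has_dm_volumes(mapper), "packages": parse_dpkg_l(run(["dpkg", "-l"])),
        "listening": run(["netstat", "-tuln"]) or run(["ss", "-tuln"]),
        "network": {"interfaces": run(["ip", "-o", "addr"]), "routes": run(["ip", "route"])},
    }

def send_report(report, url=COLLECTOR_URL):
    """POST the JSON record; the collector authenticates the user (e.g. HTTP auth) first."""
    req = urllib.request.Request(url, data=json.dumps(report).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

Running `send_report(build_report())` from a login script or a gnome-session autostart entry gives the Rails/Django side one JSON record per login to store and diff against policy.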

Is there anything out there along these lines?
