MIDAS - Mac Intrusion Detection Analysis System

MIDAS

MIDAS is a framework for developing a Mac Intrusion Detection Analysis System, based on work and collaborative discussions between the Etsy and Facebook security teams. This repository provides a modular framework and a number of helper utilities, as well as an example module for detecting modifications to common OS X persistence mechanisms.
Our mutual goal in releasing this framework is to foster more discussion in this area and provide organizations with a starting point in instrumenting OS X endpoints to detect common patterns of compromise and persistence.

Overview

The midas subdirectory is where the core MIDAS code lives. The entry point is launcher.py. From there, each module in midas/modules is executed and the stdout of the module is written to a log file. When deploying MIDAS, this is the code that is put on users' systems.
The develop subdirectory is where development resources (like a .pylintrc) live.
The templates resource is where template and base resources live. These can be used as a starting point when adding modules.

Architecture

MIDAS allows you to define a set of "modules" that implement host-based checks, verifications, analysis, etc.

Launcher

The launcher.py file exists at the top level of the midas directory. It gathers some simple information about the host it is executing on (such as time, hostname, etc.) and defines how it should handle modules written in each supported language. To add a supported language, create a new instance of TyLanguage in launcher.py and add it to the SUPPORTED_LANGUAGES list. If you would like to change the way a certain language is handled (for example, to execute all Python modules with a custom Python interpreter), change the attributes of that language entry (such as execution_string).
Once these definitions are in place, the launcher iterates through all files in the modules subdirectory (directories are explicitly skipped). For each file, if a language entry is found that indicates how to deal with that filetype, the file is executed and the module's stdout is appended to a log file in the log subdirectory. A module at modules/example.py therefore generates the log file logs/example.log.

Module language

Modules can be written in any language, so long as a named tuple for that language is defined in midas/launcher.py. These named tuples (which already exist for python, ruby and shell) exist so that MIDAS knows how to handle certain filetypes when it sees them.
As long as your code can be executed and prints something to stdout, it can be a module.

Components

Example module

The file midas/modules/example.py is an example MIDAS module created to illustrate what a MIDAS module might look like. This module analyzes the LaunchAgents and LaunchDaemons on the host and logs any modifications that it identifies. Its remaining checks analyze the host firewall configuration and log any additions or differences that are identified. This is not meant to be a complete intrusion detection mechanism on its own; it is a reference example of what a MIDAS module may look like.
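As an added illustration of a module in this style (not the project's own example.py), the block below hashes the property lists in the launchd persistence directories, diffs them against the snapshot saved on the previous run, and prints one line per added, removed or modified item so that the launcher can capture it in the module's log. The directory list, the baseline file location and the output format are assumptions, not MIDAS conventions.

```python
import hashlib
import json
import os

# launchd persistence directories to watch (assumed list, not the project's config).
PERSISTENCE_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                    os.path.expanduser("~/Library/LaunchAgents")]
# Where the previous snapshot is stored between runs (assumed location).
BASELINE_PATH = os.path.expanduser("~/.midas_launchd_baseline.json")

def snapshot(directories):
    """Map every .plist file under the given directories to its SHA-256 digest."""
    digests = {}
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if os.path.isfile(path) and name.endswith(".plist"):
                with open(path, "rb") as fh:
                    digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return (event, path) pairs: items added, removed or modified since baseline."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append(("added", path))
        elif path not in current:
            events.append(("removed", path))
        elif baseline[path] != current[path]:
            events.append(("modified", path))
    return events

def run(directories=PERSISTENCE_DIRS, baseline_path=BASELINE_PATH):
    """Diff a fresh snapshot against the stored baseline, then persist the new snapshot."""
    baseline = {}
    if os.path.exists(baseline_path):
        with open(baseline_path) as fh:
            baseline = json.load(fh)
    current = snapshot(directories)
    with open(baseline_path, "w") as fh:
        json.dump(current, fh)
    return compare(baseline, current)

if __name__ == "__main__":
    # One finding per line on stdout; the launcher appends it to logs/<module>.log.
    for event, path in run():
        print("launchd_%s %s" % (event, path))
```

On the first run there is no baseline, so every existing item is reported as added; later runs report only what changed since the previous run.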

Helpers

There are several helper files in midas/lib/helpers that are generally grouped by category. Functions in these helpers can be imported by modules to assist with general tasks. The functionality exposed by the helpers includes:
  • list all weak SSH keys on a host
  • find all files in a given directory with given permissions
  • list all startup items
  • list all LaunchAgents, LaunchDaemons, etc.
  • list and hash all kernel extensions
  • return the SSID of the currently connected WiFi network
  • return the IP and MAC address of the current network gateway
  • return DNS configuration information
  • and much, much more

Config system

The config file, which can be found at midas/lib/config.py, is a way to group together information that can be abstracted away from modules. Typically this is data such as strings that a module's validation should check for, or directories to search during a given check. Keeping this data separate from the individual module code makes it easier for people who do not maintain the code to contribute to it.
Since the config dictionary is accessed via a static method, you do not need to instantiate the Config object in order to use it. To add a new value to the config dictionary, simply add an entry in the class.
