Protecting Mac OS X systems is a hot topic these days. Their prevalence in enterprise environments has been on the rise over the past decade, and the question of how to secure them remains a mystery to many. This post will discuss new methods for securing Mac OS X.
The internal security teams at Etsy, Facebook and GitHub recently released an interesting project: Mac OS X Intrusion Detection & Analysis System (MIDAS). MIDAS is an open source HIDS designed around the Mac OS X operating system. It is still in its infancy, having been published only a few months ago. The code is up on GitHub under an open source license. As you may know, we love open source projects at AlienVault, so we are very excited about this. Very few alternatives exist for OS X in either the open or closed source markets.
MIDAS is implemented as a collection of ‘modules', and the authors provide a few elementary modules that serve as examples for how to write your own:
- Property Lists (.plist files)
- Kernel Extensions
In addition to these full modules, they provide helper functions to make building your own modules easier. Some helpers include:
- List (weak) ssh keys
- Return SSID of currently connected network
- List DNS configuration information
- list all LaunchAgents and LaunchDaemons
MIDAS writes its results to a directory of log files:
MIDAS has a built-in custom Object Relational Mapping (called Trip Yarn ORM, or TyORM), and results fall into three categories: new, changed, and removed. Examples of each result type are shown below, respectively:
MIDAS doesn't have any centralized collection and there is no concept of an ‘alarm', so it expects you to do that in your environment. While MIDAS would probably work fine with any SIEM, AlienVault's OSSIM is the only open source SIEM and is therefore an ideal candidate for MIDAS integration. Integrating MIDAS with AlienVault products is simple. Let's take a look:
First you will need an OS X machine with MIDAS on it. Our fork of MIDAS comes with everything you need for the integration. Our repository also contains some additional detection metrics including a module to watch user creation and removal, to detect payloads that add or remove user accounts. Grab the MIDAS source code from our repository and put it on a Mac. Our repository is here.
To configure MIDAS on the OS X endpoint:
- Install the netsyslog package for Python. This is how the logs will be sent to USM.
- Add the IP of your USM instance to the MIDAS configuration in /midas/modules/lib/config.py: config['alienvault_instance'] = '1.2.3.4'
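To make the three MIDAS result types and the syslog hand-off to USM concrete, here is an added example (not MIDAS's own code): a generic snapshot diff that classifies results as new, changed or removed, formats each as a syslog line, and ships it to the address from config['alienvault_instance']. The JSON field names, the use of the stdlib SysLogHandler instead of the netsyslog package, and the plist inventory below are all assumptions constructed for this example.

```python
import json
import logging
import logging.handlers
from datetime import datetime, timezone

def diff_snapshot(previous, current):
    """Classify every difference between two {key: value} snapshots into
    the three MIDAS result types: new, changed, removed."""
    results = []
    for key in sorted(set(previous) | set(current)):
        if key not in previous:
            results.append(("new", key, None, current[key]))
        elif key not in current:
            results.append(("removed", key, previous[key], None))
        elif previous[key] != current[key]:
            results.append(("changed", key, previous[key], current[key]))
    return results

def format_event(module, result):
    """Render one result as a single syslog-friendly line. The JSON field
    names are an assumption for this example, not MIDAS's own format."""
    result_type, key, old, new = result
    payload = {"module": module, "type": result_type, "key": key, "old": old,
               "new": new, "ts": datetime.now(timezone.utc).isoformat()}
    return "midas: " + json.dumps(payload, sort_keys=True)

def make_syslog_logger(alienvault_instance, port=514):
    """Logger that ships lines over UDP syslog to the USM instance named by
    config['alienvault_instance'] (stdlib SysLogHandler stands in for the
    netsyslog package the post installs)."""
    logger = logging.getLogger("midas")
    logger.setLevel(logging.INFO)
    if not logger.handlers:
        logger.addHandler(logging.handlers.SysLogHandler(
            address=(alienvault_instance, port)))
    return logger

# Constructed sample: LaunchDaemon plist inventory (path -> content hash)
# as recorded by the previous run and as collected by the current run.
PREVIOUS = {"/Library/LaunchDaemons/com.example.agent.plist": "hash-a1",
            "/Library/LaunchDaemons/com.example.legacy.plist": "hash-b2"}
CURRENT = {"/Library/LaunchDaemons/com.example.agent.plist": "hash-a9",
           "/Library/LaunchDaemons/com.example.added.plist": "hash-c3"}

if __name__ == "__main__":
    log = make_syslog_logger("1.2.3.4")  # placeholder IP used in the post
    for result in diff_snapshot(PREVIOUS, CURRENT):
        log.info(format_event("plists", result))
```

The same diff_snapshot function works for the user-account module in the fork (username -> uid snapshots), since it only depends on the key/value shape of the state being watched.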
Moving on to USM, we need to enable the MIDAS plugin. There are two files that USM needs from our MIDAS repository:
- alienvault_integration/midas.cfg
- alienvault_integration/midas.sql
Put these two files on your USM instance then you can copy the plugin (.cfg) file to the plugins directory:
Update the SQL table definitions:
Restart the server:
Next, in the web UI, enable the MIDAS plugin. Inside Configuration > Deployment, find your USM instance in the AlienVault center and click more info on the right:
Go to the Sensor Configuration tab:
Inside the Sensor Configuration, go to the deployment section, find MIDAS in the list, and click the +. Click 'Apply Changes' to enable MIDAS. If you don't see MIDAS in the list of available plugins, you may have forgotten to add the midas.cfg file to the plugins directory, or to run the ossim-db command above.
Now that the MIDAS plugin is enabled, we can test it by sending some example log messages to syslog and confirming their presence in the SIEM. For this we have provided an example MIDAS log in the repository:
You can send these example events to the USM syslog by issuing the following command:
You should now see these events in the SIEM events:
If you examine an event in detail, you can confirm the plugin is correctly parsing the log messages. Here we see that a new plist was discovered on 10.0.1.90:
We now have events flowing from the OS X machine to USM. MIDAS is not a daemon or agent so it needs to be invoked in order to run. You can execute MIDAS by running
This will create the database file, midas_hids.sqlite, in the working directory on first run. Now when you run MIDAS, rather than the valuable data it generates sitting in a log file on one of your endpoints, the data goes straight to USM, where we can leverage other data sources and types of analysis for an enhanced security posture.
Stay tuned for a follow-up on running MIDAS as a scheduled task (launchctl), detecting malware with MIDAS and USM, and correlation directives.