Distributed & real time digital forensics at the speed of the cloud
Перейти к файлу
Zack Mullaly 4a53c96bd7
removed tests for code we wont be using
2018-11-06 15:20:35 -05:00
actions [minor] remove upgrade module and additional references to module 2016-12-21 15:08:49 -06:00
aws Cloudtrail stack for creating an IAM user with a managed policy that we can safely use to let Travis push to S3. Courtesy of Andrew Krug 2018-08-27 12:27:21 -04:00
client Merge branch 'master' into remove-mig-ninja 2018-07-18 16:51:53 -07:00
conf loader: load configuration from external configuration file 2017-09-12 09:56:55 -05:00
database Establish a relationship between actions and the agents targeted by them when actions are inserted into postgres 2018-10-31 16:20:32 -04:00
doc Instead of passing in a queue name to retrieve actions, the API will accept the agent's ID 2018-10-31 12:07:03 -04:00
mig-agent Verify that heartbeat messages contain sensible data and that agents are authorized to upload heartbeats before saving them 2018-10-09 17:24:32 -04:00
mig-api Removing code we won't be using 2018-11-06 15:20:09 -05:00
mig-loader Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
mig-runner Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
mig-scheduler Removed functionality for monitoring heartbeats from the scheduler 2018-11-06 15:19:27 -05:00
modulepack Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
modules Removed unused variable 2018-10-04 13:11:50 -04:00
pgp Fixing some errors raised by tests 2018-07-26 15:17:47 -04:00
releases Use consistent whitespacing 2018-08-22 16:02:01 -04:00
runner-plugins Added a comment to describe the new UseProxy field for consistency 2018-10-19 10:54:51 -07:00
service Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
testing removed tests for code we wont be using 2018-11-06 15:20:35 -05:00
testutil Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
tools Do some error handling to make sure we read the git log okay 2018-08-22 16:32:09 -04:00
vendor vendor aws-sdk-go 2017-09-20 15:31:11 -05:00
.gitignore update gitignore, no need to explicitly ignore cfg files 2017-10-15 22:30:20 -05:00
.travis.yml New encrypted secret for deploying to S3 using the new user we created with our cloudtrail stack 2018-08-27 12:44:46 -04:00
AUTHORS [doc] add Rob Murtha to AUTHORS file 2016-12-22 15:52:26 -06:00
CONTRIBUTING.md update CONTRIBUTING.md, remove requirement to tag commits 2017-07-12 09:43:39 -05:00
Dockerfile Update scripts and docs to point to github.com/mozilla/mig 2018-07-11 10:23:51 -07:00
LICENSE [medium] Makefile support 2014-02-03 10:42:36 -05:00
Makefile Update Makefile to have it compile the renamed config tool 2018-08-25 14:21:09 -04:00
README.md Update scripts and docs to point to github.com/mozilla/mig 2018-07-11 10:23:51 -07:00
acl.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
acl_test.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
action.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
action_test.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
agent.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
command.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
constants.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
investigator.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
loader.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
logging_posix.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
logging_windows.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
manifest.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
misc.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
runner.go Update import statements to point to github.com/mozilla/mig/ 2018-07-11 10:11:22 -07:00
version.go Update occurrences outside of import statement 2018-07-11 10:14:54 -07:00

README.md

MIG: Mozilla InvestiGator

Build Status

MIG is Mozilla's platform for investigative surgery of remote endpoints.

Quick Start w/ Docker

You can spin up a local-only MIG setup using docker. The container is not suitable for production use but lets you experiment with MIG quickly, providing a single container environment that has most of the MIG components available.

To pull from Docker Hub:

$ docker pull mozilla/mig
$ docker run -it mozilla/mig

Or, if you have the source checked out in your GOPATH you can build your own image:

$ cd $GOPATH/src/github.com/mozilla/mig
$ docker build -t mozilla/mig:latest .
$ docker run -it mozilla/mig

Once inside the container, you can use the MIG tools to query a local agent, as such:

mig@5345268590c8:~$ /go/bin/mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f
1 agents will be targeted. ctrl+c to cancel. launching in 5 4 3 2 1 GO
Following action ID 7978299359234.
 1 / 1 [=========================================================] 100.00% 0/s4s
100.0% done in 3.029105958s
1 sent, 1 done, 1 succeeded
ed11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] in search 's1'
1 agent has found results

To explore the capabilities of MIG, take a look at the CheatSheet.

What is this?

MIG is composed of agents installed on all systems of an infrastructure that are be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.

Capability Linux MacOS Windows
file inspection check check check
network inspection check check (partial)
memory inspection check check check
vuln management check (planned) (planned)
log analysis (planned) (planned) (planned)
system auditing check (planned) (planned)

Imagine it is 7am on a saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise (IOCs). Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.

MIG can help. The signature of the vulnerable PHP app (the md5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files with md5 and sha1/2/3 hashes, IP addresses from botnets or byte strings in processes memories can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few commands, thousands of systems will be remotely investigated to verify that you're not at risk.

MIG command line demo

MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.

MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a Postgresql database and on disk cache, such that the reliability of the platform doesn't depend on long-running processes.

Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.

Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.

Technology

MIG is built in Go and uses a REST API that receives signed JSON messages distributed to agents via RabbitMQ and stored in a Postgres database.

It is:

  • Massively Distributed means Fast.
  • Simple to deploy and Cross-Platform.
  • Secured using OpenPGP.
  • Respectful of privacy by never retrieving raw data from endpoints.

Check out this 10 minutes video for a more general presentation and a demo of the console interface.

MIG youtube video

MIG was recently presented at the SANS DFIR Summit in Austin, Tx. You can watch the recording below:

MIG @ DFIR Summit 2015

Discussion

Join #mig on irc.mozilla.org (use a web client such as mibbit).

Documentation

All documentation is available in the 'doc' directory and on http://mig.mozilla.org .