Distributed & real time digital forensics at the speed of the cloud
Перейти к файлу
Guillaume Destuynder 524e3f218a [minor] Update cipher ordering
Should match mozilla/server-side-tls#69
2015-06-02 15:04:55 -07:00
actions [doc] fix target in demo shellshock action 2015-05-28 11:40:11 -04:00
conf [minor] various fixes to build server packages 2015-05-14 10:21:43 -04:00
doc [doc] Clarify module interfaces 2015-05-12 14:52:17 -04:00
src/mig [minor] Update cipher ordering 2015-06-02 15:04:55 -07:00
tools [minor] various fixes to build server packages 2015-05-14 10:21:43 -04:00
.gitignore [medium] Windows MSI packaging of the agent 2014-12-28 13:41:23 -05:00
.travis.yml [doc] fix travis build instructions 2015-03-17 11:43:09 -04:00
AUTHORS [doc] add missing AUTHORS file 2014-02-03 10:44:32 -05:00
LICENSE [medium] Makefile support 2014-02-03 10:42:36 -05:00
Makefile Merge branch 'master' of github.com:mozilla/mig 2015-05-28 11:40:57 -04:00
README.md [doc] README update 2015-04-24 12:42:23 -04:00
inotify_make.sh [doc] inotify update to compile client 2014-11-06 23:14:14 -05:00

README.md

MIG: Mozilla InvestiGator

Note: MIG is under heavy development. The code is stable and used in production, but changes may be backward incompatible. Be warned.

Build Status

MIG is OpSec's platform for investigative surgery of remote endpoints.

MIG is composed of agents installed on all systems of an infrastructure that are be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.

Capability Linux MacOS Windows
file inspection check check check
network inspection check check (partial)
memory inspection check check check
vuln management check (planned) (planned)
system auditing (planned) (planned) (planned)

Imagine that it's 7am on a saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise. Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.

MIG can help. The signature of the vulnerable PHP app (an md5 of a file, a regex on file, or just a filename) can be searches for across all your systems using the file module. Similarly, indicators of compromise such as specific log entries, backdoor files with {md5,sha{1,256,512,3-{256,512}}} hashes, IP addresses from botnets or signature in processes memories can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few command lines, thousands of systems will be remotely investigated to verify that you're not at risk.

MIG command line demo

MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.

MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a Postgresql database and on disk cache, such that the reliability of the platform doesn't depend on long-running processes.

Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.

Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.

Discussion

Join #mig on irc.mozilla.org

Video presentation

Check out this 10 minutes video for a more general presentation and a demo of the console interface.

MIG youtube video

Documentation

All documentation is available in the 'doc' directory and on http://mig.mozilla.org .

Bug & Issue tracker

We use Bugzilla to track the work on MIG.