PolyLogyx Endpoint Security Platform (ESP) - Community Edition
PolyLogyx ESP leverages the Osquery tool, with the PolyLogyx Extension, to provide endpoint visibility and monitoring at scale. For details of the architecture of the full platform, please read the platform docs. This repository provides the community release of the platform, which focuses on Osquery-based agent management to provide visibility into endpoint activities, query configuration management, a live query interface and alerting capabilities based on security-critical events.
- git client software
- Internet connectivity
- Ports 5000 and 9000 must be available and reachable through the firewall
- Docker (18.03.1-CE or above) and docker-compose (1.21.1 or above)
Build and deploy
After you install Docker and Docker Compose, you can install the PolyLogyx server. Please ensure that the following commands are executed from a root/administrator privileged terminal.
Clone this repository.
```
~/Downloads$ git clone https://github.com/polylogyx/plgx-esp.git
Cloning into 'plgx-esp'...
```
Switch to the folder where the repository is cloned.
```
~/Downloads$ cd plgx-esp/
```
Run the certificate-generate.sh script to generate certificates for osquery.
```
~/Downloads/plgx-esp$ sh ./certificate-generate.sh <IP address>
Generating a 2048 bit RSA private key
.........................................................................................+++
.........................+++
writing new private key to 'nginx/private.key'
```
In the syntax, <IP address> is the IP address of the system that will host the PolyLogyx server. This generates the certificate for osquery (used for provisioning clients) and places it in the nginx folder.
Modify and save the .env file.
1. Edit the following configuration parameters in the file. In the syntax, replace the values in angle brackets with the required values.
```
ENROLL_SECRET=<secret value>
POLYLOGYX_USER=<user login name>
POLYLOGYX_PASSWORD=<login password>
RSYSLOG_FORWARDING=true
VT_API_KEY=<VirusTotal Api Key>
IBMxForceKey=<IBMxForce Key>
IBMxForcePass=<IBMxForce Pass>
PURGE_DATA_DURATION=<number of days>
THREAT_INTEL_LOOKUP_FREQUENCY=<number of minutes>
```
| Parameter | Description |
|---|---|
| ENROLL_SECRET | Specifies the enrollment shared secret that is used for authentication. |
| POLYLOGYX_USER | Refers to the user login name for the PolyLogyx server. |
| POLYLOGYX_PASSWORD | Indicates the password for the PolyLogyx server user. |
| RSYSLOG_FORWARDING | Set to true to enable forwarding of osquery and PolyLogyx logs to the syslog receiver by using rsyslog. |
| VT_API_KEY | Represents the VirusTotal API key. |
| IBMxForceKey | Represents the IBMxForce key. |
| IBMxForcePass | Specifies the IBMxForce pass. |
| PURGE_DATA_DURATION | Specifies the frequency (in number of days) for purging the data. |
| THREAT_INTEL_LOOKUP_FREQUENCY | Specifies the frequency (in minutes) for fetching threat intelligence data. |
2. Save the file.
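The enrollment secret and the server credentials in the .env file are the values every endpoint and operator authenticates with, so a placeholder left in angle brackets or a short secret is worth catching before the containers start. The following POSIX sh script is an added example, not part of the PolyLogyx repository: it assumes the .env file holds plain KEY=value lines exactly as listed above, checks the keys from the table, and can also print a freshly generated random ENROLL_SECRET. The length floors (16 characters for the secret, 12 for the password) are this example's own choice, not a PolyLogyx requirement.

```shell
#!/bin/sh
# Added example, not part of the PolyLogyx repository: pre-flight checks for
# the .env file described above, run before "docker-compose up".
# Assumption: the file holds plain KEY=value lines as shown in the README.

# Print the last value assigned to $1 in env file $2 (empty if unset).
env_get() {
    sed -n "s/^$1=//p" "$2" | tr -d '\r' | tail -n 1
}

# True (0) when a value is empty or still an unreplaced <placeholder>.
is_placeholder() {
    case "$1" in
        ""|"<"*">") return 0 ;;
        *) return 1 ;;
    esac
}

# Print a random 32-byte enrollment secret as 64 hex characters.
gen_enroll_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Validate env file $1. Prints one line per problem found and returns the
# number of problems, so a return value of 0 means the file is ready.
check_env_file() {
    file="$1"
    problems=0

    # The three values a deployment cannot run without.
    for key in ENROLL_SECRET POLYLOGYX_USER POLYLOGYX_PASSWORD; do
        if is_placeholder "$(env_get "$key" "$file")"; then
            echo "$key: empty or placeholder value"
            problems=$((problems + 1))
        fi
    done

    # Length floors for the two credentials (placeholders were reported above).
    secret=$(env_get ENROLL_SECRET "$file")
    if ! is_placeholder "$secret" && [ ${#secret} -lt 16 ]; then
        echo "ENROLL_SECRET: shorter than 16 characters"
        problems=$((problems + 1))
    fi
    pw=$(env_get POLYLOGYX_PASSWORD "$file")
    if ! is_placeholder "$pw" && [ ${#pw} -lt 12 ]; then
        echo "POLYLOGYX_PASSWORD: shorter than 12 characters"
        problems=$((problems + 1))
    fi

    # RSYSLOG_FORWARDING, when present, must be literally true or false.
    fw=$(env_get RSYSLOG_FORWARDING "$file")
    case "$fw" in
        ""|true|false) ;;
        *) echo "RSYSLOG_FORWARDING: expected true or false, got '$fw'"
           problems=$((problems + 1)) ;;
    esac

    # Durations, when present, must be plain positive integers.
    for key in PURGE_DATA_DURATION THREAT_INTEL_LOOKUP_FREQUENCY; do
        val=$(env_get "$key" "$file")
        case "$val" in
            *[!0-9]*|0) echo "$key: expected a positive integer, got '$val'"
                        problems=$((problems + 1)) ;;
        esac
    done

    return "$problems"
}

# Usage: sh check_env.sh /path/to/.env
#        sh check_env.sh --new-secret    (prints a random ENROLL_SECRET)
if [ "${1:-}" = "--new-secret" ]; then
    gen_enroll_secret; echo
elif [ -n "${1:-}" ]; then
    check_env_file "$1"
fi
```

Run it against the edited .env before starting Docker Compose; a non-zero exit status lists exactly which keys still need attention.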
Run the following command to start Docker compose.
```
docker-compose -p 'plgx-esp' up -d
```
Typically, this takes approximately 10-15 minutes. The following lines appear on the screen when Docker starts:
```
Starting plgx-esp_postgres_1 ... done
Starting plgx-esp_plgx-esp_1 ... done
Attaching to plgx-esp_rabbit1_1, plgx-esp_postgres_1, plgx-esp_plgx-esp_1
.
.
.
Server is up and running
```
Log on to the server using the following URL with the latest version of the Chrome or Firefox browser.
In the syntax, <IP address> is the IP address of the system on which the PolyLogyx server is hosted. This is the IP address you specified in step 3 (the certificate-generate.sh step).
Ignore the SSL warning, if any.
Log on to the server using the credentials (POLYLOGYX_USER and POLYLOGYX_PASSWORD) that you set in the .env file at step 5a.
Provision the clients. For more information, see Provisioning the PolyLogyx Client for Endpoints.
Uninstalling the Server
To uninstall the PolyLogyx server, run the following command to clean-up existing Docker images and containers.
```
~/Downloads$ sh ./docker-cleanup.sh
```
Note: This removes all Docker images and containers on the host, not only the PolyLogyx ones.
Uninstalling the Agent
The agent can be uninstalled from the endpoints by following the instructions here. If for any reason these instructions do not work, a brute-force clean-up can be performed on Windows systems using the agent_cleanup.bat file provided as part of this repository. Download the batch file to the target system and invoke it from an administrator-privileged command prompt.
PolyLogyx ESP Components
- plgx-esp - Manages requests coming from endpoints
- plgx-esp-ui - Management server for taking actions and modifying properties of an endpoint
PolyLogyx ESP leverages osquery's TLS configuration, logger, and distributed read/write endpoints and provides a basic set of default configurations to simplify Osquery deployment. The platform also provides a Client Provisioning Tool (CPT) that wraps the agent installation in a thin installer. The CPT can be downloaded from the main page of the server UI, which also gives the instructions for running the CPT on an individual endpoint. For mass deployment, a centralized system such as SCCM can be used.
Osquery is a cross-platform agent that supports 64-bit variants of Windows (7 and above), macOS and all the popular Linux distributions (Ubuntu, CentOS, RedHat etc.). PolyLogyx ESP's agent is built upon Osquery, and therefore the supported endpoints are those supported by Osquery.
PolyLogyx ESP API SDK
PolyLogyx ESP can be interacted with programmatically using its extensive REST API interface. This allows multiple use cases such as Incident Response, Threat Hunting, Compromise Assessment and Compliance checks to be easily served by the platform. It also provides an easy path for integration with SOAR platforms.
Integration with Big Data/Analytic systems
PolyLogyx ESP is packaged with an rsyslog container. This container can be configured to stream the query results and other logs from the endpoint population to back-end systems such as Splunk, ELK and GrayLog for cross-product correlation, alert enrichment and other SIEM-related use cases.
To configure rsyslog forwarding, modify rsyslogd.conf and specify the destination address of the server accepting logs in syslog format. In the absence of a destination address, the container may not come up. It can be configured at a later point, although the container will then have to be started manually.
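Because the container may not come up without a destination address, it is worth checking the edited rsyslogd.conf before starting it. The following POSIX sh script is an added example, not part of the PolyLogyx repository: it extracts the forwarding destinations from a config file, recognising both the RainerScript `action(type="omfwd" target="...")` form and the legacy `*.* @@host:port` form, and rejects a file that names no destination or still carries the angle-bracket placeholder. The hostnames and file names in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the PolyLogyx repository: verify that an
# rsyslogd.conf actually names a forwarding destination before starting the
# rsyslog container. Hostnames in comments below are constructed samples.

# Print every forwarding destination found in config file $1, one per line.
# Two rule forms are recognised, and comment lines are skipped:
#   *.* action(type="omfwd" target="siem.example.internal" port="514" protocol="tcp")
#   *.* @@siem.example.internal:514        (legacy form: @@ = TCP, @ = UDP)
rsyslog_forward_targets() {
    grep -v '^[[:space:]]*#' "$1" \
    | sed -n \
        -e '/type="omfwd"/s/.*target="\([^"]*\)".*/\1/p' \
        -e 's/^[^#]*[[:space:]]@@\{0,1\}\([^:[:space:];]*\).*/\1/p'
}

# Return 0 and print the destinations when config file $1 is usable, or
# return 1 with a diagnostic on stderr when no destination is set or the
# destination is still an unreplaced <placeholder>.
check_rsyslog_conf() {
    targets=$(rsyslog_forward_targets "$1")
    if [ -z "$targets" ]; then
        echo "$1: no forwarding destination configured" >&2
        return 1
    fi
    if printf '%s\n' "$targets" | grep -q '^<.*>$'; then
        echo "$1: forwarding destination is still a placeholder" >&2
        return 1
    fi
    printf '%s\n' "$targets"
    return 0
}

# Usage: sh check_rsyslog.sh rsyslogd.conf
if [ -n "${1:-}" ]; then
    check_rsyslog_conf "$1"
fi
```

A minimal TCP forwarding rule the check accepts is `*.* action(type="omfwd" target="siem.example.internal" port="514" protocol="tcp")`, where the target name is a constructed sample to be replaced with the address of the SIEM collector.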
PolyLogyx ESP - Community Edition License
Please read the LICENSE file for details on the license.