
Doorman: an osquery fleet manager - dguido
https://github.com/mwielgoszewski/doorman
======
marcinw
(I am one of the developers of Doorman). Some background, from osquery's site:
"osquery allows you to easily ask questions about your Linux, Windows, and OS
X infrastructure. Whether your goal is intrusion detection, infrastructure
reliability, or compliance, osquery gives you the ability to empower and
inform a broad set of organizations within your company."

I wrote Doorman as a way of utilizing osquery's TLS remoting endpoints,
allowing me to dynamically configure an endpoint with custom queries, as well
as run ad-hoc queries. We use osquery and Doorman at my company to gain
visibility into our laptops in a manner many remote-control-based applications
don't provide. Besides gaining remote administration functionality to osquery,
we developed Doorman with a security-first attitude. We favor tools like
osquery that don't expose remote command and control capabilities over tools
like Chef or Puppet that concentrate super powers in the hands of a few
people.

One of the stronger points of Doorman is its built-in rules and alerting
engine. It is one of the few security tools that I honestly can say I "set and
forget" with respect to the rules we write. Want to know every time someone
installs a new Chrome extension? All listening sockets on external interfaces,
and the process name and user/group it's owned by? New root certificate
authorities added to the keychain? Done, all thanks to osquery introspection
capabilities coupled with Doorman.
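The three alerts listed above, as an added illustration of the kind of rule engine the comment describes (this is example code, not Doorman's own implementation). It assumes osquery's differential result-log format (one JSON object per row with "name", "hostIdentifier", "action" and "columns") and uses constructed query names and sample rows, with placeholder hashes.

```python
import json

# Constructed sample of osquery's differential result log (assumed format:
# one JSON object per scheduled-query row, "action" is "added" or "removed").
SAMPLE_LOG = """
{"name": "pack/demo/chrome_extensions", "hostIdentifier": "laptop-01", "action": "added", "columns": {"username": "alice", "name": "Evil Helper", "identifier": "abcdef", "version": "1.0"}}
{"name": "pack/demo/listening_ports", "hostIdentifier": "laptop-01", "action": "added", "columns": {"port": "8080", "address": "0.0.0.0", "protocol": "6", "name": "python3", "username": "alice"}}
{"name": "pack/demo/listening_ports", "hostIdentifier": "laptop-02", "action": "added", "columns": {"port": "631", "address": "127.0.0.1", "protocol": "6", "name": "cupsd", "username": "root"}}
{"name": "pack/demo/root_cas", "hostIdentifier": "laptop-02", "action": "added", "columns": {"common_name": "Corp MITM Root", "sha1": "PLACEHOLDER_SHA1"}}
{"name": "pack/demo/root_cas", "hostIdentifier": "laptop-02", "action": "removed", "columns": {"common_name": "Old Root", "sha1": "PLACEHOLDER_SHA1_2"}}
""".strip()

# A rule names the query it watches, the action that fires it, an optional
# predicate over the row's columns, and a message template.
RULES = [
    {"query": "pack/demo/chrome_extensions", "action": "added",
     "where": lambda c: True,
     "msg": "new Chrome extension {name} ({identifier}) for {username}"},
    {"query": "pack/demo/listening_ports", "action": "added",
     # Only sockets bound to something other than loopback are interesting.
     "where": lambda c: c["address"] not in ("127.0.0.1", "::1"),
     "msg": "{name} listening on {address}:{port} as {username}"},
    {"query": "pack/demo/root_cas", "action": "added",
     "where": lambda c: True,
     "msg": "new root CA '{common_name}' sha1={sha1}"},
]


def evaluate(log_text, rules=RULES):
    """Return (host, message) alerts for every log row that matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        cols = row.get("columns", {})
        for rule in rules:
            if row.get("name") != rule["query"] or row.get("action") != rule["action"]:
                continue
            if rule["where"](cols):
                alerts.append((row["hostIdentifier"], rule["msg"].format(**cols)))
    return alerts


if __name__ == "__main__":
    for host, msg in evaluate(SAMPLE_LOG):
        print(f"[{host}] {msg}")
```

Only "added" rows fire, so the removed certificate and the loopback-only cupsd socket produce no alert.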

