Assets
======

Zercurity keeps track of all of the assets within your company.

Table view
----------

.. image:: _static/assets.png

* **Status** An asset can have four defined states: **RED**, **ORANGE**, **GREEN** and **UNKNOWN**. You can hover over the asset's status icon to get a description of why its current state has been assigned.

  * **RED** The asset hasn't been heard from in some time, or its whitelist and blacklist definitions are very out of date. Alternatively, the asset has been misconfigured, malware has been detected on it, or it has made connections to known-bad domains/IPs.
  * **ORANGE** The asset's whitelist and blacklist definitions are more than 48 hours out of date, or the asset has a bad configuration, meaning that it is no longer compliant.
  * **GREEN** Everything is OK.
  * **UNKNOWN** This asset is newly provisioned and is awaiting a status check.

* **Asset Type** Whether the device is a **LAPTOP**, **DESKTOP**, **VM** or **SERVER**.
* **Name/Hostname** The name given to an asset. You can change this at any time. By default, the asset's serial number is used. The asset's hostname is also shown.
* **Team** The team that this asset is a part of.
* **Serial/UUID** The serial number of the asset as defined by the manufacturer. The UUID is generated at install time by Zercurity: it will use the system's UUID if one is provided, otherwise the primary disk's UUID, or lastly a randomly generated UUID.
* **Last checkin** The date and time the asset last checked in, i.e. the last time the asset called home.
* **Definitions** The date and time that the asset last downloaded the whitelist and blacklist definitions.

Asset view
----------

This is Zercurity's asset view. It gives you an overview of a deployed asset. At the top of the page there are three sections dedicated to information about the system's hardware and software configuration, including its IP address and location.
.. image:: _static/asset.png

Below are subsections detailing each aspect of the asset. These include:

* :ref:`processes`
* :ref:`applications`
* :ref:`packages`
* :ref:`networking`
* :ref:`hard-drives`
* :ref:`usb`
* :ref:`locations`

.. _processes:

Asset processes
---------------

This view shows you a history of all of the processes that have been executed on an asset.

.. image:: _static/asset_processes.png

* **PID** This column contains a few bits of information:

  * **Status Icon** Shows the current state of the running process.
  * **Process Id** Shows the process id.
  * **Parent process** Shows the parent process and its corresponding process id.

* **Name** The process's name and risk score.
* **User** The user that the process is running under, including the :doc:`/users` user id (UID).
* **Decision** When a process is executed it is run through the Zercurity whitelist and blacklist engine. A decision is then made as to whether the process can run or not.

  * **ALLOW** Process was executed.
  * **ALLOW_UNKNOWN** Process was executed but wasn't found within a user-defined whitelist.
  * **BLOCKED** Process was blocked from executing and the user was notified.
  * **BLOCKED_SILENT** Process was blocked from executing and the user was not notified.

* **Launched** The date and time the process was executed.

.. _applications:

Asset applications
------------------

Shows you a view of all of the installed applications.

.. image:: _static/asset_applications.png

* **Risk** The application's risk score. Represented by a **red**, **orange**, **green** or **grey** icon of the application's platform.

  * **Red** Caution. The application is known to be malicious and will have been blocked from running. However, administrators should investigate the incident.
  * **Orange** Warning. The application is untrusted or suspicious. This could mean the application is malicious and, depending on your configuration, it may have been executed as a result.
    You will need to check which assets this application has been installed on.
  * **Green** Approved. This is a known good and trusted application, which has been allowed to run on an asset.
  * **Grey** Unknown. This application's status is unknown. It will be in the process of being checked.

* **Name** The application name.
* **Version** The version of the application.
* **Installed** The date and time when the application was installed.
* **Uninstalled** The date and time when the application was uninstalled.

.. _packages:

Asset packages
--------------

Shows you all of the packages that have been installed and removed on a given asset.

.. image:: _static/asset_packages.png

* **Risk** The package's risk score. Represented by a **red**, **orange**, **green** or **grey** icon of a box. If there is no icon, the package has been removed and no longer poses a risk.

  * **Red** Critical. The package is either known to be malicious or has a critical vulnerability assigned to it. This needs to be fixed as a matter of urgency.
  * **Orange** Warning. The package is either untrusted or suspicious, or has a medium to high severity vulnerability assigned to it. This will need to be addressed as soon as possible. The package may also be outdated and need updating.
  * **Green** Approved. This is a known good and trusted package, which has no known vulnerabilities assigned to it and is in good health.
  * **Grey** Unknown. This package's status is unknown. It will be in the process of being checked.

* **Name** The package name.
* **Version** The version of the package.
* **Installed** The date and time when the package was installed.
* **Uninstalled** The date and time when the package was uninstalled.

.. _networking:

Asset networking
----------------

Shows you all of the network interfaces that are attached to the asset. This is only a snapshot and not historical.
.. image:: _static/asset_networking.png

* **Interface** The interface identifier.
* **Type** The interface type. Lets you know whether the interface is **virtual**, **wired**, **wireless** etc.
* **Address** Both the physical address (MAC address) and the logical address (IP address) of the network interface.
* **Bandwidth** The amount of traffic in and out of the interface.
* **Broadcast** The broadcast address for the interface.

.. _hard-drives:

Asset hard drives
-----------------

Shows you all of the currently mounted hard drives attached to the asset. This will include both internal and external hard drives and removable media. This is only a snapshot and not historical.

.. image:: _static/asset_hard_drives.png

* **Name** The mounted partition and its corresponding name.
* **Type** The device type. Lets you know whether the device is physical PCI, USB etc.
* **Device** The name of the device and its serial number.
* **Size** The size of the provisioned partition.
* **Encrypted** Displays whether the drive is encrypted and, if so, the method by which the partition is encrypted.

.. _usb:

Asset usb devices
-----------------

Zercurity provides you a historical view of every removable device that has been attached to each one of your assets.

.. image:: _static/asset_usb_devices.png

* **Device Type** An icon of the type of removable media device. Zercurity uses the device's base class to determine the device type, and also uses the device's name to help determine it.
* **Device/Serial** The name of the device and its serial number.
* **Removable** Whether the device is removable or not.
* **Address** The device's port address.
* **Action** Whether the device was **ADDED** to or **REMOVED** from the asset.
* **Timestamp** The date and time of the **ADDED** or **REMOVED** event.
.. _locations:

Asset locations
---------------

Zercurity is able to track the location of a device using the surrounding Wi-Fi access points, collected with osquery's ``wifi_survey`` table and resolved using Google's Maps Geolocation API. This feature is useful for cross-referencing web logins to applications that use SSO against where the asset actually was. Zercurity displays location information using Google Maps and records a complete history of each asset's locations.

.. image:: _static/asset_locations.png
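The following is an added example, not Zercurity's own code, of the Wi-Fi positioning pipeline described above and of the SSO cross-reference it enables. It assumes the osquery ``wifi_survey`` columns ``bssid``, ``rssi``, ``noise`` and ``channel`` (returned as strings, as ``osqueryi --json`` emits them), the Geolocation API's documented ``wifiAccessPoints`` request body and ``location``/``accuracy`` response fields, and an injected ``post`` callable in place of a real HTTP client so that it runs offline. The survey rows, the SSO login position and the 50 km tolerance are constructed for the example.

```python
"""Wi-Fi positioning from osquery wifi_survey rows (added example, not Zercurity code)."""
import math
import re
from typing import Callable, Optional

# The osquery query an agent would run to collect the survey.
WIFI_SURVEY_SQL = "SELECT bssid, rssi, noise, channel FROM wifi_survey;"
GEOLOCATE_URL = "https://www.googleapis.com/geolocation/v1/geolocate"
_BSSID_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample rows, shaped like ``osqueryi --json`` output.
SAMPLE_SURVEY = [
    {"bssid": "a0:b1:c2:d3:e4:f5", "rssi": "-51", "noise": "-93", "channel": "6"},
    {"bssid": "A0:B1:C2:D3:E4:F6", "rssi": "-67", "noise": "-94", "channel": "11"},
    {"bssid": "", "rssi": "-80", "noise": "-95", "channel": "1"},  # no BSSID: unusable
    {"bssid": "00:11:22:33:44:55", "rssi": "", "noise": "-95", "channel": "36"},  # no RSSI
    {"bssid": "a0:b1:c2:d3:e4:f5", "rssi": "-52", "noise": "-93", "channel": "6"},  # repeat
]


def _int_or_none(value) -> Optional[int]:
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def build_request(rows) -> Optional[dict]:
    """Turn survey rows into a Geolocation API body, or None if too few APs.

    Rows without a valid BSSID or RSSI are dropped, MACs are lower-cased, and a
    BSSID seen twice keeps its strongest reading. The API needs at least two
    access points to position by Wi-Fi, so fewer than two yields None rather
    than a request that would quietly fall back to the caller's IP address.
    """
    aps = {}
    for row in rows:
        mac = (row.get("bssid") or "").strip().lower()
        rssi = _int_or_none(row.get("rssi"))
        if not _BSSID_RE.match(mac) or rssi is None:
            continue
        ap = {"macAddress": mac, "signalStrength": rssi}  # dBm
        noise = _int_or_none(row.get("noise"))
        chan = _int_or_none(row.get("channel"))
        if noise is not None:
            ap["signalToNoiseRatio"] = rssi - noise  # dB
        if chan is not None:
            ap["channel"] = chan
        if mac not in aps or rssi > aps[mac]["signalStrength"]:
            aps[mac] = ap
    if len(aps) < 2:
        return None
    # considerIp=False: the POST is made from the server, not the asset, so an
    # IP fallback would geolocate the server instead of the laptop.
    return {"considerIp": False, "wifiAccessPoints": list(aps.values())}


def parse_response(body: dict):
    """Return (lat, lng, accuracy_metres) from a Geolocation API response."""
    loc = body["location"]
    return float(loc["lat"]), float(loc["lng"]), float(body["accuracy"])


def geolocate(rows, api_key: str, post: Callable[[str, dict], dict]):
    """Resolve a survey to a position via an injected ``post(url, body)``.

    The HTTP call and API key are injected so this runs offline and so the key
    stays server-side: shipping it inside the agent lets anyone with a copy of
    the binary spend, and read, your geolocation quota.
    """
    body = build_request(rows)
    if body is None:
        return None
    return parse_response(post(f"{GEOLOCATE_URL}?key={api_key}", body))


def distance_km(lat1, lng1, lat2, lng2) -> float:
    """Great-circle (haversine) distance between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lng2 - lng1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def sso_login_is_plausible(asset_pos, asset_accuracy_m, login_pos, max_km=50.0) -> bool:
    """Cross-reference an SSO login's geo-IP position with the asset's Wi-Fi fix.

    The fix's own accuracy radius is added to the tolerance before concluding
    that the login came from somewhere the asset was not.
    """
    d = distance_km(asset_pos[0], asset_pos[1], login_pos[0], login_pos[1])
    return d <= max_km + asset_accuracy_m / 1000.0
```

``build_request`` refusing to emit a one-access-point request is deliberate: with ``considerIp`` left at its default a degenerate survey would still return a position, but it would be the position of whichever host made the call, which is exactly the kind of silently wrong location that makes an SSO cross-check useless.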
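To make the four **Decision** values listed under Asset processes concrete, here is an added example of a whitelist/blacklist decision function; it is a model, not Zercurity's engine. This page does not say what key Zercurity matches on, so the example assumes the lists hold SHA-256 digests of the executable, and it assumes a per-asset ``notify_user`` setting chooses between **BLOCKED** and **BLOCKED_SILENT**. The binaries and launch events are constructed stand-ins.

```python
"""Whitelist/blacklist decision model (added example, not Zercurity's engine)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Decision(Enum):
    ALLOW = "ALLOW"                    # matched the whitelist
    ALLOW_UNKNOWN = "ALLOW_UNKNOWN"    # matched neither list; ran, but flagged
    BLOCKED = "BLOCKED"                # matched the blacklist, user notified
    BLOCKED_SILENT = "BLOCKED_SILENT"  # matched the blacklist, user not notified


@dataclass
class Policy:
    whitelist: Set[str] = field(default_factory=set)  # assumed: SHA-256 digests
    blacklist: Set[str] = field(default_factory=set)  # assumed: SHA-256 digests
    notify_user: bool = True  # assumed per-asset setting


def digest(executable: bytes) -> str:
    return hashlib.sha256(executable).hexdigest()


def decide(executable: bytes, policy: Policy) -> Decision:
    """Apply the lists in a fixed order: blacklist first, then whitelist.

    Checking the blacklist first matters: a digest that has ended up on both
    lists must still be blocked. Anything matching neither list is
    ALLOW_UNKNOWN, which is why a new or rebuilt binary shows up as unknown
    until someone whitelists it.
    """
    h = digest(executable)
    if h in policy.blacklist:
        return Decision.BLOCKED if policy.notify_user else Decision.BLOCKED_SILENT
    if h in policy.whitelist:
        return Decision.ALLOW
    return Decision.ALLOW_UNKNOWN


def review_unknowns(launches: List[dict], policy: Policy) -> Dict[str, dict]:
    """Replay launch events and collect everything that ran as ALLOW_UNKNOWN.

    Each event is ``{"name", "user", "executable"}`` (a constructed shape). The
    result maps digest -> {name, users, count}: the triage list an admin works
    through before promoting digests into ``policy.whitelist``.
    """
    unknown: Dict[str, dict] = {}
    for ev in launches:
        if decide(ev["executable"], policy) is not Decision.ALLOW_UNKNOWN:
            continue
        h = digest(ev["executable"])
        entry = unknown.setdefault(h, {"name": ev["name"], "users": set(), "count": 0})
        entry["users"].add(ev["user"])
        entry["count"] += 1
    return unknown


# Constructed byte strings standing in for real executables.
GOOD = b"\x7fELF good-build-v1"
BAD = b"\x7fELF known-malware"
NEW = b"\x7fELF nightly-build"

POLICY = Policy(whitelist={digest(GOOD)}, blacklist={digest(BAD)})

SAMPLE_LAUNCHES = [
    {"name": "sshd", "user": "root", "executable": GOOD},
    {"name": "nightly", "user": "alice", "executable": NEW},
    {"name": "nightly", "user": "bob", "executable": NEW},
    {"name": "update.exe", "user": "alice", "executable": BAD},
]

if __name__ == "__main__":
    for ev in SAMPLE_LAUNCHES:
        print(ev["name"], ev["user"], decide(ev["executable"], POLICY).value)
    print(review_unknowns(SAMPLE_LAUNCHES, POLICY))
```

The ordering in ``decide`` is the part worth carrying over to any real allow/deny engine: whitelist-before-blacklist would let a single over-broad whitelist entry override a malware detection, whereas blacklist-first makes a detection authoritative regardless of what else has been approved.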