In this post, I’ll be going over the Host Profile dashboard inside of Tetration. It won’t be a long post, but it’ll show you some of the details one can glean from this dashboard.
Let’s pick up where we left off in the previous blog post, in the Application dashboard, and click on a host in the right-hand window.
This will take you to the Host Profile of that single host as one can see below.
This dashboard provides an inventory of this particular server. On the top, one will see the hostname, IP address, scope and annotations that this server has been tagged with.
On the top right side of the dashboard under Agent Profile, one can see the information about the agent installed on that endpoint including the agent software version, OS platform, when it was deployed, etc.
In this dashboard, there are several tabs below the heading that one can drill into that can give certain information about a specific host. I’m going to attempt to go through each one to show some of the useful information shown here.
On this tab, one can see the traffic volume by total bytes or packets over a period of time.
On this tab, one can see the processes running on the machine, the user that started the process, the process ID, the parent process ID, last exec content change, last attribute change, uptime for that process, process binary hash, and the process command line.
One can also filter by process using the filter field on top to search for a specific attribute. For example, the filter below is based on the process command line containing Docker.
On this tab, one can see every single package installed on the host including the name, version, architecture, and publisher.
What’s even cooler is that the inventory also includes the vulnerabilities that were detected and it can list the CVEs for that software package:
One can also filter on the top by CVE score to search for vulnerable software packages. This search can be for packages on a specific server or globally.
Once it’s filtered on this screen, one can highlight the red exclamation point to see the CVEs associated with the software package.
Note: The Tetration cluster automatically downloads a database of vulnerabilities on a regular basis and compares the software packages seen against those vulnerabilities.
This tab is huge for security forensics. With the software sensor, Tetration can see every single process running on the server and every child process spawned from its parent process. By hitting the play button on this screen, one can replay, in order, every command that was entered and the process (or chain of processes) it kicked off.
One can also highlight each process and get more details about it as the mouse hovers over it.
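The two things the Process and Process Snapshot tabs give you, filtering by command line (the Docker filter above) and walking the parent/child lineage of a process, both come down to joining records on process ID and parent process ID. The following is an added example, not code from the original post or from Tetration: it builds a process tree from a constructed set of process records in the same shape as the columns described above (PID, parent PID, user, command line) and answers the forensic questions a practitioner asks of such a tree, namely "where did this process come from?" and "what did this process start?". The record values are made up for illustration.

```python
from collections import defaultdict

# Constructed process snapshot (sample data, not from a real host).
# Fields mirror the Process tab columns: pid, ppid, user, cmdline.
PROCESSES = [
    {"pid": 1,    "ppid": 0,    "user": "root",  "cmdline": "/sbin/init"},
    {"pid": 800,  "ppid": 1,    "user": "root",  "cmdline": "/usr/sbin/sshd -D"},
    {"pid": 900,  "ppid": 1,    "user": "root",  "cmdline": "/usr/bin/dockerd"},
    {"pid": 2301, "ppid": 800,  "user": "root",  "cmdline": "sshd: admin [priv]"},
    {"pid": 2305, "ppid": 2301, "user": "admin", "cmdline": "-bash"},
    {"pid": 2410, "ppid": 2305, "user": "admin", "cmdline": "sudo docker ps"},
    {"pid": 2411, "ppid": 2410, "user": "root",  "cmdline": "docker ps"},
]


def build_tree(processes):
    """Index the snapshot by pid and by ppid so lineage can be walked both ways."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def filter_cmdline(processes, needle):
    """Case-insensitive substring filter on the command line (like the Docker filter)."""
    needle = needle.lower()
    return [p["pid"] for p in processes if needle in p["cmdline"].lower()]


def ancestry(processes, pid):
    """Command lines from the root ancestor down to pid: 'where did this come from?'"""
    by_pid, _ = build_tree(processes)
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["cmdline"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def descendants(processes, pid):
    """Set of every pid transitively started by pid: 'what did this process start?'"""
    _, children = build_tree(processes)
    found, stack = set(), list(children[pid])
    while stack:
        child = stack.pop()
        if child not in found:
            found.add(child)
            stack.extend(children[child])
    return found


def render(processes, root_pid=1):
    """Indented text rendering of the tree, one line per process."""
    by_pid, children = build_tree(processes)
    lines = []

    def walk(pid, depth):
        p = by_pid[pid]
        lines.append(f"{'  ' * depth}{p['pid']} ({p['user']}) {p['cmdline']}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root_pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PROCESSES))
    print("docker-related pids:", filter_cmdline(PROCESSES, "docker"))
    print("lineage of 2411:", " -> ".join(ancestry(PROCESSES, 2411)))
    print("started by sshd (800):", sorted(descendants(PROCESSES, 800)))
```

The lineage walk is the useful part for forensics: a `docker ps` whose ancestry runs through `sshd` and an interactive shell tells a different story than the same command started directly by a scheduler, which is exactly what the play-back on the Process Snapshot tab lets you see.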
Nothing special here. This tab just lets you know how the agent is configured.
This tab shows the associated interfaces on the host along with their MAC addresses.
JP brought up a great use case for the interfaces: Let’s say a client needs to reboot a switch for an upgrade or another reason and needs to know what applications are going to be affected by rebooting a single top-of-rack switch inside a data center. This can be hard to know if the applications aren’t mapped to the server correctly, if there are bare metal servers, or if VMs are vMotioned around the data center. Using the API in Tetration, one can write a script that would pull the MAC addresses from the switch TCAM table and from Tetration to map out the applications that are associated with those MAC addresses. Executing a script like that would easily let a client know what applications would be directly affected by rebooting that specific switch.
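The correlation JP describes is a join on normalized MAC addresses between two inventories. The following is an added example, not code from the original post, from JP, or from Tetration: it takes a constructed `show mac address-table` style dump from the switch being rebooted and a constructed host interface inventory in the shape of the Interfaces tab (hostname, MAC, applications the host belongs to), and reports which applications have a host behind that switch. Pulling the inventory from the Tetration API and the MAC table from the switch is assumed to have happened already; both inputs here are sample data, and the MAC normalization handles the dotted, colon and hyphen forms that different devices and APIs emit.

```python
import re

# Constructed switch MAC table (Cisco dotted-quad style) for the top-of-rack
# switch being rebooted. Sample data, not from a real device.
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
  10    0050.56a1.0001    DYNAMIC     Eth1/1
  10    0050.56a1.0002    DYNAMIC     Eth1/2
  20    0050.56a1.0003    DYNAMIC     Eth1/3
"""

# Constructed host interface inventory, shaped like the Interfaces tab.
# In practice this would be fetched via the Tetration API; that call is
# assumed and not shown here.
HOST_INTERFACES = [
    {"hostname": "web-01", "mac": "00:50:56:A1:00:01", "applications": ["Storefront"]},
    {"hostname": "db-01",  "mac": "00-50-56-a1-00-03", "applications": ["Storefront", "Reporting"]},
    {"hostname": "app-07", "mac": "00:50:56:a1:00:99", "applications": ["Payroll"]},
]

# Matches the dotted form used in the switch dump (xxxx.xxxx.xxxx).
DOTTED_MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.IGNORECASE)


def normalize_mac(mac):
    """Canonicalise dotted, colon or hyphen MAC forms to lower-case aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_switch_macs(table_text):
    """Extract every MAC entry from a mac-address-table style dump as a normalized set."""
    macs = set()
    for line in table_text.splitlines():
        match = DOTTED_MAC_RE.search(line)
        if match:
            macs.add(normalize_mac(match.group(0)))
    return macs


def affected_applications(switch_table, host_interfaces):
    """Map application -> set of hostnames whose interface MAC is learned on the switch."""
    switch_macs = parse_switch_macs(switch_table)
    impact = {}
    for iface in host_interfaces:
        if normalize_mac(iface["mac"]) in switch_macs:
            for app in iface["applications"]:
                impact.setdefault(app, set()).add(iface["hostname"])
    return impact


if __name__ == "__main__":
    impact = affected_applications(SWITCH_MAC_TABLE, HOST_INTERFACES)
    for app, hosts in sorted(impact.items()):
        print(f"{app}: {', '.join(sorted(hosts))}")
```

Because the join is keyed on what the switch actually learned rather than on a CMDB mapping, a VM that has been vMotioned onto a host behind this switch shows up, and one that has moved away does not; app-07 in the sample is excluded for exactly that reason.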
This tab shows the enforcement that’s configured on the host at that moment and the traffic being allowed in and out of the host. It displays the action (allow/deny), direction, whether it’s IPv4 or IPv6, source and destination IP or subnet, source and destination ports, etc.
This tab can show the enforcement on containers. The lab that we were using didn’t have this, so I had to screenshot from here. Since Tetration can enforce policy on virtual machines, bare metal servers, and containers, this separate tab shows the container-specific enforcement policy itself.