5. MASTER ASGARD
MASTER ASGARD is a single central management console that can control all of your ASGARD systems. It is meant to centrally manage controlled scans on all your ASGARD systems. MASTER ASGARD also provides one central point of management for your Response Playbooks, Evidence Collection and IOC Management.
Since MASTER ASGARD version 2, you install a MASTER ASGARD by promoting a bare ASGARD system with the installation of a special license. After the MASTER ASGARD license installation, many functions offer additional options. However, from that moment onwards, your MASTER ASGARD controls all endpoints connected to all linked ASGARD systems.
5.1. Hardware Requirements for MASTER ASGARD
MASTER ASGARD has the following hardware requirements.
|System memory|16 GB|
|Hard disk|1 TB|
5.2. License Management
Once you connect ASGARD systems with MASTER ASGARD, the licensing sections on connected ASGARD systems become inactive. The local ASGARD license will be replaced with the MASTER ASGARD license. Every ASGARD can issue scanning licenses to assets as long as the total number of scanned servers and workstations does not exceed the number of systems in the master license.
5.3. Setting up MASTER ASGARD
The setup procedure for MASTER ASGARD is identical to the setup procedure for ASGARD Management Center. Since MASTER ASGARD v2, you install an ASGARD v2 and promote it to MASTER ASGARD v2 through a special license upload.
Note: After upgrading an ASGARD to a MASTER ASGARD, all previous information and settings on that system will be lost. Don’t upgrade ASGARD systems with connected endpoints; promote only newly installed systems.
5.3.1. Default Password Web GUI
5.3.2. Default Password Console
5.5. Scan Control
Scan Control in MASTER ASGARD looks the same as in an ASGARD server. The only difference is that you can select an ASGARD Server or “All ASGARDs” to run the scans on.
5.6. IOC Management
ASGARD provides two ways to import custom IOCs, YARA or Sigma rules:
- Upload in a format that THOR understands (see THOR Manual)
- Sync with a MISP instance
All IOCs, rules and MISP events can be used in scans on every connected endpoint.
In version 2.4 of ASGARD it is not yet possible to sync down IOCs, rules or MISP events to connected ASGARD systems and use them in local scans. Future versions of ASGARD will allow that.
5.7. Evidence Collection
All collected evidence is available in MASTER ASGARD’s Evidence Collection section.
In version 2.4 of ASGARD it is not possible to limit the availability of collected evidence, e.g. making locally collected evidence on an ASGARD available only to local users and not to the users on the MASTER ASGARD. Future versions of ASGARD will allow that.
5.8. Download Section
The Downloads section of MASTER ASGARD doesn’t contain scanner packages, since the scanners are downloaded and maintained only on each of the connected ASGARD servers.
The Updates section contains a tab in which upgrades for ASGARD can be installed.
A second tab named Scanners and Signatures gives you an overview of the scanner and signature versions in use on all connected ASGARDs.
It is possible to set a certain THOR and Signatures version for each connected ASGARD. However, if automatic updates are configured, this setting only has an effect until a new version gets downloaded.
Customers use this feature in cases in which they want to test a certain THOR version before using it in production. In this use case the ASGARD system that runs the test scans is set to automatic updates, while the ASGARD systems in production use versions that administrators set manually after successful test runs.
5.10. User Roles
MASTER ASGARD has the following predefined user roles, which can be extended by custom roles.
Note that all users except users with the right ReadOnly have the right to run scans on endpoints since this is the main function of an ASGARD system.
The following section describes these predefined rights and restrictions that each role can have in detail.
|Allows scan templates management|
|Run playbooks, including playbooks for evidence collection, to kill processes or isolate an endpoint|
|Connect to endsystems via remote console|
|Review the recordings of all remote console sessions|
|Create and start scans with predefined arguments or scan templates that are not restricted|
|Cannot view inactive assets in asset management.|
|Cannot start scans or tasks (playbooks)|
|Can’t change anything, can’t run scans or response tasks. Used to generate read-only API keys|
5.11. MASTER ASGARD and Analysis Cockpit
It is not possible to link MASTER ASGARD with an Analysis Cockpit and transmit all scan logs via MASTER ASGARD to a single Analysis Cockpit instance. Each ASGARD has to deliver its logs separately to a connected Analysis Cockpit.
5.12. MASTER ASGARD API
The MASTER ASGARD API is documented in the API Documentation section and resembles the API in ASGARD systems.
However, many API endpoints contain a field in which users select the corresponding ASGARD (via ID) or all ASGARDs (ID=0).