Enterprise Deployment
Large-scale deployment planning and fleet management for Aquilon DLP across enterprise environments.
Overview
Enterprise deployment addresses:
- Scaling to hundreds or thousands of endpoints
- Multi-platform environments (macOS and Linux)
- Centralized configuration management
- Compliance reporting and monitoring
- Fleet health and remediation
Planning
Deployment Scope
Before deploying, define your scope:
| Factor | Considerations |
|---|---|
| Endpoints | Total count, platform mix, geographic distribution |
| Compliance | Required frameworks (HIPAA, PCI DSS, SOX, ISO 27001) |
| Policies | Standard vs custom, per-department variations |
| Monitoring | Alert routing, SIEM integration, dashboards |
| Support | Help desk preparation, escalation paths |
Rollout Strategy
Recommended: Staged rollout
| Phase | Scope | Duration | Goals |
|---|---|---|---|
| Pilot | IT/Security (10-50) | 1 week | Validate deployment, catch issues |
| Early Adopter | Willing teams (100-500) | 1 week | Broader testing, refine process |
| General | All remaining | 2-4 weeks | Full production rollout |
For each phase:
- Deploy configuration and profiles
- Monitor for issues (24-48 hours)
- Address any problems
- Proceed to next phase
Success Criteria
Define metrics before deployment:
- Installation success rate > 99%
- FDA grant rate (macOS) > 99%
- Service running rate > 99%
- Alert generation within 24 hours
- No critical issues in pilot
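A phase-gate check that turns the per-phase procedure and the success criteria above into a go/no-go decision. This is an added example, not Aquilon DLP tooling; it assumes an MDM inventory export with one row per endpoint and the (assumed) columns hostname, platform, installed, fda_granted and service_running.

```python
"""Phase-gate check for a staged Aquilon DLP rollout (added example, not Aquilon tooling).
Assumes an MDM inventory export with columns hostname, platform, installed,
fda_granted, service_running; map your MDM's export onto these (assumed) names."""
import csv
import io

# Success criteria from the rollout plan: each rate must exceed 99%.
THRESHOLDS = {"install_rate": 0.99, "fda_rate": 0.99, "service_rate": 0.99}

# Constructed sample inventory for a small pilot phase.
SAMPLE_INVENTORY = """hostname,platform,installed,fda_granted,service_running
mac-01,macos,true,true,true
mac-02,macos,true,false,true
lnx-01,linux,true,,true
lnx-02,linux,false,,false
"""


def _flag(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def phase_metrics(csv_text):
    """Compute the three gate rates; FDA is measured over installed macOS hosts only."""
    rows = _rows(csv_text)
    installed = [r for r in rows if _flag(r["installed"])]
    macs = [r for r in installed if r["platform"] == "macos"]
    return {
        "endpoints": len(rows),
        "install_rate": len(installed) / len(rows) if rows else 0.0,
        "fda_rate": sum(_flag(r["fda_granted"]) for r in macs) / len(macs) if macs else 1.0,
        "service_rate": sum(_flag(r["service_running"]) for r in installed) / len(installed) if installed else 0.0,
    }


def gate_decision(metrics):
    """Return (proceed, failed_criteria); proceed only when every rate clears its threshold."""
    failed = [k for k, t in THRESHOLDS.items() if metrics[k] <= t]
    return (not failed, failed)


def failing_hosts(csv_text):
    """Hosts to remediate before this phase can be signed off."""
    out = []
    for r in _rows(csv_text):
        if not _flag(r["installed"]) or not _flag(r["service_running"]):
            out.append((r["hostname"], "not installed or service stopped"))
        elif r["platform"] == "macos" and not _flag(r["fda_granted"]):
            out.append((r["hostname"], "FDA not granted"))
    return out
```

Run `gate_decision(phase_metrics(SAMPLE_INVENTORY))` after each phase's 24-48 hour soak; the sample pilot holds because install and FDA rates fall below 99%.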
Configuration Management
Centralized Configuration
For consistent deployment across endpoints, centralize configuration:
Option A: MDM-deployed configuration file
- Deploy `/etc/aquilon-dlp/aquilon_dlp_config.toml` via MDM
- Update by redeploying the profile
Option B: Configuration management (Ansible, Chef, Puppet)
```yaml
# Ansible example
- name: Deploy Aquilon DLP config
  template:
    src: aquilon_dlp_config.toml.j2
    dest: /etc/aquilon-dlp/aquilon_dlp_config.toml
    mode: '0644'
  notify: restart aquilon-dlp
```
Department-Specific Policies
Different departments may need different policies:
```toml
# Example: Finance department config
[policies]
enabled_policies = ["gdpr", "ccpa", "sox", "pci_dss"]

# Other departments would use different policies:
# - Healthcare: ["gdpr", "hipaa"]
# - Engineering: ["gdpr", "ccpa"]
```
Deploy department-specific configs via:
- MDM smart groups/blueprints
- Configuration management role assignments
- AD group membership
Tracking Deployment
Track active installations:
- Use MDM inventory reports
- Query OSQuery fleet
- Monitor Prometheus endpoint count
Monitoring and Alerting
OSQuery Fleet Queries
Schedule queries across your fleet:
```sql
-- Daily: Deployment health
SELECT
  hostname,
  (SELECT COUNT(*) FROM aquilon_dlp_alerts) AS total_alerts,
  (SELECT COUNT(*) FROM aquilon_dlp_alerts WHERE severity = 'critical') AS critical_alerts
FROM system_info;

-- Hourly: Alert summary
SELECT
  policy,
  severity,
  COUNT(*) AS count
FROM aquilon_dlp_alerts
WHERE timestamp > (strftime('%s', 'now') - 3600)
GROUP BY policy, severity;
```
Prometheus Metrics
Configure Prometheus scraping:
```yaml
# prometheus.yml
scrape_configs:
  - job_name: 'aquilon-dlp'
    static_configs:
      - targets: ['host1:9090', 'host2:9090', ...]
    # Or use service discovery
    file_sd_configs:
      - files:
          - 'targets/aquilon-dlp/*.json'
```
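Generating the file_sd target file from an endpoint inventory keeps the scrape list in step with the fleet and gives each target labels for per-platform or per-department views. This is an added example, not part of Aquilon DLP; the endpoint list and its department field are constructed, and port 9090 follows the static_configs above.

```python
"""Generate a Prometheus file_sd target file for the aquilon-dlp scrape job.
Added example, not Aquilon DLP code; endpoint inventory below is constructed."""
import json
from collections import defaultdict

METRICS_PORT = 9090  # port used in the static_configs example

# Constructed inventory; in practice this comes from your MDM or CMDB export.
ENDPOINTS = [
    {"hostname": "mac-01.corp.example", "platform": "macos", "department": "finance"},
    {"hostname": "mac-02.corp.example", "platform": "macos", "department": "finance"},
    {"hostname": "lnx-01.corp.example", "platform": "linux", "department": "engineering"},
]


def file_sd_groups(endpoints, port=METRICS_PORT):
    """Build file_sd target groups, one per (platform, department), so the labels
    can slice dashboards and the target count can be checked against `up`."""
    groups = defaultdict(list)
    for e in endpoints:
        groups[(e["platform"], e["department"])].append(f'{e["hostname"]}:{port}')
    return [
        {"targets": sorted(targets), "labels": {"platform": platform, "department": dept}}
        for (platform, dept), targets in sorted(groups.items())
    ]


def target_count(groups):
    """Expected endpoint count; a lower sum of `up` for the job means unreachable agents."""
    return sum(len(g["targets"]) for g in groups)


def write_targets(path, endpoints):
    """Write the JSON file Prometheus watches; file_sd picks up changes without a restart."""
    groups = file_sd_groups(endpoints)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(groups, fh, indent=2)
    return target_count(groups)
```

Point `write_targets` at a file under `targets/aquilon-dlp/` and run it from the same job that exports the inventory.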
Key metrics to monitor:
- `aquilon_dlp_scans_total` - Scan volume by policy
- `aquilon_dlp_alerts_total` - Alert count by severity
- `aquilon_dlp_cache_hits_total` - Cache efficiency
- `aquilon_dlp_scan_duration_seconds` - Performance
Grafana Dashboards
Enterprise customers receive pre-built dashboards:
- Compliance Overview: Policy coverage across fleet
- Performance: Scan rates, latency, resource usage
- Alerts: Real-time alert visualization
Contact support@aquilonsecurity.com for dashboard templates.
SIEM Integration
Forward alerts to your SIEM via:
Structured logging:
```bash
# Configure logging via environment variable
export RUST_LOG=info
# Logs are output to stdout in structured JSON format
# Configure your SIEM to ingest from osquery results or log files
```
Note: Direct syslog forwarding is a planned feature. Currently, integrate via OSQuery scheduled queries.
OSQuery scheduled queries: Configure OSQuery to forward aquilon_dlp_alerts to SIEM.
Fleet Health
Health Checks
Monitor endpoint health:
Service running:
```bash
# macOS
sudo launchctl list | grep -q "com.aquilonsecurity.dlp" && echo "Running" || echo "Stopped"
# Linux
systemctl is-active aquilon-dlp
```
Recent alerts:
```sql
SELECT * FROM aquilon_dlp_alerts
WHERE timestamp > (strftime('%s', 'now') - 86400);
```
FDA status (macOS):
```bash
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT auth_value FROM access
   WHERE service = 'kTCCServiceSystemPolicyAllFiles'
   AND client = 'dev.aquilon.dlp-plugin';"
```
Common Issues
Service Not Running
Diagnosis:
```bash
# macOS
sudo launchctl list | grep aquilon
tail -100 /var/log/aquilon-dlp/stderr.log
# Linux
systemctl status aquilon-dlp
journalctl -u aquilon-dlp -n 100
```
Causes:
- Configuration error (run `--validate-config`)
- Database lock (another instance running)
- Missing permissions
Remediation:
- Fix configuration issue
- Kill duplicate processes
- Restart service
FDA Not Granted (macOS)
Diagnosis:
```bash
# Check profile
sudo profiles list | grep aquilon
# Check TCC database
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT auth_value FROM access
   WHERE service = 'kTCCServiceSystemPolicyAllFiles'
   AND client = 'dev.aquilon.dlp-plugin';"
```
Remediation:
- Verify PPPC profile installed
- Remove app bundle
- Reinstall via MDM
- Verify TCC entry shows `auth_value = 2`
No Alerts Generated
Diagnosis:
```sql
-- Check for recent alerts
SELECT COUNT(*) AS alert_count, policy
FROM aquilon_dlp_alerts
WHERE timestamp > (strftime('%s', 'now') - 86400)
GROUP BY policy;
```
Causes:
- No sensitive data in monitored paths
- Policies not enabled in configuration
- Exclusions too broad
Remediation:
- Review enabled policies
- Check watch_paths include relevant directories
- Review exclude_paths for over-exclusion
- Test with known sensitive data
High Resource Usage
Diagnosis:
```bash
# Check CPU/memory (use aquilon-dlp-enterprise or aquilon-dlp-basic based on edition)
top -pid $(pgrep -f aquilon)
# Check alert count
osqueryi "SELECT COUNT(*) FROM aquilon_dlp_alerts;"
```
Causes:
- Monitoring high-churn directories
- Large files without size limits
- Too many workers
Remediation:
```toml
# Add exclusions
exclude_paths = [
  "/Users/*/.cache/%%",
  "/home/*/.npm/%%",
  "**/*.iso",
  "**/*.dmg"
]

# Limit file size
[scan]
max_scan_size_mb = 100

# Reduce workers
[worker]
num_workers = 2  # Default is 4
```
Automated Remediation
MDM Remediation Policies
Jamf Pro - Extension Attribute for FDA status:
```bash
#!/bin/bash
AUTH=$(sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT auth_value FROM access
   WHERE service = 'kTCCServiceSystemPolicyAllFiles'
   AND client = 'dev.aquilon.dlp-plugin';" 2>/dev/null)
if [ "$AUTH" = "2" ]; then
  echo "<result>Granted</result>"
else
  echo "<result>Not Granted</result>"
fi
```
Smart Group for remediation:
- Criteria: Extension Attribute "FDA Status" is "Not Granted"
- Policy: Reinstall Aquilon DLP package
Ansible Remediation Playbook
```yaml
---
- name: Remediate Aquilon DLP issues
  hosts: dlp_endpoints
  tasks:
    - name: Check service status
      service:
        name: aquilon-dlp
        state: started
        enabled: yes

    - name: Validate configuration
      command: aquilon-dlp --validate-config /etc/aquilon-dlp/aquilon_dlp_config.toml
      register: config_check
      changed_when: false  # validation is read-only; do not report a change
      failed_when: config_check.rc != 0

    - name: Restart if config changed
      service:
        name: aquilon-dlp
        state: restarted
      when: config_changed | default(false)
```
Compliance Reporting
Generating Reports
Use OSQuery to generate compliance reports:
```sql
-- HIPAA compliance summary
SELECT
  date(timestamp, 'unixepoch') AS date,
  COUNT(*) AS total_findings,
  SUM(CASE WHEN severity = 'critical' THEN 1 ELSE 0 END) AS critical,
  SUM(CASE WHEN severity = 'high' THEN 1 ELSE 0 END) AS high
FROM aquilon_dlp_alerts
WHERE policy = 'HIPAA'
GROUP BY date(timestamp, 'unixepoch')
ORDER BY date DESC;

-- PCI DSS cardholder data exposure
SELECT
  path,
  timestamp,
  scanner,
  severity
FROM aquilon_dlp_alerts
WHERE policy = 'PCI_DSS'
  AND scanner IN ('credit_card', 'cvv')
ORDER BY timestamp DESC;
```
Audit Trail
Maintain audit trails for compliance:
- Findings: All alerts with timestamps
- Remediation: Actions taken on findings
- Coverage: Endpoints monitored
Export from OSQuery or configure SIEM to retain.
Disaster Recovery
Backup
Back up critical data:
- Configuration files (`/etc/aquilon-dlp/`)
- SQLite database (cache)
- MDM profiles and packages
Recovery
Single endpoint recovery:
- Reinstall via MDM or manual deployment
- Deploy configuration
- Verify service running
Fleet-wide recovery:
- Verify MDM profiles and packages available
- Trigger reinstall via MDM policy
- Monitor deployment dashboard
Version Rollback
To roll back a problematic update:
- Upload previous version to MDM
- Deploy to affected endpoints
- Monitor for issues
Support
Enterprise Support Channels
- Email: support@aquilonsecurity.com
- Portal: https://portal.aquilonsecurity.com
- Emergency: Per your license agreement
Support Response Times
| Priority | Response Time |
|---|---|
| Critical (P1) | 4 hours |
| High (P2) | 8 hours |
| Normal (P3) | 24 hours |
Providing Logs
When contacting support, include:
macOS:
```bash
# Collect logs
tail -n 500 /var/log/aquilon-dlp/stderr.log > dlp-logs.txt
# System info
system_profiler SPSoftwareDataType >> dlp-logs.txt
# FDA status
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT * FROM access WHERE client LIKE '%aquilon%';" >> dlp-logs.txt
```
Linux:
```bash
# Collect logs
sudo journalctl -u aquilon-dlp -n 500 > dlp-logs.txt
# System info
uname -a >> dlp-logs.txt
cat /etc/os-release >> dlp-logs.txt
# Service status
systemctl status aquilon-dlp >> dlp-logs.txt
```
Next Steps
- Configure policies: See Policy Frameworks
- Set up monitoring: See Monitoring
- Review compliance: See Compliance