Slide 1

osquery: approaching security the hacker way
mike arpaia / facebook
@mikearpaia

Slide 2

why is openness in security important?

Slide 3

• why is openness in security important?
• what's osquery?

Slide 4

• why is openness in security important?
• what's osquery?
• open source security design decisions

Slide 5

• why is openness in security important?
• what's osquery?
• open source security design decisions
• how can we work together?

Slide 6

being open

Slide 7

open source makes life easier

Slide 8

we can be open in security
no secrets are required
• secrecy has stifled innovation
• little software to help defend against modern attacks
• reimplementing the same solutions, poorly
• let's do the math

Slide 9

attacker math 101
visualizing attacks and the defenses against them
popularized by Dino Dai Zovi and Dan Guido
• the attacker will take the least-cost path through an attack graph
• the juice has to be worth the squeeze
https://www.trailofbits.com/resources/attacker_math_101_slides.pdf

Slide 10

attack graphs
visualizing attacks and the defenses against them
[diagram] start -> overcome obstacle -> overcome obstacle -> overcome obstacle -> accomplish objective

Slide 13

attack graphs
visualizing attacks and the defenses against them
[diagram] start -> overcome obstacle -> overcome obstacle -> accomplish objective; a second, longer route: overcome obstacle -> overcome obstacle -> overcome obstacle

Slide 14

we can alter the path of attackers by altering our defenses

Slide 15

it's an engineering problem
the future of security will be written in vim

Slide 16

osquery

Slide 17

osquery
an open platform for host instrumentation
if you need to collect low-level information from an operating system, then you should use osquery
• small footprint
• rich capabilities
• solves real-world problems

Slide 18

osquery
SQL for your infrastructure
use SQL queries to explore OS state
• running processes
• loaded kernel modules
• active network connections
• route table
• firewall settings
• installed software
• much more

Slide 19

osqueryi

Slide 20

LaunchDaemons which run a binary at boot

Slide 21

running processes

Slide 22

processes listening on ports

Slide 23

many tables are available
more tables are being written every day
• acpi_tables
• arp_cache
• crontab
• file_events
• kernel_info
• listening_ports
• logged_in_users
• mounts
• pci_devices
• processes
• routes
• shell_history
• smbios_tables
• suid_bin
• system_controls
• usb_devices
• users
• groups
• rpm_packages
• apt_sources
• deb_packages
• homebrew_packages
• kernel_modules
• memory_map
• shared_memory
• browser_plugins
• startup_items

Slide 24

osqueryd

Slide 25

osqueryd
daemon for low-level host monitoring
know how the results of a query change over time
• schedule a query on your hosts via a config
• the daemon takes care of periodically executing your queries
• buffers results to disk and generates a log of state changes
• logs results for aggregation and analytics
• run your query in differential or snapshot mode
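What "differential or snapshot mode" means in practice, as an added illustration that is not osquery's own code: the daemon keeps the previous result set of a scheduled query and logs only rows that appeared or disappeared, while snapshot mode logs the whole result set every run. The sample rows are constructed, and the log-entry shape (name/action/columns) is an assumption that approximates osquery's result log.

```python
"""Differential vs snapshot logging, as osqueryd does for a scheduled query.

Added illustration, not osquery's own code. Rows are the dicts a table query
returns; the log-entry shape (name/action/columns) approximates osquery's
result log and is an assumption here.
"""
import json

# Constructed sample results for a scheduled query named "listening_ports",
# as if taken at two consecutive intervals of the schedule.
PREVIOUS = [
    {"pid": "412", "port": "22", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "870", "port": "5353", "protocol": "17", "address": "0.0.0.0"},
]
CURRENT = [
    {"pid": "412", "port": "22", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "2231", "port": "8080", "protocol": "6", "address": "0.0.0.0"},
]


def _key(row):
    # A row has no identity beyond its column values, so the whole row is the key.
    return tuple(sorted(row.items()))


def differential(name, previous, current):
    """Return one log entry per state change: rows that appeared or vanished.

    Unchanged rows produce nothing, which is what keeps a differential log
    small while a host is quiet; the cost is that the first run logs every
    row as 'added' because there is no buffered previous result yet."""
    before = {_key(r): r for r in previous}
    after = {_key(r): r for r in current}
    entries = []
    for k in sorted(after.keys() - before.keys()):
        entries.append({"name": name, "action": "added", "columns": after[k]})
    for k in sorted(before.keys() - after.keys()):
        entries.append({"name": name, "action": "removed", "columns": before[k]})
    return entries


def snapshot(name, current):
    """Snapshot mode: log the complete result set on every run, no diffing."""
    return {"name": name, "action": "snapshot", "snapshot": list(current)}


if __name__ == "__main__":
    for entry in differential("listening_ports", PREVIOUS, CURRENT):
        print(json.dumps(entry))
```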

Slide 26

Slide 26 text

event-based operating system introspection host event pub/sub stream subscribe to key OS events to create dynamically growing tables •subscribe to “publishers” •filesystem changes (inotify, FSEvents) •network setting changes (SCNetwork) •query the history of your host, as it evolves

Slide 27

Slide 27 text

event-based file integrity logging file integrity monitoring use wildcards to monitor important files on your hosts •/bin/* •/Users/*/Downloads/**

Slide 28

Slide 28 text

for config distribution and data infrastructure plugin system •simple plugin API •specify your plugins at runtime with a command-line flag filesystem http zookeeper configuration filesystem flume scribe logging

Slide 29

Slide 29 text

design decisions

Slide 30

Slide 30 text

lessons learned from MIDAS we knew that we could do better at •exposing capabilities safely •reducing engineering overhead •improving development culture

Slide 31

Slide 31 text

the problem exposing capabilities •sharing a capability required sharing the whole module •few example modules were released •dramatically limited the utility of MIDAS

Slide 32

Slide 32 text

the solution exposing capabilities SQL allows for simple, flexible analysis •tables allow us to give away the answers without giving away the questions •capabilities can be configured instead of developed

Slide 33

Slide 33 text

the problem engineering overhead in MIDAS, capabilities were written in Python •"complex" code to solve simple problems •security people are not programmers

Slide 34

Slide 34 text

the solution engineering overhead with SQL, asking a question doesn't require writing complex code •low-level operating system analytics with attention to UEX SELECT address, mac, count(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING count(mac) > 1;
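The slide's query, run end to end as an added example that is not osquery's code: osquery's SQL engine is SQLite, so the same statement runs against an in-memory table built with the osquery arp_cache columns (address, mac, interface, permanent) and constructed sample rows. It flags a MAC that answers for more than one IP, which is a lead for a defender to investigate rather than proof of spoofing.

```python
"""Run the duplicate-MAC query from the slide against a constructed arp_cache.

Added example, not osquery's code. Same SQL dialect (SQLite), same column
names as osquery's arp_cache table; the rows are constructed sample data.
"""
import sqlite3

# The query exactly as it appears on the slide.
QUERY = """
SELECT address, mac, count(mac) AS mac_count
FROM arp_cache
GROUP BY mac
HAVING count(mac) > 1;
"""

# Constructed sample ARP cache: one MAC is claimed by two different IPs.
SAMPLE_ARP_CACHE = [
    ("10.0.0.1", "aa:bb:cc:00:00:01", "en0", "0"),
    ("10.0.0.23", "aa:bb:cc:00:00:17", "en0", "0"),
    ("10.0.0.99", "aa:bb:cc:00:00:01", "en0", "0"),
    ("10.0.0.42", "aa:bb:cc:00:00:2a", "en0", "0"),
]


def duplicate_macs(rows=SAMPLE_ARP_CACHE):
    """Return [(address, mac, mac_count)] for MACs present on more than one IP.

    Caveat a practitioner should know: 'address' is not aggregated, so SQLite
    returns one arbitrary address per group; treat mac and mac_count as the
    reliable columns and re-query for the full address list when triaging."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE arp_cache (address TEXT, mac TEXT, interface TEXT, permanent TEXT)"
    )
    conn.executemany("INSERT INTO arp_cache VALUES (?, ?, ?, ?)", rows)
    result = conn.execute(QUERY).fetchall()
    conn.close()
    return result


if __name__ == "__main__":
    for address, mac, mac_count in duplicate_macs():
        print(f"{mac} seen on {mac_count} addresses (one of them {address})")
```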

Slide 35

Slide 35 text

the problem development culture open source code was not actively used internally •codebase began to drift •contributions weren't getting pulled in

Slide 36

Slide 36 text

the solution development culture we do 100% of our engineering in the open, on GitHub

Slide 37

Slide 37 text

fighting together

Slide 38

Slide 38 text

and now our watch begins working together to stay safe many different industries are working together •offensive security researchers •defensive security professionals •entrepreneurs in infrastructure/security

Slide 39

Slide 39 text

questions https://osquery.io