What is osquery?
- Exposes system information via "SQL tables": users, groups, installed packages, kernel modules, network communication, file system events
- Runs scheduled queries against those tables
What problems can osquery solve?
- A single tool for finding system information
- Easy to merge information from multiple information sources
- Results presented in multiple parsable formats
Out of the Box Tools: osqueryd
- osquery's daemon
- Useful for continuous detection
- Schedules and runs pre-set queries and writes the results to a logger
- Takes some setup (we'll get to that)
Out of the Box Tools: osqueryctl
- osquery's system control tool
- Turns osqueryd on, gets its status, turns it off, etc.
- Takes care of system-specific stuff (like LaunchAgents, which aren't fun)
Advanced Syntax Breakdown

  SELECT name, path FROM kernel_extensions WHERE name NOT LIKE 'com.apple%';

- SELECT name, path: get the name and path data
- FROM kernel_extensions: from the Kernel Extensions virtual table
- WHERE name NOT LIKE 'com.apple%': where the name field doesn't start with com.apple
Advanced Query
- What it means: get the name and path of any loaded OSX kernel extension that was not created by Apple

  SELECT name, path FROM kernel_extensions WHERE name NOT LIKE 'com.apple%';
Joins
- This is SQL syntax after all
- What it means: get the uid and name of any process with an open listening socket (the two tables are joined on pid)

  SELECT p.uid, p.name FROM listening_ports l, processes p WHERE l.pid = p.pid;
Real World Query Examples
- Detects the LoginWindow persistence mechanism:

  select key, subkey, value from preferences where path = '/Library/Preferences/com.apple.loginwindow.plist';

- Detects the RAT used by Hacking Team:

  select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_package_type like 'OSAX';

- Detects the Careto malware LaunchDaemon:

  select * from launchd where path like '%com.apple.launchport.plist';
Yara
- "The pattern matching swiss knife for malware researchers"
- A pattern matching syntax for identifying malware
- osquery can be configured to compare changed files against a set of Yara signatures
- This is a beta feature at this time
Yara
- Start by setting up the file paths you want to watch, just as before:

  "file_paths": {
    "binaries": [
      "/usr/bin/%%",
      "/usr/sbin/%%",
      "/bin/%%",
      "/sbin/%%",
      "/usr/local/bin/%%",
      "/usr/local/sbin/%%",
      "/opt/bin/%%",
      "/opt/sbin/%%"
    ]
  }
Yara
- Then tell osquery which files contain Yara signatures
- Note: the key "binaries" has to be one of the file_paths categories

  "Yara": {
    "signatures": {
      "group_1": ["/path/file1.sig", "/path/file2.sig"],
      "group_2": ["/path/file2.sig", "/path/file3.sig"]
    },
    "binaries": ["group_1"]
  }
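An added example, not from the slides or the osquery project, that checks the cross-reference the slide above warns about before a config is shipped: every category listed under the Yara section must also exist in file_paths, and every signature group it names must be defined. It accepts both the slide's layout (categories directly under the Yara object) and the nested file_paths layout used by newer osquery releases; the config fragment, its paths and its group names are constructed for this example.

```python
import json

# Constructed osquery config fragment following the slide's layout; the
# paths and group names are sample values, not a real deployment.
CONFIG_JSON = """
{
  "file_paths": {
    "binaries": ["/usr/bin/%%", "/usr/sbin/%%", "/usr/local/bin/%%"]
  },
  "Yara": {
    "signatures": {
      "group_1": ["/path/file1.sig", "/path/file2.sig"],
      "group_2": ["/path/file3.sig"]
    },
    "binaries": ["group_1"],
    "downloads": ["group_2", "group_9"]
  }
}
"""

def yara_category_map(yara):
    """Map file_paths category -> signature groups. The slide lists categories
    directly under the Yara object; newer osquery releases nest them under a
    'file_paths' key. Accept both layouts."""
    if "file_paths" in yara:
        return yara["file_paths"]
    return {k: v for k, v in yara.items() if k != "signatures"}

def check_yara_config(cfg):
    """Return a list of problems; an empty list means the config is consistent."""
    yara = next((cfg[k] for k in cfg if k.lower() == "yara"), None)
    if yara is None:
        return ["no yara section in config"]
    sig_groups = set(yara.get("signatures", {}))
    watched = set(cfg.get("file_paths", {}))  # categories the file watcher knows
    problems = []
    for category, groups in yara_category_map(yara).items():
        if category not in watched:  # osquery would never scan this category
            problems.append(f"yara category '{category}' is not a file_paths category")
        for g in groups:
            if g not in sig_groups:
                problems.append(f"category '{category}' uses undefined signature group '{g}'")
    return problems

def check_sample():
    """Run the check over the constructed config above."""
    return check_yara_config(json.loads(CONFIG_JSON))
```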
osqueryd Configuration: osquery.conf
- JSON configuration file
- Holds the scheduled queries and the file paths to monitor
- Read from the local filesystem or over https
osqueryd Configuration: osquery.flags
- Configures osquery administration: where the logs go, where the pidfile is, where to find the JSON config file
Managing Intelligence with Packs
- osquery query packs are groups of queries to be added to the osquery schedule
- Lets you group queries for easier management and distribution
- Basically a specialized osquery.conf
Why Packs?
- Make use of included intelligence and management
- Share and collaborate on intelligence
- Overall easier management without an unwieldy osquery.conf
Building Your Own Packs
- Basic template (stolen from osquery.io/docs/packs)
- Extend and add queries to your heart's content!

  {
    "platform": "darwin",
    "version": "1.1.17",
    "queries": {
      "example_query": {
        "query": "select * from kernel_extensions;",
        "interval": "86400",
        "description": "Identifies a systems kext files",
        "value": "Kext's are a common OSX malware persistence mechanism"
      }
    }
  }
cgroups
- Control Groups: a feature of the Linux kernel
- LXC uses cgroups to do its work
- Allows you to segment a group of processes into their own process space or file system
cgroups
- Root cgroup: everything runs here by default
- Everything gets 1000 cpu shares; the smallest you can provide is 2 shares
- Set up during the init script
How Heroku is Using osquery
- Only on the servers
- Our environment is very uniform, so we look for things that are not uniform
- Look up IOCs just to get a heads up
How GitHub is Using osquery
- Very very very work in progress
- osquery on OSX laptops: hunting known IOCs
- osquery on Linux servers: hunting known IOCs and anomalies, and doing auditing
Deploying osquery on OSX
- Deploy the osquery package (or a custom version)
- Set osquery.conf and osquery.flags, and/or start osqueryd
- Figure out how to collect logs (or don't!)
Configuring Many Endpoints
- Earlier we mentioned that osquery.flags tells osqueryd where to find the config file
- That config file can come from an https server
Windmill
- Open source Ruby TLS configuration endpoint
- Get it now at heroku/windmill
- Organizes endpoints into Configuration Groups
- Enables intelligent endpoint management