[MacTUG] Proactive Mac Security: osquery

Marlon A. Griffith m3griffi at uwaterloo.ca
Tue Dec 20 09:55:00 EST 2016


An impressive overview of where it can be used.

enjoy,
Marlon
-------------

"""
osquery does not need to know everything about a system. You can disable
tables (collections of data in sql parlance,) from being accessed to
ensure you aren't collecting information you don't want, like
environment variables a developer might leak credentials into. And the
product doesn't even collect browser histories, which incident response
will need to pull an image of the affected drive to access. That being
said, what it can access are the most common indications of compromise:
browser extensions, launchd jobs, applications stuffed out of sight, and
other ways badware tries to get persistence on a Mac. It can also
overcome a blind spot in the 'periodic run' inventory tools: what
happens if an event occurs in between the interval that it's scheduled
to collect this data? osquery overcomes this with tables whose names end
in '_events', which leverage system frameworks for high-priority data
types. These have the capability of essentially 'streaming' the actions
it's configured to pick up on in real-time when using the osqueryd daemon.

Another way it can be less naive than other systems like xprotect is its
support for file integrity monitoring (FIM); other tools that are based
on the presence of definitions must find an exact match to be
'known-bad'. FIM can help you work in reverse by reporting on known good
files at certain paths, so you don't have to trust file names at certain
paths in order to tell everything is as you'd expect it to be. Many
pieces of malware hide in plain sight by choosing names that will be
overlooked by casual inspection. Being able to collect fingerprints on
files you don't recognize or DON'T match as-of-yet known-bad files means
you can do your own research without actually pulling the artifact off
the affected machine. Apple's future push towards adopting xip files and
DMG signing instead of zips will help extend this chain of trust to the
distribution step as well. osquery can also stream DMG mount events so
you can trace the path from a benign-looking filedropper to the actual
infected application.

In this way osquery can watch the fence-jumping and give you the
historical play-by-play of what is occurring: if a new launchd shows up
after a DMG mount event, your chain of cause and effect is captured way
before VirusTotal can scrape up enough strikes for the AV vendors to
wake up about that particular strain of an infection.

Finally, one of the built-into-the-core features of osquery is the
ability for it to both receive configs over https and send the results
of queries over the wire as well. And a newer table (this is going to
BLOW YOUR MIND) can parse Apple System Log, perhaps obviating the need
for most log aggregation and shipping. Not only can osquery gather its
own criteria, but it can also send scraped data from other logs! I hope
this dipping-of-a-toe into osquery has piqued your interest. In addition
to the U of Utah presentation above, I gave talks on leveraging osquery
from python for Philly Mac Admins, and a more... 'entertaining' intro at
MacDevOps YVR.

https://www.afp548.com/2016/08/23/proactive-mac-security-osquery/
"""
