[MacTUG] Proactive Mac Security: osquery

m3griffi m3griffi at uwaterloo.ca
Tue Jan 31 11:29:03 EST 2017


"""
osquery does not need to know everything about a system. You can disable 
tables (collections of data in SQL parlance) from being accessed to 
ensure you aren't collecting information you don't want, like 
environment variables a developer might leak credentials into. And the 
product doesn't even collect browser histories, which incident response 
will need to pull an image of the affected drive to access. That being 
said, what it can access are the most common indications of compromise: 
browser extensions, launchd jobs, applications stuffed out of sight, and 
other ways badware tries to get persistence on a Mac. It can also 
overcome a blind spot in the "periodic run" inventory tools: what 
happens if an event occurs in between the interval that it's scheduled 
to collect this data? osquery overcomes this with tables whose names end 
in "_events", which leverage system frameworks for high-priority data 
types. These have the capability of essentially "streaming" the actions 
it's configured to pick up on in real-time when using the osqueryd daemon.

Another way it can be less naive than other systems like xprotect is its 
support for file integrity monitoring (FIM); other tools that are based 
on the presence of definitions must find an exact match to be 
"known-bad". FIM can help you work in reverse by reporting on known good 
files at certain paths, so you don't have to trust file names at certain 
paths in order to tell everything is as you'd expect it to be. Many 
pieces of malware hide in plain sight by choosing names that will be 
overlooked by casual inspection. Being able to collect fingerprints on 
files you don't recognize or DON'T match as-of-yet known-bad files means 
you can do your own research without actually pulling the artifact off 
the affected machine. Apple's future push towards adopting xip files and 
DMG signing instead of zips will help extend this chain of trust to the 
distribution step as well. osquery can also stream DMG mount events so 
you can trace the path from a benign-looking filedropper to the actual 
infected application.

In this way osquery can watch the fence-jumping and give you the 
historical play-by-play of what is occurring: if a new launchd shows up 
after a DMG mount event, your chain of cause and effect is captured way 
before VirusTotal can scrape up enough strikes for the AV vendors to 
wake up about that particular strain of an infection.

Finally, one of the built-into-the-core features of osquery is the 
ability for it to both receive configs over https and send the results 
of queries over the wire as well. And a newer table (this is going to 
BLOW YOUR MIND) can parse Apple System Log, perhaps obviating the need 
for most log aggregation and shipping. Not only can osquery gather its 
own criteria, but it can also send scraped data from other logs! I hope 
this dipping-of-a-toe into osquery has piqued your interest. In addition 
to the U of Utah presentation above, I gave talks on leveraging osquery 
from python for Philly Mac Admins, and a more... "entertaining" intro at 
MacDevOps YVR.

https://www.afp548.com/2016/08/23/proactive-mac-security-osquery/
"""

macos
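As an added example (not code from the quoted article or from the osquery project): the "new launchd after a DMG mount" correlation the article describes, run over constructed osqueryd result-log lines. The query names dmg_mounts and launchd_jobs are assumed names from a hypothetical schedule that selects from the built-in mounts and launchd tables, and every path, label and timestamp is made up.

```python
import json

# Constructed sample lines in the differential (one JSON object per line)
# format osqueryd writes to its results log. "dmg_mounts" and "launchd_jobs"
# are assumed query names; the devices, paths and labels are made up.
SAMPLE_RESULTS_LOG = """
{"name":"launchd_jobs","action":"added","unixTime":1484990000,"columns":{"path":"/Library/LaunchDaemons/com.vendor.agent.plist","label":"com.vendor.agent","program_arguments":"/Library/Vendor/agent"}}
{"name":"dmg_mounts","action":"added","unixTime":1485000000,"columns":{"device":"/dev/disk2s1","path":"/Volumes/Free Player"}}
{"name":"launchd_jobs","action":"added","unixTime":1485000120,"columns":{"path":"/Users/alice/Library/LaunchAgents/com.example.helper.plist","label":"com.example.helper","program_arguments":"/Users/alice/Library/Application Support/.helper/helper"}}
{"name":"dmg_mounts","action":"removed","unixTime":1485000300,"columns":{"device":"/dev/disk2s1","path":"/Volumes/Free Player"}}
"""


def parse_results_log(text):
    """Parse newline-delimited JSON result records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate_launchd_with_mounts(events, window_seconds=600):
    """Pair each newly added launchd job with the latest DMG mount before it."""
    mounts = sorted(
        (e for e in events if e["name"] == "dmg_mounts" and e["action"] == "added"),
        key=lambda e: e["unixTime"],
    )
    findings = []
    for e in events:
        if e["name"] != "launchd_jobs" or e["action"] != "added":
            continue
        t = e["unixTime"]
        # Only mounts that happened within the window *before* the job appeared.
        prior = [m for m in mounts if t - window_seconds <= m["unixTime"] <= t]
        if not prior:
            continue  # no mount shortly before this job; nothing to chain
        m = prior[-1]
        findings.append({
            "launchd_path": e["columns"]["path"],
            "label": e["columns"].get("label"),
            "program": e["columns"].get("program_arguments"),
            "mounted_image": m["columns"]["device"],
            "mount_point": m["columns"]["path"],
            "seconds_after_mount": t - m["unixTime"],
        })
    return findings


if __name__ == "__main__":
    for f in correlate_launchd_with_mounts(parse_results_log(SAMPLE_RESULTS_LOG)):
        print(json.dumps(f, indent=2))
```

The vendor daemon added ten thousand seconds before any mount is ignored, while the user LaunchAgent that appears two minutes after the image is mounted is reported together with the device it followed.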
