

Peering into an organization's IT infrastructure in real time is essential to security analysts searching for malicious activity. One tool that does just that, and that's gaining popularity among DevSecOps practitioners, is osquery. Osquery (pronounced OS-kwery) was developed by Facebook to make low-level operating system monitoring on endpoints and servers easier for its security team. Facebook made the tool an open-source project in 2014.

An osquery agent needs to be deployed on your organization's endpoints and servers, and some back-end modifications are required. But once that's done, you can make SQL queries to your endpoints. Osquery lets you collect operating system information, such as network, memory, service, process activity, and configurations, on a scheduled basis, or you can query in real time with the widely used Structured Query Language (SQL).

Fernando Montenegro, a senior analyst with 451 Research, sums up the value to security teams: "Conceptually, it's very simple, but it's very powerful because it takes care of all the plumbing you need to connect to the agent and do authentication."

Here's how osquery can benefit your security team.

Osquery was born out of the need for a security solution that addressed the demands of companies with cloud-native environments. Most of their servers were running on Linux in public and private clouds, and most of their developers were on Macs. The existing commercial security market was aimed at Windows and traditional enterprise infrastructure, and still mostly is, said Doug Wilson, director of security for Uptycs, which makes an osquery-based security platform. "Most security companies that now offer Mac and Linux are doing it in a checkbox fashion and have only a tiny fraction of the resources devoted to these new operating systems, compared to the vast engineering teams they have working on Windows products."

Since osquery was designed for companies with newer types of infrastructure, and because it offers an array of benefits those companies find enticing, it is being embraced by businesses that work at scale, including Lyft, Netflix, Etsy, Salesforce, and others.

Cross-platform support

An especially attractive aspect of osquery is that it works across platforms. "You can provide one primary interface via SQL for system-level information for multiple operating systems," said Alexander Hoole, head of software security research at Micro Focus. That means you can use an SQL query fashioned for osquery to collect data from Linux, macOS, and Windows.

Osquery was originally created for macOS and Linux, with Windows support added later, and that has created complications for Windows users. "There are still a lot of things that are easier on Mac and Linux than they are on Windows," 451's Montenegro said.

Tables that support SQL queries in osquery can be operation-specific, which can make them operating-system-specific, too. Take, for example, a query written to find kernel-loadable modules. "You are only going to be able to find out the kernel modules loaded on a Linux box because the notion of a kernel-loadable module doesn't exist in macOS," Hoole explained.

Osquery fans also like the tool's breadth of functionality and ease of customization. "If a developer wants to add new functionality that is not easily added to the osquery core code, they can write and test an extension, and deploy that new functionality alongside osquery in a fraction of the time it would take to get a feature added into a traditional security product," Uptycs' Wilson said. "Although osquery will never do everything that a security team needs, it gets about 80% of what you need for endpoint insight in one package."

What's more, there's the added benefit that SQL can be used instead of dozens of esoteric system commands with different syntaxes, command switches, and types of output. "Instead of having to learn a custom API or custom interface, you can just write SQL queries against tables to retrieve information about systems," Micro Focus' Hoole said.

For instance, a query could be written to flag servers with a root login within a certain time frame. You can use access to that kind of user session data to see where and when specific logins are occurring within your organization's infrastructure. This is important when performing an audit of a system or investigating a breach. You can also write queries for discovering primary disks that are unencrypted on a system or processes running without a binary on disk. The encryption query could reveal information that should be encrypted and isn't, an important consideration for compliance. The process query could reveal a system breach, as attackers often run a malicious process after destroying its binary on disk.
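The queries described above (root logins in a time window, processes with no binary on disk, an unencrypted primary disk) and the OS-specific kernel-module table mentioned under cross-platform support, written out as an added example in osquery's SQLite dialect. This is not code from the article or from the osquery project; the table and column names (last, processes, users, mounts, disk_encryption, kernel_modules) are osquery schema tables, but which of them exist depends on the platform the agent runs on, and the join in the disk-encryption query assumes mounts.device and disk_encryption.name report the same device string, which you should check against the schema of your osquery version.

```sql
-- Added example queries for osquery (osqueryi or an osqueryd schedule).
-- Table/column names follow the osquery schema; platform availability varies.

-- 1. Root logins in the last 24 hours (the 'last' table reads login records
--    on Linux/macOS). 'time' is a Unix epoch; strftime('%s','now') is the
--    current epoch in SQLite, so the window is expressed in seconds.
SELECT username, tty, host, datetime(time, 'unixepoch') AS login_time
FROM last
WHERE username = 'root'
  AND time >= strftime('%s', 'now') - 86400
ORDER BY time DESC;

-- 2. Running processes whose executable is no longer on disk.
--    on_disk is 1 when the binary exists, 0 when it has been removed,
--    -1 when osquery could not determine it. Joining users gives the owner.
SELECT p.pid, p.name, p.path, p.cmdline, u.username
FROM processes AS p
LEFT JOIN users AS u ON p.uid = u.uid
WHERE p.on_disk = 0;

-- 3. Encryption state of the primary (root) volume. disk_encryption is
--    available on macOS and Linux. ASSUMPTION: the device string in
--    mounts.device matches disk_encryption.name on your platform.
SELECT m.path, m.device, d.encrypted, d.type
FROM mounts AS m
JOIN disk_encryption AS d ON d.name = m.device
WHERE m.path = '/';

-- 4. Loaded kernel modules: a Linux-only table, which is the kind of
--    OS-specific table the article's cross-platform caveat refers to.
--    The same query returns "no such table" on a macOS or Windows agent.
SELECT name, size, status, used_by
FROM kernel_modules
ORDER BY name;
```

To run these on a schedule rather than interactively, each statement goes into the "schedule" section of the osqueryd configuration with an interval in seconds; query 2 in particular is worth scheduling with a short interval and shipping the diff results to your log pipeline, since a process surviving after its binary was deleted is the condition the text flags as a likely breach indicator.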
