openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

Posture checks using osquery #2267

Open bengcooper opened 1 month ago

bengcooper commented 1 month ago

osquery is a system instrumentation framework which supports Windows, macOS, and Linux, which presents system analytics as a relational database and allows you to explore it using SQL queries.

As an example, the following query would show you primary disks that are unencrypted on a Linux machine (copied from the project homepage):

SELECT * FROM mounts m, disk_encryption d
WHERE m.device_alias = d.name AND m.path = "/" AND d.encrypted = 0;

With a small modification, this query can be turned into one which returns a boolean result if there are no unencrypted primary disks:

SELECT 1 FROM mounts m CROSS JOIN disk_encryption d
WHERE m.device_alias = d.name AND m.path = "/" AND d.encrypted = 0;

I think this approach could pair fantastically with OpenZiti's posture checks. My idea/feature request is that osquery queries can be added as a type of posture check which are then run and verified on the client.

andrewpmartinez commented 1 month ago

This is an interesting integration. I did a quick once-over of the project's documentation.

1) This requires a daemon to be installed on the endpoint devices
2) Failure to install or have the daemon running would result in Posture Check failures as queries couldn't be run
3) This would require some configuration for OpenZiti SDKs to connect to the daemon
4) Queries must be stored/configured via the Management API to be enforced as Posture Checks.
5) The new posture check type(s) must be synchronized and supported on Routers and SDKs.

I am curious to know how mature the project is as it is my first time learning about it. Specifically, I need to find out how version-sensitive their data/schema is. Since they are using SQL, I assume that the SQL portion has low volatility.

Any thoughts or feedback on the above would be appreciated.

We are currently working on multiple controller high availability and other big efforts that take up most of the 2024 calendar. I do not know if or when this would be worked into the schedule. At this time I do believe it is worth mulling over the cost-benefit.

bengcooper commented 1 month ago

Thanks for the comments, I appreciate you taking the time to have a skim.

My personal assessment is that osquery is a mature project - it was originally developed by Facebook in 2014, and became a Linux Foundation project in 2019. It's all under Apache 2.0 or GPL 2 license, and it is also a core component of multiple commercial products including Fleet MDM (which partially inspired this feature request) and Kolide.

Skimming the project's changelog, it appears that deprecations and removals of existing tables/schemas aren't a common occurrence so I would say it appears to be fairly stable in that regard.

What I've gathered from the documentation is that you'd need to author an extension which can communicate with an osquery process over a local Thrift socket. Provided you have root/admin permissions it seems that you could execute an interactive/non-daemon instance, do the queries, and then terminate the process, possibly avoiding the need to have the daemon running in the background (it appears to be more geared for periodically running pre-configured queries and collecting/uploading logs).

I totally understand you have a number of other priorities - I had a chat with one of your team the other week and then saw the open issues for other posture checks so thought I'd throw the idea out there!
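The sketch below is an added illustration and is not OpenZiti code or anything proposed by the participants above; it ties together the unencrypted-root-disk query from the first comment and the "run a one-shot osqueryi instead of the daemon" idea from the last one. `osqueryi --json "<sql>"` is a real osqueryi invocation and it prints a JSON array of objects whose values are all strings; everything else (the `PostureQuery` type, the "pass when the result set is empty" rule, the name `rootDiskEncrypted`) is an assumption made for the example. Root/admin privileges are needed for tables such as `disk_encryption`, and the check fails closed when osqueryi is missing, times out, or returns something that does not parse.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
	"time"
)

// PostureQuery is a hypothetical posture-check definition (not an OpenZiti
// type): an osquery SQL statement plus the rule that turns its result set
// into pass/fail.
type PostureQuery struct {
	Name string
	SQL  string
	// PassWhenEmpty: the check passes only if the query returns no rows
	// (e.g. "no unencrypted root disk"). When false, the check passes only
	// if the query returns at least one row.
	PassWhenEmpty bool
}

// osqueryi --json prints an array of objects; every value is a string,
// even for integer columns such as disk_encryption.encrypted.
type row map[string]string

// Evaluate applies the query's pass rule to raw osqueryi --json output.
// It fails closed: output that cannot be parsed is a failed check, never a pass.
func (q PostureQuery) Evaluate(output []byte) (bool, error) {
	var rows []row
	if err := json.Unmarshal(output, &rows); err != nil {
		return false, fmt.Errorf("%s: cannot parse osquery output: %w", q.Name, err)
	}
	if q.PassWhenEmpty {
		return len(rows) == 0, nil
	}
	return len(rows) > 0, nil
}

// Run executes the query with a one-shot osqueryi process (no osqueryd
// daemon required) and evaluates the result. A missing binary, a non-zero
// exit or a timeout is returned as an error so the caller can count it as a
// failed check rather than a pass.
func (q PostureQuery) Run(ctx context.Context) (bool, error) {
	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
	defer cancel()
	out, err := exec.CommandContext(ctx, "osqueryi", "--json", q.SQL).Output()
	if err != nil {
		return false, fmt.Errorf("%s: osqueryi failed: %w", q.Name, err)
	}
	return q.Evaluate(out)
}

// rootDiskEncrypted is the homepage query from the first comment, written
// with an explicit JOIN and single-quoted string literal. Any row it
// returns is an unencrypted device mounted at "/", so the check passes
// only when the result set is empty.
var rootDiskEncrypted = PostureQuery{
	Name: "root-disk-encrypted",
	SQL: `SELECT m.path, d.name FROM mounts m JOIN disk_encryption d
	      ON m.device_alias = d.name WHERE m.path = '/' AND d.encrypted = 0;`,
	PassWhenEmpty: true,
}

func main() {
	pass, err := rootDiskEncrypted.Run(context.Background())
	fmt.Printf("%s: pass=%v err=%v\n", rootDiskEncrypted.Name, pass, err)
}
```

Keeping `Evaluate` separate from `Run` lets the pass/fail rule be exercised against captured osqueryi output without osquery installed, and makes the fail-closed behaviour explicit: an endpoint where the query cannot be run (points 1 and 2 in the list above) is treated exactly like an endpoint that failed the query.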