#osquery
hackernewsrobot · 8 months ago
Text
SQL powered operating system instrumentation, monitoring, and analytics
https://github.com/osquery/osquery
3 notes · View notes
theenterprisemac · 4 months ago
Text
Jamf - Extension Attribute Dark Arts
I am sure many who may read this blog may already know this, but this isn't for you. This post is for people who don't know the dark arts of extension attributes.
Extension Attributes and Recon
As you should know, extension attributes run during recon, and the more recons you run the more times this data is collected. You should also be aware that the more attributes you have, and the more complex they are, the slower recon can get. Take it from someone who ran a Jamf server with over 100 extension attributes–recon can become unusable.
So how can we do better?
Well the first thing is you need to make your extension attributes fast. You should be optimizing what you are running and how it's being run to make the attribute as fast as possible. One of the easy button methods is using tools like OSQuery to collect the data you need.
An example of this would be collecting installed Chrome extensions into an extension attribute. You could do this via script, but it's much faster to use OSQuery. See this example.
Another thing to consider is that you have various ways of getting the data into Jamf. You can of course simply have the script run and output a value into the attribute. You can also leave the value in a file that Jamf can collect later. Keep that in mind–we will use it.
This takes us to the real dark art of extension attributes: the delayed attribute. If you have lots of attributes you likely also have attributes that don't need to be run every time.
Fortunately, you have options–just run them as recurring policies on whatever interval makes sense. You can then collect the information from some form of on device file or database during recon at speed.
A note on the database: using sqlite3 here is hugely powerful because you can keep a historical log of the value over time, and that can be valuable for troubleshooting. This is not the easiest, but it is very powerful.
The most important thing to note is that you need to have the ability to call these policies–beyond just the recurring event. Here is why: imagine the user deletes your data or something goes wrong–you want to make sure that those values are recaptured.
There are a wide range of ways to do this, but the easy way is to have a policy that runs the script to collect the data which is called by either a policy that runs on a recurring basis or by an immediate run policy to catch things up. You are simply scoping the catch up policy to computers with some consistent "not present" value.
You will note in the example attribute I linked to that if it can't run OSQuery it will put "Error" in the attribute field. You can use this and "is empty" to scope your catch-up policy against.
Yes, this is more policies, but now you can have policies run on a non-standard interval. Your computation times are relaxed, and if you are clever you don't even have to collect the value on every machine, or all the time.
Do note that if you have lots of these policies, then you will potentially need to run them via an orchestrator script. Sometimes having a single policy that calls the other ones and does dependency checking (discussed later) can be a better experience.
API?
A note on using API calls to write attributes: this is not optimal because you are now passing authentication data around to the endpoints. Nothing in your extension attributes stored on the machine should be sensitive–so by using the API you are introducing more risk. You can of course build some manner of middle-ware etc, but that is beyond the scope here.
The bottom line is, thinking about security, the data collected needs to be low risk if it's being stored in a file, and you don't want to be passing sensitive credentials or keys in your attributes.
Calling Policies in Extension Attributes
Something you may never have considered is that you can actually call a policy from an extension attribute–I have done this. Will this work–yes. Should you do it–absolutely not! You will create all manner of horrible corner cases when you do. Jamf gets very unhappy when you slow recon down, and this will do just that. Furthermore, when you start having multiple Jamf processes nested together, things get pretty unstable around level four or five. I have had as many as seven layers, and it is pretty much hit or miss as to whether it works.
At that point you need to build a Jamf process orchestrator, and then at that point you really are going off the deep end most likely and need to bring things back down to earth a bit.
I raise this specter not to encourage, but to head off anyone who thinks this could be the right way to do catch ups on your extension attributes.
Consider the Dependencies
If you have dependencies such as OSQuery etc. required for your extension attributes, then each of those tools needs rapid, working and present extension attributes to make sure your attributes all work. Furthermore, those dependencies should also have corrective actions baked into your delayed run policies.
0 notes
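An added example of the delayed-attribute pattern the post describes (this is not the author's code or the linked attribute): a collector function meant for a recurring or catch-up policy writes osquery output to a cache file, and the extension attribute itself only reads that cache during recon, reporting "Error" when the cache is missing or stale so a catch-up policy can be scoped on that value. The cache path and the osqueryi location are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. Two halves of a "delayed" extension attribute:
#   collect_chrome_extensions  runs from a recurring (or catch-up) policy and caches osquery output
#   ea_read                    is the extension attribute body; during recon it only reads the cache
# Paths below are assumptions; adjust them to your deployment.
CACHE_DIR="${CACHE_DIR:-/Library/Application Support/JAMF/ea_cache}"
CACHE_FILE="$CACHE_DIR/chrome_extensions.txt"
OSQUERYI="${OSQUERYI:-/usr/local/bin/osqueryi}"
MAX_AGE_SECS=$((7 * 24 * 3600))   # older than a week counts as stale -> "Error" -> catch-up policy

collect_chrome_extensions() {
    # Slow part: lives in a policy, never in recon. Returns non-zero when osquery is missing,
    # so the policy log records the dependency failure the post warns about.
    [ -x "$OSQUERYI" ] || { echo "osqueryi not found at $OSQUERYI" >&2; return 1; }
    # Keep the cache root-owned and not world-writable: a user-writable cache would let a
    # local user feed bogus inventory values into Jamf.
    mkdir -p "$CACHE_DIR" && chmod 755 "$CACHE_DIR"
    "$OSQUERYI" --csv --header=false \
        "SELECT users.username, chrome_extensions.name, chrome_extensions.version
           FROM users CROSS JOIN chrome_extensions USING (uid);" > "$CACHE_FILE.tmp" \
        && mv "$CACHE_FILE.tmp" "$CACHE_FILE"
}

ea_read() {
    # Fast part: no osquery call at recon time. Prints the <result> element Jamf expects.
    local file="${1:-$CACHE_FILE}" mtime now
    if [ ! -s "$file" ]; then
        printf '<result>Error</result>\n'
        return 0
    fi
    # GNU stat first, BSD/macOS stat as fallback, so the same function runs on both.
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    now=$(date +%s)
    if [ $((now - mtime)) -gt "$MAX_AGE_SECS" ]; then
        printf '<result>Error</result>\n'
        return 0
    fi
    # One line per extension, joined with ';' so the value fits a single attribute field.
    printf '<result>%s</result>\n' "$(tr '\n' ';' < "$file")"
}

# Extension attribute script body: only read the cache.
ea_read
```

Scope the catch-up policy to computers whose attribute value is "Error" or empty, and have that policy call collect_chrome_extensions before the next recon.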
yanming-blog · 3 years ago
Text
Tool introduction - osquery
Description
osquery is an open-source tool developed by Facebook. As the name suggests, its selling point is retrieving OS information the same way you would query a database. Besides the installer version, a portable (no-install) version is also provided. Before getting started, it helps to look at the schema that osquery provides.
Using osqueryi
After installation, use the osqueryi command to enter the interactive interface. The following demonstrates with the hash schema. When querying the hash schema you must use WHERE to specify a file or a directory; with a directory, the hash values of all files in that directory are returned.
osqueryi "SELECT * FROM hash WHERE path = 'path/to/file'"
The command above lists the file's hash values and prints every column.
osqueryi "SELECT * FROM hash WHERE directory = 'path/to/directory'…
View On WordPress
0 notes
instanttitta · 3 years ago
Text
Uninstall osquery
There are three main ways that Ansible can be used to install software:
This sources the program data from the default
Internal repositories can be used instead by setting the source option.
Using the win_command or win_shell module to run an installer manually.
The win_chocolatey module is recommended since it has the most complete logic for checking to see if a package has already been installed and is up-to-date.
Below are some examples of using all three options to install 7-Zip:
#UNINSTALL OSQUERY WINDOWS#
Ansible can be used to orchestrate a multitude of tasks on Windows servers.
Below are some examples and info about common tasks.
Replace the, "sql" : "SELECT name, version, path FROM users JOIN firefox_addons USING (uid) ", "last_run_create_time" : "T12:30:00.000Z", "next_run_time" : "T12:30:00.
To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP Headers.
Available on majority of environments. Use the Carbon Black Cloud Console URL, as described here.
All API calls require an API key with appropriate permissions; see Authentication.
Authentication: Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.
Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control. All APIs and Services authenticate via API Keys.
#UNINSTALL OSQUERY FULL#
For a full list of supported Sensor versions and OSs, click here.
Note: For returning users, three sub-fields inside device_filter named: device_ids, policy_ids, and device_types, have been deprecated in favor of device_id, policy_id, and os, respectively.
Support for Windows, Mac, and Linux sensors.
Fine-tune automated queries per your specific needs with the broad range of Recurrence Rules.
Use Templates to automate your security and IT hygiene further.
Use Live Query Extension Tables for further insight into the Carbon Black Cloud sensor.
Get SQL query recommendations created by Carbon Black security experts.
Audit and Remediation is a real-time query and remediation solution that gives teams faster, easier access to audit and change the system state of endpoints across their organization. It contains three components: Live Response, Live Query, and Differential Analysis. This document describes the Live Query API - formerly called CB LiveOps. With Live Query, you can ask questions of endpoints and quickly identify areas for improving security and IT hygiene by using recommended SQL queries created by Carbon Black security experts or by crafting your own. Live Query is powered by, an open-source project that uses an SQLite interface.
0 notes
hackgit · 3 years ago
Text
Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and...
Forwarded from Pentesting News
Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)
https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/
Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation
https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
Hunting for Persistence in Linux: Part 3 - Systemd, Timers, and Cron
https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron
Part 4 - Initialization Scripts and Shell Configuration
https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration
Part 5 - Systemd Generators
https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators
#Offensive #security #cybersecurity #infosec
Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery, and Webshells - pepe berba An introduction to monitoring and logging in linux to look for persistence.
3 notes · View notes
seshupasam · 8 years ago
Text
Docker and osquery
If you are into security you might have heard about osquery. It is an extremely powerful tool that can be used for various purposes:
Real time endpoint monitoring
Anomaly detection
File integrity monitoring
Metrics (prometheus)
Container (docker) monitoring
syslog aggregation
Numerous enterprises big and small from all verticals are using it, or planning on using it. It is being deployed to…
View On WordPress
0 notes
cvereport · 3 years ago
Text
CVE-2022-24841
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue. source https://cve.report/CVE-2022-24841
0 notes
hackernewsrobot · 1 year ago
Text
Osquery: An sqlite3 virtual table exposing operating system data to SQL
https://osquery.io/
0 notes
releaseteam · 3 years ago
Link
via Twitter https://twitter.com/releaseteam
0 notes
yanming-blog · 3 years ago
Text
Getting a file's hash value with Linux commands
A hash value is a unique value derived from data by a specific algorithm. It is a one-way function, meaning the original file content cannot be recovered from the hash. This property lets you check whether a file has changed and compare whether two files are the same. An earlier post covered how to get file hashes on Windows. Here are a few commands for getting hash values on Linux.
md5sum: use md5sum to get a file's MD5 value.
sha1sum: use sha1sum to get a file's SHA1 value.
sha256sum: use sha256sum to get a file's SHA256 value.
Conclusion: the commands above produce file hash values and are simple and easy to remember overall. Just add the file path after the command.
Further reading: PowerShell - getting a file's hash value; Tidbit - ways to generate a file's hash value; Tool introduction - osquery
References: wiki: Hash_function
View On WordPress
0 notes
ericvanderburg · 7 years ago
Text
Malware Analysis using Osquery | Part 2
http://dlvr.it/QjKYBj #blockchain
1 note · View note
spaf · 4 years ago
Link
osquery
0 notes
hackgit · 2 years ago
Text
[Media] Security Onion 2.
Security Onion 2.3 Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, and case management. It also includes other tools such as Playbook, osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek. https://github.com/Security-Onion-Solutions/securityonion
0 notes
masaa-ma · 6 years ago
Text
osquery - Get system information with SQL
from http://www.moongift.jp/2019/08/osquery-%e3%82%b7%e3%82%b9%e3%83%86%e3%83%a0%e6%83%85%e5%a0%b1%e3%82%92sql%e3%81%a7%e5%8f%96%e5%be%97/
When working in a terminal, you often find yourself wanting system information. For commands you use only now and then, you probably end up looking up their usage and output every time. Each command works differently, so combining them is a hassle as well.
That is where osquery comes in. It lets you use SQL to look up system information.
How to use osquery
Listing users.
osquery> SELECT uid, username FROM users;
+------------+------------------------+
| uid        | username               |
+------------+------------------------+
| 83         | _amavisd               |
| 263        | _analyticsd            |
| 55         | _appleevents           |
| 260        | _applepay              |
| 87         | _appowner              |
| 79         | _appserver             |
| 33         | _appstore              |
Since these are queries, joins work too. This one looks up listening ports.
osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid
   ...> FROM listening_ports JOIN processes USING (pid)
   ...> WHERE listening_ports.address = '0.0.0.0';
+----------------------+-------+-----+
| name                 | port  | pid |
+----------------------+-------+-----+
| loginwindow          | 0     | 121 |
| assistantd           | 0     | 435 |
| Dropbox              | 17500 | 471 |
+----------------------+-------+-----+
This gets MAC addresses and how often each one appears. Subqueries are supported.
osquery> SELECT address, mac, mac_count
   ...> FROM
   ...> (SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac)
   ...> WHERE mac_count > 1;
+-----------------+-------------------+-----------+
| address         | mac               | mac_count |
+-----------------+-------------------+-----------+
| 255.255.255.255 | ff:ff:ff:ff:ff:ff | 2         |
+-----------------+-------------------+-----------+
What makes osquery interesting is that, by documenting its structure, it lets you retrieve information freely through osquery. Most developers know SQL, so pulling out information should become very easy. Installing it on servers looks like it would make many things go more smoothly.
osquery is open-source software written in C++ (dual-licensed under the GPL and Apache License 2.0).
osquery/osquery: SQL powered operating system instrumentation, monitoring, and analytics.
0 notes
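The duplicate-MAC subquery in the article is the seed of a simple ARP-spoofing check. As an added example (not code from the article), this shell pipeline feeds osqueryi's CSV output of the arp_cache table through an awk filter that drops the broadcast entry the article's own output shows and reports any remaining MAC bound to more than one IP address. The osqueryi path and the '|' column separator are assumptions.

```bash
#!/bin/bash
# Added example, not from the article: flag MAC addresses that appear under more than one IP in
# the ARP cache. One MAC answering for several IPs is a classic ARP-spoofing symptom, although
# routers, VRRP/HSRP gateways and some VMs do this legitimately, so treat hits as leads to verify.
OSQUERYI="${OSQUERYI:-/usr/local/bin/osqueryi}"   # assumed install location

# Reads "address<sep>mac" lines from stdin. Accepts '|' (osqueryi --csv separator, assumed) or ','.
# Prints "mac count ip1 ip2 ..." for every MAC seen with more than one address.
dup_macs() {
    awk -F '[|,]' '
        $2 == "ff:ff:ff:ff:ff:ff" { next }          # broadcast entries repeat by design
        { n[$2]++; ips[$2] = (ips[$2] == "") ? $1 : ips[$2] " " $1 }
        END { for (m in n) if (n[m] > 1) print m, n[m], ips[m] }
    ' | sort
}

# Live check: the same filter over the real arp_cache table on this host.
arp_check() {
    [ -x "$OSQUERYI" ] || { echo "osqueryi not found at $OSQUERYI" >&2; return 1; }
    "$OSQUERYI" --csv --header=false "SELECT address, mac FROM arp_cache;" | dup_macs
}
```

Run arp_check on a schedule and alert on non-empty output; dup_macs alone can be pointed at saved osquery results for offline review.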
kalilinux4u · 7 years ago
Photo
@TheHackersNews : Malware Analysis Using Osquery [Part 1] https://t.co/T8aglGLJLv Learn how to analyze different malware families, types of events generated on the endpoint and use Osquery to detect them. https://t.co/aryxMfc4gO
1 note · View note
hackernewsrobot · 6 years ago
Text
Osquery: SQL powered operating system instrumentation, monitoring, and analytics
https://github.com/osquery/osquery
0 notes