Are fleetd/osqueryd protected processes? <https://...
# fleet
m
z
No. Osquery has never made any effort towards doing this. On most systems this has historically meant being a kernel extension which comes with its own security and stability concerns. On macOS these days it might be possible to do something with the endpointsecurity framework?
m
Got it. @sharvil any ideas? This would be a great thing to document in a FAQ so we can link folks (comes up from time to time- not often, but enough that I’ve always just forgotten the answer)
s
(I can’t see the linkedin post because I don’t have linkedin) but.. Protected Process is windows specific, which I believe means it’s “code-signed” (iirc windows calls it CodeIntegrity) which makes it harder to tamper and hook into the process. On macOS code-signatures are quite heavily used, and osqueryd is code signed, notarized, and we have enabled hardened runtime on it. These all make it quite tamper-proof on macOS
z
Ah I was interpreting it as a process that can't be terminated
s
The SystemExtension part of EndpointSecurity on macOS, gives it a higher boot priority (and I believe harder to kill the process) — this is something we don’t do now for osquery (requires another entitlement, and moving osquery.app to /Applications)
I believe the osquery foundation has the system extension entitlement granted, so it is something that can be done in the future
j
I love this discussion. I'd really be interested to see orbit and/or osqueryd move into the "Anti-Tampering" style of process
m
fyi @Mo Zhu