Hi, I was thinking of writing an extension to encrypt portions of the information, but I'm not exactly sure what the best approach is. The idea was to encrypt certain columns of certain tables, so I thought that when the queries run on the hosts and the information is sent, maybe a custom logger could be the best option. Another idea was to create a custom table just to encrypt input information (select ciphertext from encrypter where cleartext=abc and key=def). If anyone knows about existing projects or articles about osquery + protecting sensitive information, please share. Thanks
02/03/2020, 4:45 PM
You have concerns about the data being readable while in your logging pipeline?
I'd like to hear more about what the concerns are, but my instinct would be that if you really need to encrypt the data before logging it, you're best doing so within a custom logger plugin.
02/03/2020, 5:35 PM
the way folks have solved this kind of issue is by restricting access to log data on the server, and specifying ACLs for who has visibility into specific log buckets
as far as encryption, osquery encrypts all data it transports to a server
02/04/2020, 10:11 AM
well, the concerns were more on the lack of role/permissions to access this information (if doing live queries) and how to store it more safely (for the scheduled/pack scenario). We can always encrypt the osquery results log file and add some more controls from there before it leaves fleet server
02/04/2020, 5:20 PM
Authorization around live queries is something I've looked at adding into Fleet (get in touch if you are interested in sponsoring this work). For the log file, I'd think you are best off controlling the access to the Fleet server and logging pipeline, but it could probably be possible to encrypt fields in the logs using Logstash or some other tooling before shipping it off.