Title
#kolide
t

Travis

12/15/2020, 8:12 PM
Are there ways to know if a user is trying to spoof OS Query data? What certainties do we have that data collected has not been tampered with. I would guess File integrity monitoring helps here
f

fritz

12/15/2020, 8:15 PM
Very interesting question @Travis, to better answer, could you give me an example of what data might be spoofed?
t

Travis

12/15/2020, 8:17 PM
more of just a general thought about if it could be done. I mean you could always place OS query in a VM and set up whatever you want but I was curious if could catch if folks were trying to adjust the OS query config
f

fritz

12/15/2020, 8:21 PM
I guess I am still trying to understand the proposed attack pattern. Let's break this down into a smaller question and make some basic assumptions to help us narrow the scope. For example: On a macOS device, can the SIP configuration attestation be subverted/spoofed? How is this data collected by osquery today?
SELECT * FROM sip_config;
+----------------------------+---------+---------------+
| config_flag                | enabled | enabled_nvram |
+----------------------------+---------+---------------+
| sip                        | 1       | 1             |
| allow_apple_internal       | 0       | 0             |
| allow_device_configuration | 0       | 0             |
| allow_kernel_debugger      | 0       | 0             |
| allow_task_for_pid         | 0       | 0             |
| allow_unrestricted_dtrace  | 0       | 0             |
| allow_unrestricted_fs      | 0       | 0             |
| allow_unrestricted_nvram   | 0       | 0             |
| allow_untrusted_kexts      | 0       | 0             |
+----------------------------+---------+---------------+
t

Travis

12/15/2020, 8:23 PM
Sure, I'll get some specifics from a dev on our team that felt they could send false data
f

fritz

12/15/2020, 8:23 PM
So @seph probably has some interesting proposed hypotheticals for how this could be spoofed or subverted. The first way I see would be building your own osquery binary from source wherein you modified the underlying table code to hardcode the values, instead of dynamically retrieving them via the normal API calls that the table would make.
8:24 PM
The other variable we would want to control for would be whether the device was running a vanilla osquery agent vs Kolide's prepackaged osquery via launcher.
8:26 PM
Is your question in reference to our SaaS offering K2 or just plain-old vanilla osquery?
t

Travis

12/15/2020, 8:33 PM
SaaS Kolide
terracatta

terracatta

12/15/2020, 9:03 PM
Hi Travis, We did not design our system to be robust against a motivated user who wants to intentionally spoof responses. With that said, am confident that if you were suspicious about tampering by an end-user we could likely work with you to prove the responses were spoofed after the fact.
9:05 PM
If the engineer wants to explain what their plan was to spoof data, I'd love to hear about it though so we can understand their thought process.
t

Travis

12/15/2020, 9:08 PM
Thanks, I'll be sure to pass the details along when I get them. Personally I'm not so worried because if an attacker is coming in I really doubt they will have OS Query installed and be able to property spoof device details well enough to evade our SIEM flagging the actor as suspicious.
terracatta

terracatta

12/15/2020, 9:10 PM
yeah if they have that level of access, i'd imagine they would be doing much more interesting things than that