Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Travis
12/15/2020, 8:12 PMAre there ways to know if a user is trying to spoof OS Query data? What certainties do we have that data collected has not been tampered with. I would guess File integrity monitoring helps here
f
fritz
12/15/2020, 8:15 PMVery interesting question @Travis, to better answer, could you give me an example of what data might be spoofed?
t
Travis
12/15/2020, 8:17 PMmore of just a general thought about if it could be done. I mean you could always place OS query in a VM and set up whatever you want but I was curious if could catch if folks were trying to adjust the OS query config
f
fritz
12/15/2020, 8:21 PMI guess I am still trying to understand the proposed attack pattern. Let's break this down into a smaller question and make some basic assumptions to help us narrow the scope.
For example:
On a macOS device, can the SIP configuration attestation be subverted/spoofed?
How is this data collected by osquery today?
SELECT * FROM sip_config;
+----------------------------+---------+---------------+
| config_flag | enabled | enabled_nvram |
+----------------------------+---------+---------------+
| sip | 1 | 1 |
| allow_apple_internal | 0 | 0 |
| allow_device_configuration | 0 | 0 |
| allow_kernel_debugger | 0 | 0 |
| allow_task_for_pid | 0 | 0 |
| allow_unrestricted_dtrace | 0 | 0 |
| allow_unrestricted_fs | 0 | 0 |
| allow_unrestricted_nvram | 0 | 0 |
| allow_untrusted_kexts | 0 | 0 |
+----------------------------+---------+---------------+t
Travis
12/15/2020, 8:23 PMSure, I'll get some specifics from a dev on our team that felt they could send false data
f
fritz
12/15/2020, 8:23 PMSo @seph probably has some interesting proposed hypotheticals for how this could be spoofed or subverted.
The first way I see would be building your own osquery binary from source wherein you modified the underlying table code to hardcode the values, instead of dynamically retrieving them via the normal API calls that the table would make.
The other variable we would want to control for would be whether the device was running a vanilla osquery agent vs Kolide's prepackaged osquery via launcher.
Is your question in reference to our SaaS offering K2 or just plain-old vanilla osquery?
t
Travis
12/15/2020, 8:33 PMSaaS Kolide
t
terracatta
12/15/2020, 9:03 PMHi Travis,
We did not design our system to be robust against a motivated user who wants to intentionally spoof responses.
With that said, am confident that if you were suspicious about tampering by an end-user we could likely work with you to prove the responses were spoofed after the fact.
If the engineer wants to explain what their plan was to spoof data, I'd love to hear about it though so we can understand their thought process.
t
Travis
12/15/2020, 9:08 PMThanks, I'll be sure to pass the details along when I get them. Personally I'm not so worried because if an attacker is coming in I really doubt they will have OS Query installed and be able to property spoof device details well enough to evade our SIEM flagging the actor as suspicious.
t
terracatta
12/15/2020, 9:10 PMyeah if they have that level of access, i'd imagine they would be doing much more interesting things than that
➕ 1