3 useful ways osquery can help with security compliance
You may not realize it, but osquery can make security compliance a little easier.
Justin Mitzimberg, senior security engineer at Uptycs, explored osquery’s surprising and practical compliance capabilities in his talk at the 2020 osquery@scale event.
“What osquery can do is give you point-in-time attestation to your policies or point-in-time attestation to a specific benchmark,” Justin noted in his presentation. “If you collect all those point-in-time attestations, you can then do audit-time evidence gathering. When an auditor comes and goes, ‘prove it,’ osquery can help you do that.”
The following osquery security compliance tips are drawn from Justin’s talk, which you can see in full at the bottom of the post.
Sign up to get notified about the next osquery@scale event. Details on the 2021 edition are coming soon.
Address the “point in time” problem with osquery
You run queries. You collect and store the data. That’s good, but there’s still a “point in time” issue you’ll need to address.
“If you go back to look at those queries, all the dates and information that you see represent a snapshot of that particular moment in time,” Justin said. If you want to run a report on that data, you—or an auditor—will have to perform a lot of date math, he noted. “You’ll need to do a bunch of backend processing to determine whether what you’re seeing was valid or not at the time.”
With osquery, you can write your queries to handle date logic now so you don’t have to do it later. “By doing this we've done all of the determining whether something is compliant at that particular point in time inside the query and storing that in the central repository,” Justin said. “So now all we have to do is look at that repository for that machine and the compliance data shows that it was compliant at the time of the scan.”
In the following example, which checks to see if Apple software is up to date, the date logic is included in the query:
SELECT DISTINCT '1.1' AS cis_id, key, datetime(value, 'unixepoch') AS value, CASE WHEN date ('now') - value < ( 30 * 86400 ) THEN 'TRUE' ELSE 'FALSE' END compliant FROM preferences WHERE domain = 'com.apple.softwareupdate' AND key = 'LastFullSuccessfulDate';
Osquery + YARA = A kind of DLP
GDPR requires organizations to control their data—both where it sits in their systems and where it’s being processed. Companies often turn to data loss prevention (DLP) products to meet this requirement.
There’s another option. Combine osquery, file integrity monitoring (FIM), and YARA and you’ve got a “kind of DLP,” Justin said. Using YARA and osquery together allows for targeted scanning that spots issues while minimizing resource usage.
“YARA is basically a way to search files for strings, so if you have pieces of sensitive information that you know exist in your environment, you can create YARA rules for those pieces of sensitive information and then run them against your entire enterprise to find out where those things exist,” he said.
Scan your Wi-Fi networks with osquery and Macs
Organizations should scan their Wi-Fi networks frequently to stay on top of compliance requirements. “That usually means your networking people are running around with a laptop looking rather frantic, trying to determine if something is supposed to be there or not,” Justin said.
All that running around may not be necessary if you’re using osquery.
“All you need is a bunch of Apple computers in your environment, because osquery has the
wifi_survey table,” he said. “This gives you the ability to use Wi-Fi survey mode in all your Macs. You’ll be able to scan pretty much anywhere in your organization. You can do this at whatever frequency you want, and collect that information centrally. You can then provide that information to your auditor when they ask for it.”
Learn more about osquery and security compliance
Watch Justin's full talk from osquery@scale (below) for more tips on using osquery to meet compliance requirements.
- Osquery: What it is, how it works, and how to use it
- Uptycs case study: Cloud/server workload protection and FedRAMP certification