Osquery mac

The osquery framework exposes your operating system as a relational database on which you can run SQL queries to find specific data about your system. OS concepts such as users, network routes, CPUs and Docker containers are exposed as tables which can be queried. This approach lets you select, filter and aggregate data about the operating system and its surrounding components using one single query language.

📌 For the following part of this post, I highly recommend having Docker and osquery installed on your workstation so that you can try the examples on your own OS. This will make the results more meaningful and help you understand how osquery works.

We will now switch to a practical example to demonstrate how osquery can help us audit some Docker container security flaws. In this example, we have a Linux server running a Docker daemon.

When running containers in production with Docker, bad configurations can easily lead to vulnerable environments: privileged containers, processes inside a container running as the root user, or a lack of AppArmor profiles for security restrictions are some common examples. An attacker who exploits an application vulnerability inside the container could use this lack of restrictions to gain access to the host or to other servers on your network. Using osquery, we will query the Docker daemon like a relational database and quickly identify these security flaws.

📌 If you are already familiar with osquery, feel free to skip to the next chapter, "Houston, we have a vulnerable container", to start with the practical examples.

Osquery is an open source tool by Facebook that provides a SQL interface for system information. Over the course of the summer I've been working on integrating osquery results into our internal asset tracker for automation/validation purposes. It's been incredibly useful for monitoring various stats, and the SQL interface makes it easy to use.

Finding the miscalculations: small Linux disk sizes?

I'd been collecting data for about 2 weeks when I changed the UI to show human-readable numbers and noticed the total disk size for a host was 0.58 GB (585871964 bytes). It seemed illogical to have a disk that small, so I looked up the actual disk size using sudo fdisk -l on that host, and it was 300 GB (299966445568 bytes). (299966445568 divided by 585871964 is exactly 512.)

But what is 512, anyway? What is block size?

The basic data primitive in computing storage is the byte; however, many storage devices perform I/O operations in larger units (the block size) for efficiency reasons. It's historically 512 bytes (but it can differ) because of the physical notion of a sector on a disk.

Turns out, despite the documentation stating this was returned in bytes, it was actually returned in units of the block size, in this case 512. I hard coded it into my code and decided to submit a patch to osquery to fix the issue and also add a column to the block_devices table for the device block_size.

When I went to fix the Linux implementation and add the column, I saw that there was also a Darwin implementation. Curious to see if the issue was present there too, I ran it on my Mac and found that it was also inaccurate. I took a look at the Darwin implementation and found that it was using a bunch of IOKit stuff I had no idea about. I asked around for help, and we eventually found the Apple open source header for the method we needed to dissect.

Opaque structs are no fun

(I learned that in C you can have opaque structs with hidden definitions.) It was difficult to figure out what it was doing at the system level, but the documentation pointed me to a CFMutableDictionaryRef dictionary that contained something for the key Size. I found some code on StackOverflow to print this dictionary, and it turned out it was indeed returning the correct number. That's when I became suspicious of a truncation error.

Running diskutil info -all locally, I found that I had:

Disk Size: 251.0 GB (251000193024 Bytes) (exactly 490234752 512-Byte-Units)

In the first dictionary printed, which would be /dev/disk0, I immediately noticed type = kCFNumberSInt64Type.

Houston, we have a truncation error

I converted it to a 32 bit int in Ruby, and that confirmed it was the issue. I saw that there were checks for what type of CFNumber it was, but for some reason it wasn't getting caught. Apparently it was hard coded as kCFNumberIntType somewhere in a series of nested method calls. I changed it to actually use the CFNumberType of the number. After fixing the Darwin implementation, I decided to return that in block-size units as well, to maintain consistency with the Linux implementation. I made this choice because Linux was already providing the value in block-size units, while the Darwin implementation was meaningless. I added the block_size column to both tables.
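The Docker audit described above, as an added example that is not code from the original post: three osqueryi queries against osquery's docker_containers and docker_container_processes tables, one for each misconfiguration the text lists (privileged containers, AppArmor or seccomp switched off, processes running as root). Column names follow the osquery schema; the decision to flag only explicit "unconfined" security options is our assumption, because a container that runs under Docker's default AppArmor profile usually has no apparmor entry in security_options at all.

```sql
-- Added example (not from the original post): audit queries for osqueryi,
-- run on the Docker host. Assumption: only explicit "unconfined" settings
-- are treated as "no AppArmor/seccomp", since the Docker default profile
-- does not appear in security_options.

-- 1. Privileged containers: --privileged grants all capabilities and host
--    device access, so every hit here deserves a look.
SELECT id, name, image, privileged
FROM docker_containers
WHERE privileged = 1;

-- 2. AppArmor or seccomp explicitly disabled through --security-opt.
--    security_options is a comma-separated copy of HostConfig.SecurityOpt.
SELECT id, name, image, security_options
FROM docker_containers
WHERE security_options LIKE '%apparmor=unconfined%'
   OR security_options LIKE '%seccomp=unconfined%';

-- 3. Processes running as root inside running containers.
--    docker_container_processes needs a container id constraint; the JOIN
--    on c.id supplies it. uid comes from the host's /proc, so a container
--    that uses a user-namespace remap shows its "root" with a non-zero uid.
SELECT c.name AS container,
       c.image,
       p.pid,
       p.name   AS process,
       p.cmdline,
       p.uid
FROM docker_containers AS c
JOIN docker_container_processes AS p ON p.id = c.id
WHERE c.state = 'running'
  AND p.uid = 0;
```

Run each statement inside osqueryi (or schedule it in an osqueryd query pack) on the host that runs the Docker daemon; osquery talks to the daemon over its Unix socket, so the osquery process needs permission to read it.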
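The block_devices findings above, as an added example that is not code from the original post: osquery reports block_devices.size in blocks, so an asset tracker has to multiply by block_size to get bytes, and it can cross-check the result against the filesystems mounted from each device. The join between block_devices.name and mounts.device / mounts.device_alias assumes both hold the same /dev path, which is the Linux layout; the "no parent means whole disk" filter is also an assumption about the Linux schema.

```sql
-- Added example (not from the original post): size conversion and a
-- validation query for osquery's block_devices table. Assumptions: device
-- names in block_devices match mounts.device or mounts.device_alias, and
-- rows without a parent are whole disks (both true on Linux).

-- 1. Bytes = blocks * bytes-per-block. Reading size on its own as bytes is
--    exactly the mistake that produced the 512x-too-small figure.
SELECT name,
       size                                       AS size_blocks,
       block_size,
       size * block_size                          AS size_bytes,
       ROUND(size * block_size / 1073741824.0, 1) AS size_gib
FROM block_devices
WHERE parent = '' OR parent IS NULL;

-- 2. Sanity check: a filesystem can never be larger than the device it
--    lives on. Any row returned means a size is being misread somewhere
--    (wrong unit, or a value truncated on its way out of the table).
SELECT b.name,
       b.size * b.block_size    AS device_bytes,
       m.path,
       m.blocks * m.blocks_size AS filesystem_bytes
FROM block_devices AS b
JOIN mounts AS m
  ON m.device = b.name OR m.device_alias = b.name
WHERE m.blocks * m.blocks_size > b.size * b.block_size;
```

The second query is the kind of check worth scheduling alongside the collection query: it turns a silent unit or truncation bug into a non-empty result set instead of a plausible-looking but wrong number in the tracker.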





