# osquery office hours 2023-04-11 YouTube Link: https://youtu.be/bGV3_9o29ig ## Announcements and Highlights since the last meeting - Mike at ToB popped in with YouTube Videos, so they've been back populated. Thank you Mike! - 5.8.2 should be stable ## Any Questions / Issues / PRs people want to discuss? The intent of this section is to provide a clear time for community members to bring up _anything_. Broad questions? Bugs? Deployment questions? Blocked PRs? ## Agenda down here ## Experimental features for macOS EndpointSecurity FIM (Sharvil) Background: `open/access` calls tend to cause performance issues mostly on older macOS versions. But there is a strong need for these calls, thoughts on having experimental flags to enable them and having a documented caveat about the issues. One possible usecase is to have a very specific monitoring file opens on sensitive files. Keychain, gh credentials, etc. General support for the functionality. And discussion about how to expose this option. * It has to be configured _before_ the ES starts. So it must be a config or flag, it cannot be in the sql query * General agreement that we should not call it `expirmental` * Given the next item, is this easier if we make this a ventura only feature * If possible, take inspiration from the existing linux configs ### Newer EndpointSecurity path APIs on Ventura Background: Ventura introduced "only monitor these files" APIs, these are really Symbols only present on Ventura, can use `dlopen/dlsym` and doing a bit of runtime checking, this seems to work okay on my machineTM (but I need to test this with codesign/notarization) Similar broad support for this. Discussion about how to support it in the configuration file. As possible unify configs with the [File Accesses (Linux only)](https://osquery.readthedocs.io/en/5.8.2/deployment/file-integrity-monitoring/) ## Curl Table Zach@Fleet discusses that the TLS server certs bundle overrides the the curl table's bundle. seph thinks there's probably _someone_ that depends on the current behavior, but seph is supportive of decoupling these ## Windows Search API ## Look At Open CVS / Security Tickets [List of Issues tagged with Security](https://github.com/osquery/osquery/issues?q=is%3Aopen+is%3Aissue+label%3Asecurity) OpenSSL has 3 vulnerabilities. Stefano says these are about using policies to perform additional verification of certs. We don't think we using it, but Stefano will pick up an update. ## Look at old PRs _(If there's time, we've been trying to re-visit old PRs)_ [Reverse Sorted List of PRs](https://github.com/osquery/osquery/pulls?q=is%3Apr+is%3Aopen+sort%3Acreated-asc) - CI OSes -- https://github.com/osquery/osquery/pull/7984 - https://github.com/osquery/osquery/pull/7956/files - https://github.com/osquery/osquery/pull/7974 - https://github.com/osquery/osquery/pull/7946