# osquery office hours 2023-10-24
YouTube Link: https://youtu.be/_aCPHA48QRg
## Announcements and Highlights since the last meeting
- New meeting link
- 5.10.2 is in beta
## Any Questions / Issues / PRs people want to discuss?
The intent of this section is to provide a clear time for community members to bring up _anything_.
Broad questions? Bugs? Deployment questions? Blocked PRs?
## Agenda down here
## 5.10
5.10.1 had an issue around macOS FIM and mute paths. Sharvil fixed it, and we cut 5.10.2. Do we think 5.10.2 is stable?
5.10.2 is a small patch on 5.10.1, low risk.
Zach is absent, but says on Slack:
> Can say that fleet has had the release deployed to beta and we endorse promoting it
Chris, who found the issue, has been running 5.10.2 and has seen no issues.
Kolide has it running on their test fleet. No issues seen yet.
## YouTube Update
Mike (and Stefano) are moving the videos from the ToB-hosted channel to the osquery YouTube channel. There are some rate limits, so it's a little slow. But it's moving.
New Channel is https://www.youtube.com/channel/UCSKksdLBVSeQ0e7B795GANQ
Playlist is https://www.youtube.com/playlist?list=PL2d_qqlJYj0VzoqnhZ9fTcU-09ZwYM9y7
Outside the playlist, the videos may not be in chronological order.
## Anyone seeing issues with Sonoma
Sounds like both Sharvil and seph have poked around, and not seen anything.
_But_ there has been a flaky test for a while around parsing an ALF firewall config. Maybe for a couple of releases? There's a [saved artifact](https://github.com/osquery/osquery/blob/master/tools/tests/configs/test_alf.plist), but the test might be reading the system one and ignoring the artifact. This is https://github.com/osquery/osquery/issues/7433
## osquery in the world
* objective by the sea
* do we want to increase market share? What would that even mean?
* What are our use cases?
* What should we build experimental features for? Is there a new thing?
Sharvil was at Objective By the Sea, and people were appreciative of osquery. Mostly vendors, but also some individuals.
Who are the people we see using osquery?
1. Vendors that sell osquery-based tools (i.e., Kolide, Fleet, ToB, Microsoft, Elastic, etc...)
2. Individuals who just get into it: security people, the curious
3. Vendors that have private solutions, and they often look to osquery as a reference for how to solve some problems
4. osquery is good for live investigating during anomalous events
Gaps in osquery:
- osquery is read only. No write or remediation support
  + Extensions can support remediation efforts
  + But what's the server side of this? How do you connect detect to remediate?
  + Santa? Endpoint Security Authorization?
- mostly public APIs, missing some private data
  + An example: BTM (background task management). There's a DB, but the APIs are private.
  + Extensions are not an obvious fit. People don't always have the time/commitment. And deployment is harder.
- "Why don't we support things on day zero?"
  + Apple is very secretive, we don't get forewarning
  + osquery is a volunteer project; are people willing to fund that kind of work?
When we want to implement something new, we're bounded by the vision and scope of the project. We don't have a super clear one, so there are things that feel mushy.
- Many of our tables are "inventory" style, and osquery works well for that. But we also have events, and those don't fit well
- We could innovate, but we're held back by a lack of user stories
- We decided to back away from forensics, for example
- What if we had osquery explained really well? Could we then innovate better?
- Events are often sought after, but these are very hard to handle inside osquery
  + osquery generally assumes we want to use SQL here, which precludes some optimizations
  + joining event streams is often a bad idea; osquery just isn't made for it. There are timing issues, and complex logic. Generally it's better to just capture as much as possible: use an accepted schema, and then capture it all. This is a counter-argument to the SQL power for evented tables
- Maybe we do too much?
- Containers are an entirely different story.
  + But what would it mean for us to do that? Is it our use case?
- sandboxing
  + What would this mean?
seph wonders if industry has moved _away_ from osquery? A lot of people seem to have moved to data lakes: capture as much as possible, and store it forever. This use case often does not require the SQL layer.
We should revisit these questions from time to time. Maybe try to revisit every few months.
We kinda have several kinds of systems:
- scheduled queries
- distributed queries
- snapshots
- diffs
- carves
- events
## Look At Open CVEs / Security Tickets
[List of Issues tagged with Security](https://github.com/osquery/osquery/issues?q=is%3Aopen+is%3Aissue+label%3Asecurity)
## Look at old PRs
_(If there's time, we've been trying to re-visit old PRs)_
[Reverse Sorted List of PRs](https://github.com/osquery/osquery/pulls?q=is%3Apr+is%3Aopen+sort%3Acreated-asc)