At NCC Group, we aim to make the Internet a safer and more secure place — in part through our audits of open source security software. So when Facebook engaged us to review osquery toward the end of last year, we were eager to contribute.

osquery is an instrumentation framework that represents operating system details and events as SQL tables. This abstraction layer allows users and administrators to query that state in complex ways, joining across tables just as they would in a relational database. Through this interface, one can collect real-time insights and analyze systems at scale to reveal interesting (and security-relevant) trends and outliers across one's infrastructure. Facebook and many other organizations use osquery to gain insight into the security of their infrastructure.
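As an added illustration of the kind of outlier hunt the paragraph above describes (this query is not part of the original post or of the osquery project's own documentation), the following osquery SQL joins three of osquery's virtual tables to list processes that are listening on a network port but whose executable no longer exists on disk, a common sign of an in-memory implant or of a binary deleted after launch. It assumes the `processes`, `listening_ports` and `users` tables with the columns shown, and that `processes.on_disk` is 0 when the backing file is gone (the assumed semantics are noted inline).

```sql
-- Added example (not from the original post): find listening processes
-- whose executable has been removed from disk.
-- Assumed tables/columns: processes(pid, name, path, uid, on_disk),
-- listening_ports(pid, port, protocol, address), users(uid, username).
-- Assumed semantics: on_disk = 1 present, 0 deleted, -1 unknown.
SELECT
  p.pid,
  p.name,
  p.path,
  u.username,
  lp.protocol,
  lp.address,
  lp.port
FROM processes AS p
JOIN listening_ports AS lp
  ON lp.pid = p.pid
LEFT JOIN users AS u
  ON u.uid = p.uid
WHERE
  lp.port != 0          -- ignore sockets that are not actually bound
  AND p.on_disk = 0     -- executable deleted while the process keeps running
ORDER BY lp.port;
```

Run interactively with `osqueryi` to check the result set on one host; scheduled in an `osqueryd` query pack, the same statement turns into a fleet-wide detection, with each new row (a process that started matching) logged as a differential result.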

By design, osquery operates defensively to account for various scenarios that may negatively affect security. Strict permissioning is enforced to ensure that unprivileged users cannot load arbitrary extensions, and connections to remote endpoints (e.g. configuration push servers, logging endpoints, etc.) are protected using TLS with strong cipher suites and certificate pinning. Queries are subject to strict scrutiny, including resource limits (e.g. memory and CPU time) to prevent denial of service attacks. All of these seemingly small and simple design decisions converge to create a significant defense-in-depth security posture.

We did not discover any issues that we consider to be high severity. Multiple potential issues stemmed from security-relevant compiler warnings not being enabled, allowing them to hide within the codebase. Additionally, areas where the general mitigations were not uniformly applied were affected by unrelated scheduling bugs with security implications. In general, though, the higher risks were mitigated by osquery's security-focused design. An identified race condition was simple to fix, and NCC Group also provided recommendations for further hardening that were in line with the general design of osquery.

Facebook covered the review in their recent article. You can also find a copy of the report here. We would like to thank Facebook for making this assessment possible. We would also like to thank the osquery team, who were incredibly helpful and transparent throughout the entire engagement. NCC Group hopes this audit will help osquery continue to aid users and organizations in keeping a watchful eye on their hosts and infrastructure.

Published date: 11 March 2016

Written by: Raphael Salas

