![]() ![]() The lack of critical vulnerabilities and the overall project maturity leaves us confident in osquery’s security posture and we believe the balance between risk and benefit holds in this instance. Since most of these findings require significant rework of the code, this will likely be a long-running effort. Overall, we believe we have identified several areas for improvement and will work with the osquery project maintainers and Trail of Bits to address these findings. If you’re interested in a high-level description of the findings, the overall take was that they did not uncover any serious vulnerabilities, but found several improvements necessary to mitigate exploitation of future vulnerabilities through hardening such as sandboxing or leveraging process isolation and inter-process communication techniques. Without further ado, here is the full review performed by Trail of Bits on osquery: ToB_Atlassian_osquery_Final_Report-2022-01.pdf With a reputation for high quality security reviews they share publicly, they were the right partner for us to perform this review and share it with the public as a contribution to the open source community. Rather than stumble around unfamiliar territory we decided to engage well-known cybersecurity research and consulting firm Trail of Bits who already partner with Atlassian on osquery feature development. See the official osquery documentation on query failures with the watchdog for more information on osquery errors and debugging options. ![]() It is enabled by default and can be disabled with a control flag. Another way that osquery collects data is via the pub-sub eventing framework. The osquery watchdog is only used for the worker process. ![]() Under Configuration -> Custom profiles you can adjust the interval (increase interval to reduce utilization) that these queries run or disable certain queries all together. Here at Atlassian our security team has extensive knowledge and experience in Java, NodeJS, Python, Golang and a few others, but we have very little expertise in C++ which is osquery’s main language. One way that osquery collects data is via scheduled queries. One way to reduce risk is by performing a security assessment to improve our confidence in the software we use. At Atlassian we believe in weighing the potential risks against the benefits and this is doubly true for software such as osquery which is deployed on nearly every workstation and server across our organisation. With any piece of software also comes risk, as it increases the attack surface available to an adversary. As such, it is critical to both our detection & incident response teams in keeping Atlassian and its customers secure. At Atlassian, we use osquery extensively in nearly all of our infrastructure to monitor hosts for potentially malicious activity as well as aid in investigations should an incident occur. Osquery is an open source tool that monitors systems and exposes their configuration through SQL tables. Anywhere Description On some workstations with a large number of watched files, Agent memory consumption may increase. ![]()
0 Comments
Leave a Reply. |