-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What do we want to do with packs #28
Comments
I need to take some time to formulate a longer response, but overall I see two separate issues/requests and want to make sure we acknowledge them in this discussion: Issue 1: osquery is hard and we should invest in better educational resources. Issue 2: packs are "intel" and users can run the packs that are packaged with osquery as a way of ensuring the security of their fleet. packs are maintained by some set of quality standards. Now for some opinions: The second issue I'm personally somewhat pessimistic about, companies are not willing to open source the intel they use in general. But if we were to attempt to solve this problem, we should do so in a separate repository. This has the benefit that the repo can be maintained by a different set of people than the core and that certain guarantees can be provided(freshness, performance, accuracy"). |
Thank you for starting this discussion! I was quite surprised to find out that osquery maintainers considered the built-in packs as pure examples and not something that should be used at all. I think one of osquery's biggest strengths has been the built-in packs that add immediate value when deployed. I've used osquery for several different fleets, and I almost always find out something fairly quickly based on the data coming in from those packs. Separating out the packs seems like a great idea, as it would allow more focus on them and garner a larger community. A few things come to mind:
|
To clarify my position, I don't think they should NOT be used. I was pointing out that they don't come with specific guarantees and that it would be best to use them as a reference, not something to run "as is". It's a "here's some best practices about this thing osquery ships". |
fun! (: So to give an analogy, if you've ever used Snort (or any IDS) there's two modes. There's the one where you excitably install absolutely every rule because why wouldn't you? you want all the information. Or you turn everything off, and pick and choose like a dozen/a few dozen rules that you really know they what do, and when they go off, you know pretty much what that means. I don't think osquery's packs are as bad as the former, but as they grow, they move away from the latter. I don't think companies have to give up intel to share rules in quite that way. It's more what is the motive behind this rule, what is it telling you when it goes off. I strongly agree with @reedloden that packs are set once and never update, which is a shame. Finding a mechanism for that, and allowing local comments and overrides is harder than just |
I'd categorize that as yet another problem that exists but is a separate discussion thread. Currently this is handled by third party solutions like Fleet and also happens to have many footguns. Maintaining a query pack means occasionally adding/removing fields. Osquery tables also sometimes rename fields. How do you do version control for tables? For queries? How do you introduce a breaking change to a list of users that depend on the query results? |
In my experience, packs have been somewhat poorly maintained. It's quite a bit of work to add new queries as new tables get released and update columns when tables change. No one is "responsible" for packs. I also worry that new osquery users view packs as a checklist instead of cherry picking which data sources are available to them and tailoring their needs based on that. I personally think that packs should serve as examples but it should be noted that they may not be kept up to date and they don't necessarily reflect an ideal deployment of osquery. People should absolutely NOT deploy osquery by just enabling the packs and calling it a day (in my opinion). |
There's a difference between "people should not deploy osquery by just enabling the packs and calling it a day" and what actually happens in the real world. I don't think anyone in this thread is the target audience for "what is the default, assuming I just install this and leave it" but I would imagine that's a sizeable use case . (but I have no numbers, etc...) How often do the rules get updated? how often are new ones added? vs new packs? (sorry it's been a while since I've had to run osquery over a fleet) I wouldn't want to spawn another arachnids email list, partly because it's 2019, partly because I'm no good at credit card fraud, but mostly because then someone has to steward that canonical resource. Should that be the job of osquery? facebook? the community? dons fancy jacket of spitballing 2d4 github and pull requests seem a really natural place for that to me. With either a release happening at some point, or just running HEAD if you're a wild person. Having a framework to test them would make releases possible. Namespacing (pack name - date/sha) could make updating possible without blowing away the rules you have. In the kolide-fleet world, you always do something like "if you fork this rule, it's no longer in that pack" or some magic. I'm probably getting way off track. 😇 |
I feel that we should remove packs from the osquery repo ASAP.
|
I agree with this statement "They are not threat intelligence. With names like osx_attacks , etc. gives people a false sense of security." |
As a person who helped bring up this debate in the worlds longest slack thread, I think many of you are perhaps unaware of how many people are being introduced and or deploying osquery today. Tools like Kolide and Fleetsmith push out osquery including the packs. It's great to have this data ready to go, and ready to use, but with a heavy heart I read this conversation and see that these packs are almost a joke. The lack of documentation around the point of the packs is definitely an issue, and probably one of the reasons for this conversation. Packs shouldn't be the only way you interact with osquery, but are frequently a great place to get started. The analogy to Snort is a good one. But osquery is far from that bad today. I think dropping the packs because you're afraid of the monster you made is the wrong way to go. Asking the village to help raise the monster is probably better. |
I don't feel packs are a joke, just under loved and perhaps not being used to their full potential? Sharing things like this has always been hard though, and many companies will be reluctant to share their rules publicly for good and bad reasons. (whole different thread there... wheeeeee) I really don't think osquery has this as badly as snort does, thankfully, but also rules are ever so slightly less sharable than snort rules, so perhaps that is partly it too. I do worry about the mac rules for malware/attacks that had its day in like 2012 (or w/e) but still is in the default packs. I haven't actually sat down and used osquery in like ten months, so I'd be overstepping to say I know what is going on or the how the community feels. |
@a-zndr I am aware of how many people use the default packs and it's been something we've occasionally discussed in office hours and at conferences here and there. When we created Fleet at Kolide and open sourced it, the immediate request for everyone was "how do I run the default packs" which made me feel icky about the perception of what they are on our side vs what new users thought of them... Anyway, I think "community supported" query sharing is a cool idea that I'd love to see happen and if people feel strongly about there being value in packs, then we should spin them out in a separate repo, with maintainers who care about query quality and all. |
Can we do that in a methodical way that doesn't leave folks hanging? The calls to rip them out ASAP is what is concerning. I have no objections to splitting them out into a separate repo/project (in fact, I think it's a great idea, as releases shouldn't constrain query pack updates), but just want to make sure there's a migration plan/path for folks and well-communicated so people can prepare. |
I don't think we're going to move very fast. This has been an ongoing issue for awhile, and I think this thread is likely to go for a bit. One thing that jumps out at me, is that a lot of people use the default packs. They represent a batteries included approach. And that fixing them up is a way to positively help a large number of end users. That seems like something worth investing in. |
We are talking about a whole new project here : actively maintaining a valuable base set of queries that can help the community. A free "lite" version of threat-intel queries ... anyone with the time and expertise to do this is a hero. Some other considerations for each query:
So should we spend time to fix these up, and continue to maintain them, test them, and add more? Unfortunately, not for the foreseeable future. Let's focus, there's a lot to do on core osquery. |
In 2019-09-17 office hours we talked a little about whether we should be shipping packs. In office hours, there's a strong bias to drop them. We don't really vet or maintain them.
But chatting on macadmins, I hear strong interest. Summarizing some things:
Relates to:
The text was updated successfully, but these errors were encountered: