macOS: EndpointSecurity expansion #8564
Conversation
898cd6e to 6e3725e
…upport

Expands osquery's EndpointSecurity framework integration with comprehensive event monitoring capabilities across multiple security domains:

Core Enhancements:
- Added support for 40+ additional ES event types with categorization and severity levels
- Implemented dedicated es_security_events table for non-process security events
- Enhanced event context and subscription management

Security Domain Coverage:
- Process: Enhanced metadata extraction and context tracking
- Network: Socket operations (connect, bind, listen, accept) with endpoint details
- Filesystem: Extended attributes, ACLs, and advanced file operations
- Memory: Protection changes, mapping events, and executable region tracking
- Kernel: Extension monitoring, code signing validation, and sysctl operations
- Authentication: Session events (login, logout, lock, unlock)
- System: TCC database modifications, OpenDirectory events

Add a comprehensive query pack for macOS EndpointSecurity monitoring that includes:
- Process creation and lifecycle monitoring using es_process_events
- Security event monitoring via es_security_events table
- Authentication and privilege escalation detection
- Remote thread creation detection (potential code injection)
- Mount and filesystem event monitoring
- Screen sharing and SSH connection tracking
- Profile installation monitoring
- XPC connection monitoring
- Suspicious activity and high-severity security event alerting

These queries demonstrate effective usage of the new EndpointSecurity tables while maintaining proper separation between process and security events.

This commit provides comprehensive documentation updates for EndpointSecurity:
- Add documentation for all CLI flags and event categories
- Explain new table separation approach (process_events vs security_events)
- Document configuration options and entitlement requirements
- Add SDK version compatibility information and macOS version support
- Include examples and guidance for different monitoring use cases
- Create version compatibility tables and implementation phases

These changes improve clarity around EndpointSecurity capabilities, configuration, and version-specific behaviors while helping users optimize their event monitoring setup.
6e3725e to f5ec403
This commit adds robust support for macOS 15 by implementing:

1. Proper event type handling for removed ES events in macOS 15+:
   - Changed custom event type values to be within valid range (0-255)
   - Added static_cast when using these values in switch statements
   - Fixed event categorization to avoid duplicate definitions

2. Enhanced field handling with safety checks:
   - Improved string token handling with proper null checks
   - Added safe versions of field accessors for cross-version compatibility
   - Fixed memory management in test code with proper tracking and cleanup

3. Comprehensive test framework:
   - Added new test files for field handling and version compatibility
   - Created cross-version test script for testing across macOS versions
   - Added tests for memory protection events that are preserved in macOS 15+

4. Fixed potential segfaults:
   - Added null pointer checks in getStringFromToken functions
   - Fixed isEventTypeAvailable to handle case of old event types in newer OSes
   - Added explicit algorithm includes for proper std::find usage
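The commit above mentions null-pointer checks in getStringFromToken as a fix for potential segfaults. The following is an added illustration of that kind of check, not osquery's own code from this PR: EndpointSecurity headers exist only on macOS, so it uses a stand-in struct with the same two fields (length, data) as the real es_string_token_t, and the function name getStringFromToken is taken from the commit message rather than from osquery's source.

```cpp
// Added example (not osquery's code): null-safe conversion of an
// EndpointSecurity string token into an owned std::string, in the spirit of
// the getStringFromToken null checks described in the commit above.
#include <cstddef>
#include <iostream>
#include <string>

// Stand-in for es_string_token_t so this compiles off macOS: the real type has
// a `length` and a `data` pointer with the same meaning.
struct es_string_token_stub {
  size_t length;
  const char* data;
};

// Returns the token contents as a std::string. The data pointer can be null
// (an absent field), and the bytes are not guaranteed to be NUL-terminated,
// so the copy is bounded by `length` and never by strlen(). Dereferencing a
// null token or a null data pointer is exactly the segfault the check avoids.
std::string getStringFromToken(const es_string_token_stub* token) {
  if (token == nullptr || token->data == nullptr || token->length == 0) {
    return std::string();
  }
  return std::string(token->data, token->length);
}

// Overload for a token embedded by value in a larger message struct, which is
// how es_message_t exposes most string fields; it delegates to the pointer form.
std::string getStringFromToken(const es_string_token_stub& token) {
  return getStringFromToken(&token);
}

int main() {
  // Constructed sample: a path buffer with no terminating NUL byte.
  const char raw[] = {'/', 'b', 'i', 'n', '/', 'l', 's', 'X'};
  es_string_token_stub path_token{7, raw};
  es_string_token_stub empty_token{0, nullptr};

  std::cout << "path:  [" << getStringFromToken(path_token) << "]\n";
  std::cout << "empty: [" << getStringFromToken(empty_token) << "]\n";
  std::cout << "null:  ["
            << getStringFromToken(static_cast<const es_string_token_stub*>(nullptr))
            << "]\n";
  return 0;
}
```

The test buffer deliberately lacks a NUL byte after the seven path characters, so a length-ignoring strlen()-based copy would read past it; bounding the copy by `length` is what keeps the helper safe on real ES messages.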
Hi @tmc, thanks for the contribution!
All osquery contributions require signing the CLA -- please follow the instructions as the bot commented to get that completed. We don't usually do thorough reviews until this is completed.
I see that this PR adds one table that includes many different event types. We usually try to make separate tables that have fewer columns and a more narrowly-defined event type. Does that seem possible here?
This is also an exceptionally large PR and would be much easier to review if it were split into separate PRs for more narrow tables.
Yep, signed! Yeah, I didn't want to sprawl out a bunch of tables but definitely interested in any guidance on where the right balance to strike is. Let me rework this into smaller PRs for easier review.

New PR that takes a smaller bite: Follow on (god I wish GitHub supported stacked diffs better). Next diff: https://github.com/osquery/osquery/compare/pull/8565/head...tmc:osquery:endpointsecurity-expansion-2?expand=1 / tmc#1
To submit a PR please make sure to follow the next steps:
- CONTRIBUTING.md guide at the root of the repo.
- format_check target. If it is not, then move the committed files to the git staging area, build the format target to format them, and then re-commit.

More information is available on the wiki.