Production-ready detection & response queries for osquery

osquery-defense-kit


osquery queries for Detection & Incident Response, containing 250+ production-ready queries.


ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

At the moment, these queries are predominantly designed for execution on POSIX platforms (Linux & macOS). Pull requests to improve support on other platforms are fully welcome.

Requirements

  • osquery v5.7.0 or above
  • macOS or Linux
  • If you plan to do local development you will also need Go v1.20+ for osqtool

Usage

Local Detection

Run make detect for point-in-time detection. This will catch less than a production installation, since it has no access to historical events.

Production Detection

Download a released query pack into a convenient location, and point to these files from the packs stanza of your osquery.conf file.

Local Data Collection for IR

Run make collect. This is particularly useful for before/after analysis.

Local pack generation

Run make packs. For more control, you can invoke osqtool directly, to override default intervals or exclude checks.

Local verification testing

Run make verify.

File Organization

  • detection/ - Threat detection queries tuned for alert generation.
  • policy/ - Security policy queries tuned for alert generation.
  • incident_response/ - Data collection to assist in responding to possible threats. Tuned for periodic evidence collection.

The detection queries are further divided by MITRE ATT&CK tactic category.

At release time, the queries are packed up in osquery query pack format. See Local Pack Generation for information on how to generate your own packs at any time.
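The pack layout above implies a simple alerting rule: any row returned by a detection/ or policy/ query is an alert, while incident_response/ rows are evidence to be stored. As an added example (not code from osquery-defense-kit), this routes osquery's result log accordingly; the pack names, host name and log lines are constructed for the example and ODK's released pack names may differ.

```python
import json

# Assumed pack names for this example: detection/ and policy/ packs are tuned to
# return zero rows normally, incident_response/ packs collect evidence periodically.
ALERTING_PACKS = {"odk-detection", "odk-policy"}
EVIDENCE_PACKS = {"odk-incident-response"}

# Constructed sample lines in osquery's filesystem-logger result format.
SAMPLE_LOG = [
    '{"name":"pack_odk-detection_tiny_executable","hostIdentifier":"web-1",'
    '"unixTime":1700000000,"action":"added","columns":{"pid":"4242","path":"/tmp/.x"}}',
    '{"name":"pack_odk-detection_tiny_executable","hostIdentifier":"web-1",'
    '"unixTime":1700000060,"action":"removed","columns":{"pid":"4242","path":"/tmp/.x"}}',
    '{"name":"pack_odk-incident-response_listening_ports","hostIdentifier":"web-1",'
    '"unixTime":1700000120,"action":"snapshot","snapshot":[{"port":"22"},{"port":"443"}]}',
    '{"name":"osquery_info","hostIdentifier":"web-1","unixTime":1700000180,'
    '"action":"added","columns":{"version":"5.7.0"}}',
    'not json at all',
]

def split_pack_name(name):
    """osquery names scheduled pack queries 'pack_<pack>_<query>'; return (pack, query)."""
    if not name.startswith("pack_"):
        return None, name
    rest = name[len("pack_"):]
    for pack in sorted(ALERTING_PACKS | EVIDENCE_PACKS, key=len, reverse=True):
        if rest.startswith(pack + "_"):
            return pack, rest[len(pack) + 1:]
    return None, rest

def route_results(lines):
    """Split result-log lines into (alerts, evidence). A 'removed' row means a
    previously alerted row went away, so it never raises a new alert."""
    alerts, evidence = [], []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        pack, query = split_pack_name(rec.get("name", ""))
        # differential records carry one row in "columns"; snapshots carry a list
        rows = rec["snapshot"] if "snapshot" in rec else [rec.get("columns", {})]
        if pack in EVIDENCE_PACKS:
            evidence.extend(rows)
        elif pack in ALERTING_PACKS and rec.get("action") != "removed":
            for row in rows:
                alerts.append({"host": rec.get("hostIdentifier"), "query": query,
                               "time": rec.get("unixTime"), "row": row})
    return alerts, evidence
```

Running route_results over SAMPLE_LOG yields exactly one alert (the added tiny_executable row) and two evidence rows; the removed row, the non-pack osquery_info row and the malformed line produce nothing.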

Case Studies

Linux: Shikitega (September 2022)

https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux

Here is a partial list of the stages and the queries that would have fired an alert for each:

  • Initial Dropper Execution, detected by:
    • execution/tiny-executable-events.sql
    • execution/tiny-executable.sql
  • Next Stage Dropper Execution, detected by:
    • execution/tiny-executable-events.sql
    • execution/tiny-executable.sql
    • execution/unexpected-shell-parents.sql
  • Escalation Prep, detected by:
    • execution/sketchy-fetchers.sql
    • execution/sketchy-fetcher-events.sql
    • c2/unexpected-talkers-linux.sql
    • c2/exotic-command-events.sql
    • c2/exotic-cmdline.sql
  • Escalation Tool Execution detected by:
    • execution/unexpected-executable-permissions.sql
    • execution/unexpected-executable-directory-linux.sql
    • execution/unexpected-tmp-executables.sql
    • c2/exotic-command-events.sql
    • c2/exotic-cmdline.sql
    • initial_access/unexpected-shell-parents.sql
    • evasion/missing-from-disk-linux.sql
  • Privilege Escalation detected by:
    • privesc/unexpected-setxid-process.sql
    • privesc/unexpected-privilege-escalation.sql
    • privesc/events/unexpected-privilege-escalation-events.sql
    • evasion/name_path_mismatch.sql
  • Persistence detected by:
    • persistence/unexpected-cron-entries.sql
    • execution/unexpected-executable-directory-linux.sql

macOS: CloudMensis (April 2022)

https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/

Here is a partial list of the stages and the queries that would have detected each:

  • Initial Dropper Execution, detected by:
    • c2/unexpected-talkers-macos.sql
  • Second Stage Execution, detected by:
    • execution/unexpected-executable-directory-macos.sql
    • persistence/unexpected-launch-daemon-macos.sql
    • execution/unexpected-mounts.sql
  • TCC Bypass, detected by:
    • evasion/unexpected-env-values.sql
  • Spy Agent Execution, detected by:
    • c2/unexpected-talkers-macos.sql
    • execution/exotic-command-events.sql
    • execution/unexpected-executable-directory-macos.sql

Policies

Contributions

Help Wanted! We support any new queries so long as they can be easily updated to address false positives.

Users may submit false positive exceptions for popular well-known software packages, but may be asked to provide evidence for the behavior.

Platform Support

While originally focused on Linux and macOS, we support the addition of queries on any platform supported by osquery.

In particular, we've been asked about Windows support: Chainguard doesn't have any Windows machines, but if you have Windows queries that you think would be useful and match our philosophy, we're more than willing to accept them!

False Positives

We endeavor to exclude real-world false positives from our detection queries.

Managing false positives is easier said than done - pull requests are welcome!

CPU Overhead

In aggregate, queries should not consume more than 2% of the wall clock time across a day on a deployed system.

Intervals

Deployed intervals are automatically determined from the tags supported by osqtool, which we use for pack assembly.
