Tales from Developing and Deploying EndpointSecurity in Osquery

Presented at Objective by the Sea version 5.0 (2022), Oct. 6, 2022, 11:35 a.m. (25 minutes).

In this talk, I will explore the not-so-fun parts of using EndpointSecurity, especially when it comes to deploying it as an end product. This is a fairly counter-intuitive process, more so when you build things outside of XCode and Apple's tool. \n\n In particular we will take a look at osquery, an open source, cross platform endpoint visibility agent, written in C++ and using CMake and CPack as the build system. We will explore how to tie all the moving parts -- from entitlements and provisioning profiles, to repackaging a CLI as an app bundle, to Full Disk Access permissions and TCC gotchas. Finally we will tie everything together with automating packaging and signing in the CI.

Presenters:

• Sharvil Shah - Software Engineer at Fleet
  Sharvil is a Software Engineer working on osquery at Fleet. He has been an active contributor to osquery since its early days in 2015 providing much of the early macOS implementation, and an osquery Foundation TSC (Technical Steering Committee) member since 2022.

Links:

• https://objectivebythesea.org/v5/talks.html#Speaker_6
• https://infocon.org/cons/Objective by the Sea/Objective by the Sea 5 2023/Tales from Developing and Deploying EndpointSecurity in Osquery - Sharvil Shah.mp4
• https://infocon.org/cons/Objective by the Sea/Objective by the Sea 5 2023/Tales from Developing and Deploying EndpointSecurity in Osquery - Sharvil Shah.eng.srt (subtitles)
• https://www.youtube.com/watch?v=pEr_cyKRj9Q

Similar Presentations:

• BSides Austin 2018 / Post-mortem on deploying osquery, Kolide, and writing to kinesis
• BruCON 0x08 (2016) / Hunting Malware with osquery at scale Workshop
• BSidesSF 2019 / Monitoring Minimum Viable Security via osquery on Mac, Windows, Linux, and Containers Workshop