How We Securely Autoupdate Osquery at Kolide
Osquery is a fast-moving open source project that allows you to monitor a host using SQL. The tables that are provided by osquery are embedded in the tool itself, so getting the latest capabilities requires keeping your osquery deployment up-to-date. To make this easier for our users, we created an osquery launcher that includes the ability to securely manage and autoupdate osquery instances.
After researching available solutions, we decided to implement our autoupdater with The Update Framework (TUF). TUF defines a specification for secure software update systems. The spec describes a client/server model where the client is the software to be updated and the server is the update server.
For our implementation, we use Docker Notary as our TUF server and a Go client library that we built in-house called “Updater”. Through Updater, Launcher uses a mirror like Google Cloud Storage to store update targets, and uses Notary to ensure that targets have not been tampered with. We don’t take the security implications of automatically updating osquery lightly, so we knew an independent third-party audit of this architecture was necessary. To this end, we contracted NCC Group to perform a security audit of our in-house TUF client library. The report is publicly available here. NCC Group has also previously performed assessments on Docker Notary and Osquery as well, so this assessment bridges the two together nicely.
The Docker Notary assessment was carried out by NCC Group’s “Cryptography Services” which was led by cryptography expert Tom Ritter. Docker’s lead on getting this audit done was Diogo Monica who has frequently spoken rather insightfully on this topic.
Ted Reed and I first discussed the osquery assessment in an article on Facebook’s engineering blog, along with a myriad of other activities the osquery team undertook to maintain a secure open source ecosystem. In that article, I spoke about the idea of “constant vigilance” as a software developer. Public assessments are a point-in-time verification of one aspect of security and are not meant to imply that the software is secure right now. However, it does imply that there are no jarring architectural flaws that the authors missed when first reasoning about the design of their solution.
The Updater assessment ties these two components together. Keeping osquery up to date via Updater and Notary is noteworthy because Notary, Updater, and Osquery have all had security assessment reports publicly published. The Notary server infrastructure that Kolide hosts for this purpose has not been audited yet, but we are looking forward to further investing in this infrastructure as time goes on. Consider the following excerpt from the executive summary of the NCC Group report’s Executive Summary section:
During the summer of 2017, Kolide engaged NCC Group to conduct a security assessment of their implementation of a client for TUF, The Update Framework. Two NCC Group consultants performed this assessment between August 28 and September 1. Along with a Docker Notary server, this client allows osquery to automatically and securely update itself. This report, in conjunction with NCC Group’s prior assessments of Notary and osquery, completes a trifecta of security assessments for a fully functional suite of interdependent secure endpoint management technologies.
Though NCC Group did find some issues that could affect users in less-secure environments, the assessment did not uncover any findings that affect the security of the processes for receiving and verifying updates.
- The Update Framework (TUF) Security Assessment
We take the responsibility of providing an osquery autoupdater seriously. If this is interesting to you, I encourage you to consider the following resources and help us by reporting any potential vulnerabilities in our software.
- The Updater library source code
- The Update Framework (TUF) Specification
Please contact us at firstname.lastname@example.org if you believe you have found vulnerabilities in Kolide or osquery software.