Let’s say a machine in your corporate fleet gets infected with malware. How would you detect it? How could you find out what happened on the machine? What did the malware do? Did it steal your browser’s passwords? What network connections did the malware make? Was it looking for cryptocurrency? By having good telemetry and a good host monitoring solution for your machines, you can collect the context necessary to answer these important questions.

Proper host monitoring on macOS can be very difficult for some organizations. It can be hard to find mature tools that proactively detect security incidents. Even when you do find a tool that fits all your needs, you may run into unexpected performance issues that make the machine nearly unusable by your employees. You might also experience issues like having hosts unexpectedly shut down due to a kernel panic. Even if you are able to pinpoint the cause of these issues you may still be unable to configure the tool to prevent the issue from recurring. Due to difficulties like these at Dropbox, we set out to find an alternative solution.

One of the first things we did was create a list of requirements and success criteria:

Stability and minimal performance impact: kernel panics and obvious delays or other lockups are certainly not acceptable

Record interesting activity on the host:
- Process spawning
- Filesystem modifications
- Network activity
- Details about configuration settings and installed applications

Record details about these observables which would tell us:
- Date and time
- How observations are related (parent-child relationships, or shared keys which connect events, like process id)
- Additional details to assess the relevance or impact of the event

During the investigation we reviewed a number of tools that could solve some of our problems, but none of the tools could solve all of our problems. After careful review we decided that we didn’t want to reinvent the wheel and that having multiple tools that each solved a specific requirement would better serve our needs.

We eventually landed on 3 open source tools: osquery, Santa, and the OpenBSM/Audit system; with each tool serving a specific purpose:

osquery provides periodic snapshots describing changes to the state of a machine

Santa provides real-time process launch events containing details about the executing binary

OpenBSM/Audit is a real-time system call monitoring module in the macOS kernel that can provide networking, file operations, administrative events, and other system interactions.

osquery

osquery is an open source operating system instrumentation framework for Windows, macOS, Linux, and FreeBSD by Facebook. This tool allows users to query the state of their system via a SQL interface. Some of the useful features of this service are:

The ability to parse preference and configuration files, list installed applications, current running processes, file path information, and installed browser plugins. This is useful if we are looking for suspicious applications or if we want to know whether a machine has some specific configuration setting. osquery ships by default with several packs of useful queries, and the core application is regularly updated to include new features.
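As an added illustration of the kind of hunting these tables enable (example queries written for this post, not taken from the original article or from osquery’s query packs), the following osquery SQL checks user-level launchd persistence, matches hashes of files in a drop location against a watch list, and lists processes with remote sockets running from unusual paths. The hash values are placeholders, not real indicators.

```sql
-- Query 1: launchd persistence in per-user LaunchAgents, which is where
-- user-land malware commonly installs itself. No constraint is required
-- on the launchd table, but the LIKE keeps output manageable.
SELECT label, path, program, program_arguments, run_at_load
FROM launchd
WHERE path LIKE '/Users/%/Library/LaunchAgents/%';

-- Query 2: hash every file in a common drop location and compare against
-- a known-bad list. The file table needs a path/directory constraint, and
-- the hash table is joined on path so it is only asked to hash those files.
-- PLACEHOLDER values below stand in for real SHA-256 indicators.
SELECT f.path, f.size, h.sha256
FROM file AS f
JOIN hash AS h USING (path)
WHERE f.path LIKE '/tmp/%'
  AND h.sha256 IN (
    '0000000000000000000000000000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000000000000000000000000000002'
  );

-- Query 3: processes holding a socket to a non-local peer while executing
-- from a temporary or download directory; join processes to their sockets
-- on pid so each row carries both the binary path and the remote endpoint.
SELECT p.pid, p.parent, p.name, p.path, p.cmdline,
       s.remote_address, s.remote_port, s.protocol
FROM processes AS p
JOIN process_open_sockets AS s USING (pid)
WHERE s.remote_address NOT IN ('', '0.0.0.0', '127.0.0.1', '::', '::1')
  AND (p.path LIKE '/tmp/%' OR p.path LIKE '/Users/%/Downloads/%');
```

Each query can be run interactively with osqueryi, or scheduled in the osqueryd configuration so that matching rows are logged as they appear.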

Using osquery we can perform queries to search for IOCs (Indicators of Compromise) on a host such as the recent Proton malware: