Exploration, Monitoring and Security with osquery

Speakers: Zachary Wasserman

Level: Advanced, Hands-on (BYOD for attendees)

Excerpt: macOS is a complex beast! Learn how osquery can tame the complexity and enable rapid iteration on insights, becoming a critical component of monitoring pipelines. This workshop will expose the important concepts through hands-on examples.

Description: Getting at the data that admins care about on a macOS system can require many distinct methods: parsing command output, calling public and private system APIs, reading POSIX and macOS-specific configuration files, and more. What can we do to tame this complexity and focus on the underlying data we are after?

Enter osquery. Open-sourced by Facebook in 2014, this tool standardizes all of these disparate sources of state as SQL tables, enabling rapid iteration and understanding without writing any code. We can craft simple SQL queries to extract, transform and combine the data sources that interest us. In this workshop we will learn how to explore the data we are interested in, incorporate it into scripting workflows, and use osquery to monitor the data that matters.

These skills will be useful for anyone interested in accessing macOS internals from a security or IT perspective.
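As an added illustration of the kind of query the workshop describes (example code written for this page, not material from the session or from the osquery project), the two queries below join standard osquery tables on macOS: network listeners with the user that owns the process and the code-signing status of its binary, and launchd items that run at load with the signing status of the program they execute. Table and column names are osquery's own schema; the filename listeners.sql in the comment is an assumption.

```sql
-- Added example, not from the session. Run interactively with:
--   osqueryi --json < listeners.sql
-- Exploration: every process with a listening socket, who runs it, and
-- whether the binary is code-signed. listening_ports, processes, users and
-- signature are all standard osquery tables on macOS.
SELECT
  p.pid,
  p.name,
  p.path,
  u.username,
  lp.address,
  lp.port,
  lp.protocol,        -- 6 = TCP, 17 = UDP
  s.signed,
  s.authority
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
LEFT JOIN users AS u ON u.uid = p.uid
LEFT JOIN signature AS s ON s.path = p.path
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')   -- skip loopback-only listeners
ORDER BY lp.port;

-- Persistence: launch agents and daemons that start at load, with the
-- signing status of the program they run. NULL in s.signed means the
-- program path could not be read or signature-checked.
SELECT
  l.path AS plist,
  l.label,
  l.program,
  l.program_arguments,
  s.signed,
  s.authority
FROM launchd AS l
LEFT JOIN signature AS s ON s.path = l.program
WHERE l.run_at_load = '1'
  AND l.program IS NOT NULL
  AND l.program != ''
ORDER BY l.path;
```

The same SQL moves from exploration to monitoring without rewriting it: placed under the "schedule" key of the osqueryd configuration with an interval, osqueryd logs only the rows that were added or removed since the previous run, so a new unsigned listener or a new run-at-load launchd item shows up as a single differential log entry rather than a full table dump.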


About the speaker

Zachary Wasserman (Twitter: @thezachw) – Principal Engineer – Kolide

Zach has been contributing to osquery since its inception in 2014, and believes that open-source is the future. He is cofounder and Principal Engineer at Kolide, where he builds products to help operators drive more value from osquery. Outside of this work, he climbs rocks and is an amateur Arduino programmer building blinky devices.

This entry was posted in MacAdmins 2018 Sessions.