osquery is an open source tool that monitors systems and exposes their configuration through SQL tables. At Atlassian, we use osquery extensively in nearly all of our infrastructure to monitor hosts for potentially malicious activity as well as aid in investigations should an incident occur. As such, it is critical to both our detection & incident response teams in keeping Atlassian and its customers secure.
With any piece of software also comes risk, as it increases the attack surface available to an adversary. At Atlassian we believe in weighing the potential risks against the benefits and this is doubly true for software such as osquery which is deployed on nearly every workstation and server across our organisation. One way to reduce risk is by performing a security assessment to improve our confidence in the software we use.
Here at Atlassian our security team has extensive knowledge and experience in Java, NodeJS, Python, Golang and a few others, but we have very little expertise in C++ which is osquery’s main language. Rather than stumble around unfamiliar territory we decided to engage well-known cybersecurity research and consulting firm Trail of Bits who already partner with Atlassian on osquery feature development. With a reputation for high quality security reviews they share publicly, they were the right partner for us to perform this review and share it with the public as a contribution to the open source community.
Without further ado, here is the full review performed by Trail of Bits on osquery: ToB_Atlassian_osquery_Final_Report-2022-01.pdf
If you’re interested in a high-level description of the findings, the overall take was that they did not uncover any serious vulnerabilities, but found several improvements necessary to mitigate exploitation of future vulnerabilities through hardening such as sandboxing or leveraging process isolation and inter-process communication techniques.
Overall, we believe we have identified several areas for improvement and will work with the osquery project maintainers and Trail of Bits to address these findings. Since most of these findings require significant rework of the code, this will likely be a long-running effort. The lack of critical vulnerabilities and the overall project maturity leaves us confident in osquery’s security posture and we believe the balance between risk and benefit holds in this instance.