Facebook is in a giving mood today.
The social networking giant announced today that it will release to open source a framework that detects and logs state changes in an operating system likely caused by an attack or performance meltdown. It also announced that it will hand out up to $300,000 next year as part of its Internet Defense Prize.
The osquery framework takes a unique approach to intrusion detection by exposing an operating system as a relational database, said Mike Arpaia, a Facebook engineer who, along with Ted Reed, Javier Marcos de Prado and Mimeframe, makes up the osquery development team. Osquery is cross-platform and is supported on Ubuntu, CentOS and Mac OS X.
“This design allows you to write SQL-based queries efficiently and easily to explore operating systems,” Arpaia said, adding that SQL tables can be used to represent the current state of running processes, loaded kernel modules and open network connections.
Admins can use queries to inspect processes executing on an operating system and look for behaviors that would occur only if a system were compromised. Arpaia also offered examples of how different tables could be joined: joining the listening ports table to the processes table, for instance, exposes every process that is listening on a network port.
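The join Arpaia describes, written out as two osqueryi queries. This is an added example, not code from the article or the osquery project; it assumes the current osquery schema for the `listening_ports` and `processes` tables (the column names used below are assumptions).

```sql
-- Added example (not from the article or the osquery project). Assumes the
-- osquery `listening_ports` and `processes` tables expose the columns used
-- here (pid, port, protocol, address; pid, name, path, cmdline, on_disk).

-- 1. Join listening ports to processes: every process that has a socket
--    bound for listening, with the port, protocol and the binary behind it.
SELECT
  lp.port,
  lp.protocol,      -- 6 = TCP, 17 = UDP
  lp.address,       -- bound address; 0.0.0.0 or :: means all interfaces
  p.pid,
  p.name,
  p.path,
  p.cmdline
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
WHERE lp.port != 0
ORDER BY lp.port;

-- 2. A "should not happen on a healthy host" check, in the spirit of looking
--    for behavior that only a compromised system would show: a listening
--    process whose executable no longer exists on disk. Legitimate services
--    keep their binary; a process that removed itself after launch is worth
--    triage, so this is a good candidate for an osqueryd scheduled query.
SELECT
  lp.port,
  lp.protocol,
  p.pid,
  p.name,
  p.path,
  p.cmdline
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
WHERE p.on_disk = 0;
```

Run either query in osqueryi for a one-off look, or place it in the osqueryd schedule so the daemon logs changes to the result set over time.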
“Tables are easy to write, so we often encourage new contributors to develop a few tables as an introduction to the osquery codebase,” Arpaia said.
The codebase is modular and today’s release also includes several other tools including an interactive query console called osqueryi, which includes dozens of built-in SQL tables. Also included is a host-monitoring daemon called osqueryd, which enables a user to schedule queries for execution across an infrastructure.
“The daemon takes care of aggregating the query results over time, and generates logs which indicate state changes in your infrastructure. You can use this to maintain insight into the security, performance, configuration and state of your entire infrastructure,” Arpaia said. “Osqueryd’s logging can integrate into your existing internal log aggregation pipeline, regardless of your technology stack, via a robust plugin architecture.”
Arpaia said Facebook shared osquery with a few external companies and integrated their feedback into the current codebase, which is available on GitHub.
Osquery is also eligible for Facebook’s Whitehat program. Researchers participating in the program can now submit vulnerabilities found in the code and be eligible for a bounty. Facebook said the minimum vulnerability payout is $2,500, and there is no maximum.
To be eligible, the bug must reside in the osquery core code, and among the bugs eligible are privilege escalation and remote code execution, Arpaia said.
As for the Internet Defense Prize, Facebook said it will continue to work with USENIX, as it did this year, to evaluate submissions and determine prize winners, which will be paid out next August at the USENIX security conference.
At this year’s event, Facebook paid out $50,000 to a pair of German researchers for a static analysis tool that detected second-order vulnerabilities.