Tomas Kracmar
763da003d3
Complete repository of frameworks, playbooks, and assessment resources for cybersecurity consultations focused on antifragile enterprise design. Includes: - Core philosophy and manifest (5 pillars) - 12 modular engagement packages - AI sovereignty and operations frameworks - Zero-budget vulnerability discovery and hardening playbooks - M365 E3 hardening and antifragile project plans - Osquery sovereign discovery platform blueprint - Perimeter scanning capability guide - AI-assisted TVM blueprint for AI-powered adversaries - Vertical specializations: banking, telco, power/utilities - CIS Controls v8 and NIST CSF 2.0 mappings - Risk registers and assessment templates - C-suite conversation guide and business case templates
23 KiB
23 KiB
osquery: The Sovereign Discovery Platform
"Tenable sees what Tenable chooses to show you. osquery sees whatever you ask it to see. The difference is sovereignty."
This document provides a complete blueprint for building a custom vulnerability discovery, compliance, and asset inventory platform on osquery—the open-source, cross-platform endpoint agent that exposes operating systems as SQL databases. It is designed for consultancies and clients who want owned visibility rather than rented scanner reports.
Osquery is the technical expression of the antifragile principle: sovereign intelligence. Your data. Your queries. Your infrastructure. No third-party black box.
Why osquery Fits the Antifragile Posture
| Commercial Scanner | osquery |
|---|---|
| Proprietary detection logic | Open-source SQL queries you can inspect, modify, and extend |
| Data sent to vendor cloud | Data stays on your infrastructure |
| Vendor-defined scan scope | You define what to query; if you can think it, you can ask it |
| Per-asset licensing cost | Free and open-source |
| Quarterly or monthly scans | Continuous or on-demand; you control the cadence |
| Generic report templates | Custom dashboards and reports built on your data |
| Vendor lock-in | Portable SQL queries; migrate to any platform |
The executive framing:
"Tenable is a rented microscope. It shows you what the manufacturer decided you should see. osquery is a laboratory. You design the experiments, you collect the samples, and you interpret the results. It requires more expertise—but it produces intelligence that no competitor can replicate because it is built on your specific questions about your specific environment."
What osquery Actually Is
Osquery is an endpoint agent that runs on Windows, macOS, Linux, and FreeBSD. It exposes the operating system as a relational database with hundreds of tables:
| Table Category | Examples | What You Can Ask |
|---|---|---|
| Processes | processes, process_memory_map, process_open_sockets |
"Show me processes listening on external ports" |
| Network | listening_ports, interface_details, etc_hosts |
"Show me hosts with no firewall enabled" |
| Users & Authentication | users, groups, shadow, logged_in_users |
"Show me accounts with password never expires" |
| Software & Packages | programs, deb_packages, rpm_packages, chrome_extensions |
"Show me installed software with known vulnerable versions" |
| System Configuration | os_version, system_info, registry |
"Show me all Windows Server 2012 machines" |
| Security | startup_items, scheduled_tasks, authorizations |
"Show me persistence mechanisms" |
| File Integrity | file_events, hash |
"Show me changes to /etc/passwd in the last hour" |
| Hardware | usb_devices, system_info, cpu_info |
"Show me unmanaged USB devices" |
The power: You write SQL. osquery returns live system data. No proprietary query language. No vendor-defined limits.
Deployment Architecture
Model 1: Standalone / Ad-Hoc (Proof of Concept)
For a first sweep or targeted investigation:
# Install osquery on a single system
# Windows: choco install osquery
# macOS: brew install osquery
# Ubuntu: apt install osquery
# Run a query interactively
osqueryi "SELECT name, version, install_date FROM programs WHERE name LIKE '%Adobe%'"
# Run a query from file
osqueryi --json < queries/windows-software-inventory.sql > results.json
Use case: Consultant's laptop runs osqueryi against a script-generated target list via SSH/WinRM. No infrastructure. No agents permanently deployed. Perfect for first sweeps.
Model 2: Scheduled Agent with Local Logging (Basic Monitoring)
Deploy osquery as a daemon with scheduled queries writing to local files or syslog:
// /etc/osquery/osquery.conf
{
"schedule": {
"installed_software": {
"query": "SELECT name, version, install_date FROM programs;",
"interval": 86400,
"description": "Daily software inventory"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address != '127.0.0.1';",
"interval": 3600,
"description": "Hourly external listening ports"
},
"missing_patches": {
"query": "SELECT hotfix_id, installed_on FROM patches WHERE hotfix_id NOT IN (SELECT hotfix_id FROM patches WHERE installed_on > date('now', '-30 days'));",
"interval": 86400,
"description": "Daily patch compliance check"
}
},
"options": {
"logger_path": "/var/log/osquery",
"logger_plugin": "filesystem"
}
}
Use case: Small environments (50-500 endpoints) where centralized management is not yet justified. Logs are collected by existing SIEM or file forwarder.
Model 3: FleetDM (The Recommended Control Plane)
FleetDM is an open-source management platform for osquery. It provides:
- Centralized query scheduling across thousands of endpoints
- Live query capability (ask a question; get answers in seconds)
- Policy enforcement (compliance checks with pass/fail reporting)
- Software inventory and vulnerability mapping
- Device health monitoring
- SSO integration
- API for automation and reporting
Deployment:
┌─────────────┐ ┌─────────────┐ ┌─────────────────┐
│ FleetDM │────▶│ MySQL │────▶│ Redis (cache) │
│ (Web/API) │ │ ( datastore)│ │ │
└──────┬──────┘ └─────────────┘ └─────────────────┘
│
│ HTTPS (TLS 1.2+)
▼
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ osquery │ │ osquery │ │ osquery │
│ (Windows) │ │ (Linux) │ │ (macOS) │
└─────────────┘ └─────────────┘ └─────────────┘
FleetDM pricing:
- Free tier: Up to 1,000 hosts, full osquery management, basic vulnerability mapping
- Premium: ~$7/host/year for advanced features, SSO, API access, premium support
- Self-hosted: The software is open-source; you pay only for infrastructure
The business case:
| Solution | Cost for 1,000 hosts/year | Data Sovereignty |
|---|---|---|
| Tenable.io | ~$50,000-€100,000 | Data in vendor cloud |
| Qualys VMDR | ~$40,000-€80,000 | Data in vendor cloud |
| FleetDM + osquery | ~$7,000 (premium) or $0 (free) + infrastructure | Data in your infrastructure |
Query Packs for Vulnerability Discovery
Windows Vulnerability Discovery Pack
-- windows-vuln-discovery.sql
-- Run via: osqueryi < windows-vuln-discovery.sql
-- 1. End-of-life operating systems
SELECT
si.computer_name,
os.name AS os_name,
os.version AS os_version,
os.build AS os_build,
CASE
WHEN os.version LIKE '6.1%' THEN 'Windows 7/Server 2008 R2 - END OF LIFE'
WHEN os.version LIKE '6.2%' THEN 'Windows 8/Server 2012 - END OF LIFE'
WHEN os.version LIKE '6.3%' THEN 'Windows 8.1/Server 2012 R2 - END OF LIFE'
WHEN os.version LIKE '10.0.1%' THEN 'Windows 10/Server 2016 - Check build'
WHEN os.build < '17763' THEN 'Windows 10/Server 2019 - Outdated build'
ELSE 'Current or check manually'
END AS eol_status
FROM os_version os
CROSS JOIN system_info si;
-- 2. Missing critical patches (last 90 days)
SELECT
si.computer_name,
COUNT(*) AS missing_patches
FROM patches p
CROSS JOIN system_info si
WHERE p.installed_on < date('now', '-90 days')
OR p.installed_on IS NULL
GROUP BY si.computer_name
HAVING missing_patches > 5;
-- 3. Software with known vulnerable versions (customizable)
SELECT
si.computer_name,
p.name,
p.version,
CASE
WHEN p.name LIKE '%Adobe Reader%' AND CAST(REPLACE(p.version, '.', '') AS INTEGER) < 2023000 THEN 'POTENTIALLY VULNERABLE'
WHEN p.name LIKE '%Java%' AND p.version LIKE '8u%' AND CAST(SUBSTR(p.version, 3) AS INTEGER) < 381 THEN 'POTENTIALLY VULNERABLE'
WHEN p.name LIKE '%Chrome%' AND CAST(REPLACE(SUBSTR(p.version, 1, 2), '.', '') AS INTEGER) < 120 THEN 'POTENTIALLY VULNERABLE'
ELSE 'REVIEW MANUALLY'
END AS vuln_status
FROM programs p
CROSS JOIN system_info si
WHERE p.name IN ('Adobe Reader', 'Java', 'Google Chrome', 'Mozilla Firefox', 'Microsoft Edge')
OR p.name LIKE '%Adobe%'
OR p.name LIKE '%Java%'
OR p.name LIKE '%Chrome%';
-- 4. Local administrators (excessive count = risk)
SELECT
si.computer_name,
COUNT(*) AS admin_count,
GROUP_CONCAT(u.username, '; ') AS admin_users
FROM users u
JOIN user_groups ug ON u.uid = ug.uid
JOIN groups g ON ug.gid = g.gid
CROSS JOIN system_info si
WHERE g.groupname = 'Administrators'
GROUP BY si.computer_name
HAVING admin_count > 3;
-- 5. Services listening on external interfaces
SELECT
si.computer_name,
lp.port,
lp.protocol,
p.name AS process_name,
p.path AS process_path,
lp.address
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
CROSS JOIN system_info si
WHERE lp.address NOT IN ('127.0.0.1', '::1', '0.0.0.0')
AND lp.address NOT LIKE '169.254.%'
AND lp.port > 0;
-- 6. Firewall disabled profiles
SELECT
si.computer_name,
f.name AS profile_name,
f.enabled AS firewall_enabled,
CASE WHEN f.enabled = 0 THEN 'CRITICAL: FIREWALL DISABLED' ELSE 'OK' END AS status
FROM windows_firewall_rules f
CROSS JOIN system_info si
WHERE f.enabled = 0;
-- 7. BitLocker encryption status (Windows)
SELECT
si.computer_name,
d.letter,
d.type,
d.encrypted,
CASE WHEN d.encrypted = 0 THEN 'UNENCRYPTED' ELSE 'ENCRYPTED' END AS encryption_status
FROM bitlocker_info d
CROSS JOIN system_info si;
Linux Vulnerability Discovery Pack
-- linux-vuln-discovery.sql
-- 1. OS version and kernel (check for EOL)
SELECT
si.hostname,
os.name,
os.version,
os.platform,
os.platform_like,
k.version AS kernel_version
FROM os_version os
CROSS JOIN system_info si
LEFT JOIN kernel_info k ON 1=1;
-- 2. Packages with known CVEs (requires vulners or manual correlation)
SELECT
si.hostname,
dp.name,
dp.version,
dp.source,
dp.arch
FROM deb_packages dp
CROSS JOIN system_info si
WHERE dp.name IN ('openssl', 'openssh-server', 'nginx', 'apache2', 'mysql-server', 'postgresql')
UNION ALL
SELECT
si.hostname,
rp.name,
rp.version,
rp.source,
rp.arch
FROM rpm_packages rp
CROSS JOIN system_info si
WHERE rp.name IN ('openssl', 'openssh-server', 'nginx', 'httpd', 'mariadb-server', 'postgresql-server');
-- 3. SSH hardening checks
SELECT
si.hostname,
c.key,
c.value,
CASE
WHEN c.key = 'PermitRootLogin' AND c.value = 'yes' THEN 'CRITICAL: Root login permitted'
WHEN c.key = 'PasswordAuthentication' AND c.value = 'yes' THEN 'HIGH: Password auth enabled'
WHEN c.key = 'Port' AND c.value != '22' THEN 'INFO: Non-standard port'
ELSE 'Review'
END AS risk
FROM ssh_configs c
CROSS JOIN system_info si
WHERE c.key IN ('PermitRootLogin', 'PasswordAuthentication', 'Port', 'Protocol', 'MaxAuthTries');
-- 4. Sudoers with NOPASSWD (privilege escalation risk)
SELECT
si.hostname,
su.source,
su.header,
su.rule_details
FROM sudo_rules su
CROSS JOIN system_info si
WHERE su.rule_details LIKE '%NOPASSWD%'
OR su.rule_details LIKE '%ALL=(ALL:ALL) ALL%';
-- 5. Listening ports with process attribution
SELECT
si.hostname,
lp.port,
lp.protocol,
lp.address,
p.name AS process_name,
p.pid,
p.path
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
CROSS JOIN system_info si
WHERE lp.address NOT IN ('127.0.0.1', '::1', '0.0.0.0');
-- 6. Setuid/setgid binaries (privilege escalation paths)
SELECT
si.hostname,
f.path,
f.directory,
f.filename,
f.uid,
f.gid,
f.mode,
datetime(f.atime, 'unixepoch') AS last_accessed
FROM file f
CROSS JOIN system_info si
WHERE f.path IN ('/usr/bin', '/usr/sbin', '/bin', '/sbin')
AND (f.mode LIKE '%4000%' OR f.mode LIKE '%2000%');
-- 7. Container presence and image versions
SELECT
si.hostname,
dc.id,
dc.name,
dc.image,
dc.image_id,
dc.state,
dc.created
FROM docker_containers dc
CROSS JOIN system_info si
WHERE dc.state = 'running';
-- 8. Kubernetes pod security (if applicable)
SELECT
si.hostname,
kp.name,
kp.namespace,
kp.status,
kp.containers
FROM kubernetes_pods kp
CROSS JOIN system_info si;
macOS Vulnerability Discovery Pack
-- macos-vuln-discovery.sql
-- 1. macOS version (check for EOL)
SELECT
si.computer_name,
os.name,
os.version,
os.platform,
os.build
FROM os_version os
CROSS JOIN system_info si;
-- 2. Installed applications (macOS apps)
SELECT
si.computer_name,
a.name,
a.bundle_short_version,
a.bundle_version,
a.path
FROM apps a
CROSS JOIN system_info si
WHERE a.name IN ('Safari', 'Google Chrome', 'Firefox', 'Microsoft Edge', 'Adobe Acrobat Reader', 'Zoom', 'Slack');
-- 3. Gatekeeper and SIP status
SELECT
si.computer_name,
g.key,
g.value
FROM gatekeeper g
CROSS JOIN system_info si
UNION ALL
SELECT
si.computer_name,
'SIP' AS key,
CASE WHEN sip.enabled = 1 THEN 'ENABLED' ELSE 'DISABLED' END AS value
FROM sip_config sip
CROSS JOIN system_info si;
-- 4. FileVault encryption status
SELECT
si.computer_name,
f.user_uuid,
f.status,
CASE WHEN f.status = 'Off' THEN 'UNENCRYPTED' ELSE 'ENCRYPTED' END AS encryption_status
FROM filevault_users f
CROSS JOIN system_info si;
Building the Custom TVM Platform on osquery + FleetDM
Step 1: Deploy FleetDM (1 day)
# Option A: Docker Compose (fastest for proof of concept)
git clone https://github.com/fleetdm/fleet.git
cd fleet/tools/osquery
docker-compose up -d
# Option B: Binary deployment for production
curl -L https://github.com/fleetdm/fleet/releases/latest/download/fleet.zip -o fleet.zip
unzip fleet.zip
./fleet prepare db
./fleet serve
Step 2: Enroll Endpoints (1 day)
Generate an enrollment secret in FleetDM, then deploy osquery with FleetDM configuration:
# Windows (via Intune, GPO, or script)
# Install osquery MSI with FleetDM flags
osqueryd.exe --enroll_secret=YOUR_SECRET --tls_server=fleet.yourcompany.com:443
# Linux (via package manager + config)
apt install osquery
# Edit /etc/osquery/osquery.flags:
# --enroll_secret=YOUR_SECRET
# --tls_server=fleet.yourcompany.com:443
systemctl enable osqueryd && systemctl start osqueryd
# macOS (via MDM or script)
brew install osquery
# Similar flag configuration
launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
Step 3: Define Policies (Compliance Checks)
FleetDM policies are scheduled queries that evaluate to PASS or FAIL:
-- Policy: Disk encryption enabled (Windows)
SELECT 1 FROM bitlocker_info WHERE encrypted = 1;
-- Policy: macOS FileVault enabled
SELECT 1 FROM filevault_users WHERE status = 'On';
-- Policy: No password authentication on SSH (Linux)
SELECT 1 FROM ssh_configs WHERE key = 'PasswordAuthentication' AND value = 'no';
-- Policy: No root login via SSH (Linux)
SELECT 1 FROM ssh_configs WHERE key = 'PermitRootLogin' AND value = 'no';
-- Policy: Windows Firewall enabled on all profiles
SELECT 1 FROM windows_firewall_rules WHERE enabled = 1 GROUP BY name HAVING COUNT(*) = 3;
-- Policy: Critical OS patches within 30 days
SELECT 1 FROM patches WHERE installed_on > date('now', '-30 days');
Dashboard output: FleetDM shows percentage compliance per policy across all enrolled hosts.
Step 4: Vulnerability Correlation (The Custom Layer)
FleetDM's free tier includes basic CVE mapping for installed software. For advanced correlation, build a custom pipeline:
# vuln-correlator.py
# Runs nightly: pulls FleetDM software inventory, correlates with CVE database
import requests
import sqlite3
from datetime import datetime
# 1. Pull software inventory from FleetDM API
FLEET_API = "https://fleet.yourcompany.com/api/v1"
HEADERS = {"Authorization": "Bearer YOUR_API_TOKEN"}
hosts = requests.get(f"{FLEET_API}/hosts", headers=HEADERS).json()["hosts"]
# 2. Connect to local CVE database (NVD dump or vulners)
conn = sqlite3.connect("cve-db.sqlite")
cursor = conn.cursor()
findings = []
for host in hosts:
host_id = host["id"]
host_name = host["hostname"]
# Get installed software
software = requests.get(f"{FLEET_API}/hosts/{host_id}/software", headers=HEADERS).json()["software"]
for app in software:
name = app["name"]
version = app["version"]
# Query CVE database for this software+version
cursor.execute("""
SELECT cve_id, severity, description
FROM cves
WHERE software_name = ? AND affected_versions LIKE ?
""", (name, f"%{version}%"))
vulns = cursor.fetchall()
for cve_id, severity, description in vulns:
findings.append({
"host": host_name,
"software": name,
"version": version,
"cve": cve_id,
"severity": severity,
"description": description[:200]
})
# 3. Generate report
with open(f"vuln-report-{datetime.now().strftime('%Y%m%d')}.json", "w") as f:
import json
json.dump(findings, f, indent=2)
# 4. Push critical findings to SIEM or Slack
# (Integration code here)
Step 5: AI-Assisted Prioritization
Feed osquery/FleetDM data into the AI TVM prioritization engine:
[FleetDM Software Inventory] ──▶ [CVE Correlator] ──▶ [AI Prioritization]
[FleetDM Policy Failures] ──▶ [Risk Scoring] ──▶ [AI Prioritization]
[osquery Listening Ports] ──▶ [Exposure Analysis] ──▶ [AI Prioritization]
[osquery OS Version] ──▶ [EOL Detection] ──▶ [AI Prioritization]
──▶ [Executive Brief]
The AI receives structured, queryable data from osquery—not proprietary scan reports. This means:
- You can ask the AI: "Which hosts have both Adobe Reader and an open RDP port?"
- You can ask the AI: "Show me all Linux servers running kernel versions with known CVEs"
- You can ask the AI: "What changed in our software inventory since last week?"
The Consultant's Delivery Model
Engagement 1: Osquery Discovery Sprint (5 days)
| Day | Activity | Deliverable |
|---|---|---|
| 1 | Deploy FleetDM proof-of-concept | Operational FleetDM instance |
| 2 | Enroll 10-20 representative hosts | Live endpoint data flowing |
| 3 | Run vulnerability discovery query packs | Raw findings exported |
| 4 | Build custom queries for client's specific concerns | Client-specific query library |
| 5 | Present findings + propose scaled deployment | Board-ready report; deployment roadmap |
Investment: €3,500–€5,500 (labor only; software is free) Standalone value: Complete asset and vulnerability inventory of representative estate
Engagement 2: Custom Platform Build (30 days)
- Scale FleetDM to full estate
- Build custom query library for client's specific compliance and security needs
- Integrate CVE correlation pipeline
- Build executive dashboards
- Train internal team on query authoring
- Hand over operational control
Engagement 3: Continuous Improvement Retainer
- Monthly: New CVE correlation rules, query tuning, policy updates
- Quarterly: Purple team exercise using osquery data for detection validation
- Annually: Platform architecture review, query library refresh
When Osquery Is the Right Choice
| Scenario | Recommendation |
|---|---|
| Client has 50-5,000 endpoints, no existing scanner | osquery + FleetDM is ideal. Cheaper, more flexible, and sovereign. |
| Client has 5,000-50,000 endpoints, heterogeneous | osquery + FleetDM can scale. Consider premium tier or multi-node deployment. |
| Client needs compliance audit trails (PCI, SOC 2) | Supplement with commercial scanner. Auditors prefer vendor-validated reports. osquery provides operational intelligence; commercial scanner provides audit evidence. |
| Client has heavy OT/ICS environment | osquery for IT endpoints; specialized scanner for OT. osquery does not speak Modbus or OPC-UA. |
| Client wants "set and forget" | Commercial scanner may be better. osquery requires ongoing query authoring and maintenance. |
Talking Points for the CTO
When they say: "We are considering Tenable but it is expensive."
You respond:
"Tenable is excellent at what it does. But it is a rented microscope with a fixed lens. Osquery is a laboratory. For the cost of one Tenable subscription, you can build a sovereign vulnerability discovery platform that answers questions Tenable never thought to ask. Let us run a 5-day proof of concept. If osquery does not find actionable vulnerabilities in your environment, you have the evidence to justify Tenable. If it does, you have a cheaper, more flexible alternative that you own outright."
When they say: "We do not have the expertise to write SQL queries."
You respond:
"You do not need to write them from scratch. The osquery community has published thousands of battle-tested queries. FleetDM includes hundreds of pre-built policies. We start with those, customize them for your environment, and train your team to extend them. The expertise grows with the platform."
When they say: "Our SIEM already collects endpoint data."
You respond:
"Your SIEM collects logs. Logs are what the system chose to record. Osquery queries are what you choose to ask. A log might tell you a process started. An osquery query can tell you every process with a network connection, its parent process, its binary hash, and whether that hash matches a known good baseline. The difference is interrogation versus observation."
Integration With Existing Frameworks
| Document | Integration |
|---|---|
| Zero-Budget Vulnerability Discovery | osquery is the most powerful zero-budget discovery method; it replaces or supplements PowerShell/SSH scripts |
| AI-Assisted TVM Blueprint | osquery provides the structured data feed for AI prioritization; it is the discovery layer of the AI TVM architecture |
| Perimeter Scanning Capability | osquery covers internal endpoints; perimeter scanning covers external attack surface; together they provide complete visibility |
| Modular Engagements | osquery sprint can be delivered as a standalone 5-day module or as the foundation of a larger TVM engagement |
| Business Case Template | osquery + FleetDM costs vs. commercial scanner costs |
For script-based discovery without agents, see Zero-Budget Vulnerability Discovery. For the AI prioritization layer, see AI-Assisted TVM Blueprint. For external attack surface scanning, see Perimeter Scanning Capability.