Osquery 4.7.0 Inventory Improvements
Recently, the Kolide change-log has been bursting at the seams with improvements and new features, and while it’s been fun bringing good news and cheer to you all on a near-daily basis, enough is enough.
Instead of dragging this out over the next three days, we decided to create one big post with all of the Inventory improvements we’ve recently shipped to close out the week. Let’s get started!
New Inventory Item - macOS System Extensions
Apple introduced their safer alternative to Kernel Extensions called System Extensions with the release of macOS Catalina in 2019. Now with Big Sur, Kernel Extensions are no more. Thanks to some incredible work by Kumarak of Trail of Bits, Osquery 4.7.0 now supports enumerating these extensions.
We are excited to announce that we’ve added these System Extensions to the default set of macOS Inventory.
#
Improved Inventory - Windows User Metadata
On macOS, Kolide is not only able to enumerate the users of a particular device, but it can also enumerate additional metadata, like the number of times the user logged in or the last time the password was set.
Starting this week, Windows joins the party! Using WMI, Kolide can now collect additional metadata information about the device’s user accounts, including:
-
last_logged_in_at
- When the user last logged in. -
logins_count
- The total number of times the device user logged into the system. -
failed_logins_count
- The total number of times someone attempted to access a user account with incorrect credentials. -
password_last_set_at
- The precise time the user’s password was changed or initially set. -
password_expires_at
- The precise time the user’s password expires (when applicable). -
windows_user_type
- The type of Windows User (Ex: “Normal Account”, “Domain Trust Account”, etc.)
This information can be extremely helpful for our customers who really want to understand who the device’s primary user is (based on login count). Additionally, knowing when a user last changed their password can be invaluable if you want to ensure that the user’s password meets the complexity requirements in the most recent set policy.
You can check out these new columns in the Device Users Inventory section.
Improved Inventory - Google Chrome Extensions
The term Google Chrome Extension has become a bit of a catch-all with the recent arrival of many different browsers based on the Chromium open-source project. It’s common-place now to find end-users installing Chromium extensions in Brave, Edge, or even Opera.
To that end, Kolide leverages all the great work done in Alessandro Gario of Trail of Bits in Osquery 4.7.0 to help you sort out which extensions belong to which browser, the enabled state of the extension, among other important details.
Check out the Google Chrome Inventory to peruse this new information.
#
Improved Inventory & Widget - macOS FileVault Status
I recently contributed an improvement to the disk_encryption table in Osquery that more clearly defines the difference between a encrypted disk and one that FileVault actually protects. At the same time, we also updated our built-in FileVault Check.
Now that these improvements are shipped in Osquery itself, we have updated our Disk Space widget and added the new column in Inventory.
You can see the new filevault_status
and related fields in the Storage Devices Inventory section.
As always, please do not hesitate to reach out with questions or feedback!