We Have Updated Our FileVault Mac Check

Until today, Kolide has leveraged Osquery's disk_encryption table to report the Full Disk Encryption status of macOS in our check labeled "FileVault2 Primary Disk Encryption".

However, we have discovered that Osquery considers the built-in SSD on M1 Macs and Macs with the T2 Secure Enclave to be "encrypted", even though their files can be trivially accessed by anyone with physical possession of the device without the user's password. Enabling FileVault is the only sure way to protect the data on your Mac.

Since our FileVault check was created to help our customers ensure the data on their Macs is safe in the event the device is stolen, lost, or otherwise in the possession of a bad actor, we have taken the following corrective actions:

  1. We have released a new version of our Kolide agent (0.11.17) which contains an accurate attestation about the status of FileVault.
  2. We have updated our Check to utilize the new features of our agent.
  3. Since the latest release of Osquery is unable to obtain the status of FileVault, we have contributed our own patch for the benefit of the community.
  4. We have written an informative blog post about this situation to better educate Mac Admins who might be unfamiliar with the differences between Full Disk Encryption and FileVault on modern Macs.

We feel that these actions will better help not only Kolide customers, but anyone else who relies on Osquery for similar information.
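As an added example (not the Kolide agent's code or the contributed Osquery patch), the Python below classifies the text printed by Apple's "fdesetup status" tool, which reports the state of FileVault itself rather than the hardware encryption of the SSD; the sample outputs are constructed and the state names are our own.

```python
import re
import subprocess
from enum import Enum


class FileVaultState(Enum):
    ON = "on"                  # volume fully encrypted by FileVault
    ENCRYPTING = "encrypting"  # FileVault enabled, conversion still running
    DEFERRED = "deferred"      # enablement deferred until the user next logs in
    OFF = "off"
    UNKNOWN = "unknown"        # unrecognised output; treat as a failure


def parse_fdesetup_status(output: str) -> FileVaultState:
    """Classify `fdesetup status` output (macOS).

    The message strings matched here are the ones the tool prints; the
    grouping into states is this example's own. "FileVault is On." can be
    followed by an "Encryption in progress" line, so a naive substring
    match on "On" would pass a volume that is only partly encrypted.
    """
    text = output.strip()
    if re.search(r"^Deferred enablement appears to be active", text, re.M):
        return FileVaultState.DEFERRED
    if re.search(r"^FileVault is On\.", text, re.M):
        if re.search(r"^Encryption in progress", text, re.M):
            return FileVaultState.ENCRYPTING
        return FileVaultState.ON
    if re.search(r"^FileVault is Off\.", text, re.M):
        return FileVaultState.OFF
    return FileVaultState.UNKNOWN


def check_passes(state: FileVaultState) -> bool:
    """Only a fully encrypted volume satisfies the check."""
    return state is FileVaultState.ON


def live_status() -> FileVaultState:
    """Run the real tool; only meaningful on a Mac."""
    out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True)
    return parse_fdesetup_status(out.stdout)


# Constructed sample outputs so the example runs offline on any platform.
SAMPLES = {
    "on": "FileVault is On.\n",
    "off": "FileVault is Off.\n",
    "encrypting": "FileVault is On.\nEncryption in progress: Percent completed = 37\n",
    "deferred": "FileVault is Off.\nDeferred enablement appears to be active for user 'alice'.\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        state = parse_fdesetup_status(text)
        print(f"{name:11s} -> {state.value:11s} pass={check_passes(state)}")
```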

As always, please let us know if you have any follow-up questions or concerns.

Recently Discovered Evil Chrome Extensions

On December 16th, Threat Intelligence researchers from Avast discovered several browser extensions that contained privacy-invading malware. Read the press release here.

In the press release, Avast summarizes the embedded malware's capabilities in the following paragraph.

Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. Users’ privacy is compromised by this procedure since a log of all clicks is being sent to these third-party intermediary websites. The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user).

In response, Kolide has created a new Check called Evil Chrome Extension - Browser History Sniffer which detects all reported compromised Chrome extensions from the Avast report. We suggest immediately enabling end-user notifications on this Check.

If users have one or more of these extensions installed, they will receive a notification that looks like the following:

If you have any questions or concerns about this check, please reach out to us at support@kolide.co or via the Intercom widget on the bottom-right corner of the Kolide application.

For your convenience, below is a list of the Chrome Extension identifiers extracted from the links in the press release.


Kolide Side Dishes

At Kolide, we typically ship changes and improvements to the product multiple times a day. The vast majority of these changes are modest improvements not worthy of their own change-log post, but together, they can make a big difference.

While we are working on some 25-pound-turkey sized features we plan on announcing soon, we thought we'd let you dig into some of these side-dishes first! Enjoy.

UX Improvements

Tools Menu

Depending on your level of access to Kolide, you may notice a new item in the main navigation called "Tools". This menu now houses all of the useful features of the product that don't quite need top-billing, but also do not belong in the "settings" section of the website.

Speaking of tools, the "Reporting DB" feature listed here is a feature we are currently beta testing with a few customers. If you are interested in being able to programmatically access all of the data we collect about a device in inventory, and eventually build your own reports on that data with SQL, please reach out to us via Intercom or support@kolide.co and we'd be happy to include you in our next round of testers!

Log Pipeline

The biggest change here is Log Pipeline, a feature that allows you to unlock the full power of the osquery daemon we deploy in the Kolide agent. This feature is now easier to find, and users with access to it can also access other related features like creating FIM categories, configuring osquery options, and setting up your own custom decorators!

As users of the Log Pipeline ourselves, we think all these items living together is a much more intuitive experience. Let us know what you think!

Improved Context For Slack Notifications

When an end-user successfully fixes a failing check, Kolide shows them a congratulatory message. Sometimes though, depending on the timing of the message, or where the message appeared, there might be some confusion about what device this message is referencing.

After a customer pointed this out, we decided to add some additional context to these messages so it's always clear which device Kolide is congratulating you about!

Search By Device and Person ID

If you are a regular user of our API (or are just really good at remembering numbers you see in your browser's location bar), you may have tried to look up a device or person by their Kolide-generated ID in our global search bar. Starting today, searching for either devices or people by their ID will function as you would expect!

Performance Improvements

Live Query

If you are a regular user of Live Query, you may have noticed that devices now return up to 10x faster after querying them, and present any informational warnings or errors without requiring a page reload! Kolide now better leverages websockets to deliver this information at a much faster pace.

Device CSV Exports

We had reports from several customers that exporting the list of devices via CSV could take a long time. After investigating the issue we were able to improve the speed of this export by over 100x!

Improved User To Device Association

We've made some changes to how we build custom packages and optimized our initial device data population routines to improve the accuracy and the speed with which we are able to assign users to a device. Additionally, the file names we generate for the custom packages are now much shorter!

API Changes

Based on a customer request, we've added a new field called product_image_url to the device API endpoint. In many cases (and in all cases on Apple products), this new field features an image of the exact hardware model enrolled in Kolide. For those of you creating your own internal experiences, these device images can help give you and your end-users the confidence that they are viewing the right device.

Speaking of product images, we've also added updated product images for all of the new M1 Macs released by Apple earlier this month, and we've changed many of the icons on the widgets featured in the device detail pages to match the changes in macOS Big Sur!

On the log pipeline side, we've also added remote_ip, device_owner_email, and device_owner_type to the kolide_decorations object in the logs emitted by our product in the log pipeline. This will allow you to easily correlate device activity with a specific individual for potential integrations with IDP and authentication services.

We at Kolide hope you are all having a safe, healthy, and joyful holiday season. As always, please reach out with suggestions and feedback. Many of the improvements here were generated from customers just like you!

New Linux Checks: Gnome Screenlock & Unsupported Ubuntu

Happy October everyone! 

As part of our commitment to improve Check support on Linux, Kolide is excited to announce the immediate availability of two new Checks for Linux systems.

The first is the Ubuntu OS Version Unsupported Check which uses Canonical's official Launchpad releases API to detect versions of Ubuntu that are no longer formally supported. An unsupported version of Ubuntu may not receive critical security patches, so it is important that end-users upgrade their OS right away. If Kolide detects a version of Ubuntu that is not considered "active" by Canonical, it will generate a failure.
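The Ubuntu lookup described above, as an added Python example that is not Kolide's own implementation: it matches the VERSION_ID from /etc/os-release against the series list published by the Launchpad API and fails when Canonical no longer marks that series active. The Launchpad field names used (name, version, status, active) are those of the public API; the embedded series list and os-release text are constructed samples so the example runs offline.

```python
import json
import urllib.request

LAUNCHPAD_SERIES_URL = "https://api.launchpad.net/1.0/ubuntu/series"


def parse_os_release(text: str) -> dict:
    """Parse /etc/os-release KEY=value lines; values may be quoted."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key] = value.strip().strip('"').strip("'")
    return result


def series_index(series_json: dict) -> dict:
    """Map Ubuntu version strings (e.g. "20.04") to their Launchpad series entry."""
    return {e["version"]: e for e in series_json.get("entries", []) if e.get("version")}


def ubuntu_unsupported(os_release: dict, series: dict):
    """Return (fails_check, reason) for a parsed os-release dict.

    Unsupported means Launchpad marks the series inactive. A version
    Launchpad has never heard of is also flagged, since it cannot be
    receiving Canonical's security updates.
    """
    if os_release.get("ID") != "ubuntu":
        return False, "not Ubuntu; check does not apply"
    version = os_release.get("VERSION_ID", "")
    entry = series.get(version)
    if entry is None:
        return True, f"Ubuntu {version} is unknown to Launchpad"
    reason = f"Ubuntu {version} ({entry['name']}) is {entry['status']}"
    return (not entry.get("active", False)), reason


def fetch_series(url: str = LAUNCHPAD_SERIES_URL) -> dict:
    """Fetch the live series list (network access required)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed, abbreviated stand-in for the Launchpad response (not live data).
SAMPLE_SERIES = {"entries": [
    {"name": "trusty", "version": "14.04", "status": "Obsolete", "active": False},
    {"name": "bionic", "version": "18.04", "status": "Supported", "active": True},
    {"name": "focal", "version": "20.04", "status": "Current Stable Release", "active": True},
]}
# Constructed os-release content for an end-of-life machine.
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nVERSION_ID="14.04"\nID=ubuntu\nVERSION_CODENAME=trusty\n'

if __name__ == "__main__":
    failed, why = ubuntu_unsupported(parse_os_release(SAMPLE_OS_RELEASE), series_index(SAMPLE_SERIES))
    print("FAIL" if failed else "PASS", "-", why)
```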

The second check is Gnome Screenlock Disabled/Insecure. Like the Mac and Windows counterparts, this Check ensures that not only are the lock settings enabled, but that the screen will correctly sleep in a reasonable amount of time. Specifically, this Check ensures that:

  • The screen sleeps within 10 minutes or less of idle time
  • A password is required to resume using the device if the screen is off for 5 minutes or greater
  • Both the screenlock and sleep idle settings are correctly enabled

In the future, Kolide is hoping to expand the support of these Checks to other popular window managers and flavors of Linux. Keep your eyes peeled for future announcements. As always, if you have questions or feedback, please reach out!

Improved User Slack Messages

Kolide is excited to announce a significantly improved experience for end-user Slack messages. 

End-user messages are arguably the most important part of Kolide's platform. It's important that the messages are easy to understand and are highly actionable.

One area that needed improving was the experience of sending messages to a user with a lot of similar failures for the same Check. Before this change, Kolide would send a user separate messages for each failure, even if those failures had nearly identical resolution instructions.

This was not ideal for many reasons. First, most people did not realize they were sent multiple messages, and would only read the last one. Even if they did realize, they would have to interact with every message to resolve those failures.

To change this, we wanted to design an experience that respected the user's time, and made fixing multiple similar failures as easy as possible. Let us walk you through how it works.

Below is an example failure notification. Notice how Kolide has detected 2 unique failures on this device. Now when you click "More Info / Resolve"...

instead of getting two separate messages for each failure, you will now get a single Slack message that looks like the following:

Note that all of the actionable failures are listed at the end of the message with the ❗emoji/symbol.

Now, when a user clicks "I've fixed it. Check again" Kolide will recheck each failure listed at the end of the message and strikethrough the ones that the user has fixed.

Kolide has updated all of our message templates to accommodate for this new format. Of course, if you see anything not looking like it should, please let us know.

Bonus: Improved Escalation Message

While we implemented this new Slack message user experience, Kolide took the opportunity to improve how failure escalations to administrators are displayed in Slack.

Instead of simply showing the full failure message, we now have a compact notification that includes the most important details.

When you click on "Show Full Notification", we take advantage of Slack's new modal feature to display the full message the user was shown. This allows you to keep the channel nice and tidy for your other teammates.

We hope you enjoy these improvements. We have a lot more planned for the Slack app in the near future!

Improved Check: Windows Screen Lock Disabled/Insecure

This is a follow-up post to the announcement we made about the macOS Screen Lock Check. In that macOS Check we really dug deep into the spirit of what Screen Lock means beyond just ensuring the setting for the feature is enabled.

While we already had a Windows Screen Lock check, it wasn't nearly as thoughtfully put together as the macOS one. To rectify this, we have shipped a new replacement check called Windows Screen Lock Disabled / Insecure.

Like its macOS sibling, a Windows Device needs to meet the following conditions to pass.

  1. The "On resume, display logon screen" setting is checked in the Screen Saver Settings panel, OR the "When PC wakes up from sleep" option is selected under the "Require sign-in" header in the "Sign-in options" section of Windows Settings.
  2. Your system must be configured to sleep or activate the screensaver after 15 minutes of idle time, regardless of whether it is running on battery or directly connected to an electrical outlet.

This Check replaces the original check and has a new ID and URL. Don't worry though, we have ported over your tags and notification options to the new Check.

We encourage you to take a look at the new Check and enable notifications so that your users can better secure their devices.

New Inventory - Screenlock Configs

In addition, we have also exposed data about Windows Screenlock configurations in Inventory. You can find this Inventory item at: https://k2.kolide.com/x/inventory/windows_screenlock_configs

In this Inventory Item we expose the following columns:

  • Screensaver Lock Enabled - True if the 'On resume, display logon screen' option is checked under the Screen Saver Settings control panel.
  • User Screensaver Idle - The amount of time in seconds before the Screen Saver is initiated. This is controlled by the dropdown labeled 'Wait: ... minutes' on the Screen Saver Settings control panel.
  • Requires Password on Wake AC - True if the Require sign-in dropdown is set to 'When PC wakes up from sleep' in the Sign-in Options screen. By default this dropdown controls both AC and Battery settings, but they can differ if configured manually via RegEdit or Group Policy.
  • Requires Password on Wake Battery - True if the Require sign-in dropdown is set to 'When PC wakes up from sleep' in the Sign-in Options screen. By default this dropdown controls both AC and Battery settings, but they can differ if configured manually via RegEdit or Group Policy.
  • Max Device Sleep Idle - The worst-case scenario for how long the device can be left idle before the configured Power Plan will initiate device sleep (either on AC or Battery power)
  • Device Sleep Idle AC - The amount of time in seconds (or "Never") the computer must be idle while connected to power before it goes to sleep. Controlled by Power Plan Settings.
  • Display Sleep Idle Battery - The amount of time in seconds (or "Never") the computer must be idle while running on Battery power, before it goes to sleep. Controlled by Power Plan Settings.
  • Lid Close Action AC - Describes the behavior of mobile devices (laptops) when the physical lid is closed on AC power. Controlled by the Control Panel: 'Change what closing the lid does'. May be one of the following options: (Nothing, Sleep, Hibernate, Shutdown).
  • Lid Close Action Battery - Describes the behavior of mobile devices (laptops) when the physical lid is closed on Battery power. Controlled by the Control Panel: 'Change what closing the lid does'. May be one of the following options: (Nothing, Sleep, Hibernate, Shutdown).

As always, let us know if you have any questions, concerns or feedback about this Check!

New Check: Microsoft Windows OS Not Licensed

We are excited to announce another new check and companion Inventory section for Windows, called Microsoft Windows OS Not Licensed.

This check looks for any unlicensed version of Microsoft Windows, from devices that have no product key entered to devices that are failing Microsoft's Genuine Advantage program.

While it's always a good idea to ensure your devices are running a licensed version of Windows, we didn't write this Check solely for compliance. Based on studies by experts, devices not running a genuine version of Windows are much more likely to be running other non-genuine or even pirated software, which drastically increases the likelihood the device may have a latent malware infection. In addition, non-licensed versions of Windows may have other issues, like an intentionally disabled Windows Update service.

For the reasons above, we highly recommend taking a look at this Check and ensuring your PCs are running a genuine version of Windows.

Additional Inventory - Microsoft Software Licenses

In addition to the Check above, we've shipped a companion Inventory section called Microsoft Software Licenses which enumerates the software license status for all in-scope Microsoft products on the system. In practice, this is usually just Microsoft Windows itself and Microsoft Office.

Under the hood, this Inventory section and the related check use Windows' SoftwareLicensing WMI class. We've taken extra care to translate the opaque error and status codes to English text, so you can easily understand why a license may not be fully activated or genuine.

Please let us know if you have any questions, concerns, or suggestions about this new check and Inventory section. Your feedback is always appreciated!

New Check: macOS Automatic Updates Improperly Configured

We are excited to announce the availability of a new K2 Check called "macOS Automatic Updates Improperly Configured".

This check is a companion to our macOS Missing Important Update check which only produces failures if the Mac has a security update downloaded/staged but not yet installed.

This new check goes a step further by ensuring that end-users have their Macs configured correctly to automatically keep them up to date. Specifically, this check queries the settings in the System Preferences > Software Update > Advanced... modal. The check only passes if the device has all of the following settings enabled...

This check will also properly detect and pass if these settings are forced on using a managed profile.

While Apple and Kolide both highly recommend having all of these settings enabled, you may not want to use this check if any of the following situations apply:

  • Your organization uses Munki's Software Center to distribute macOS updates. In this case, many of these settings may be disabled, but critical macOS and App Store updates will still be downloaded.
  • You deploy an automated script that invokes the softwareupdate binary manually to check and automatically install updates.
  • You do not require your users to "automatically install" macOS or App Store updates and are fine with simply alerting them only if they are missing any important updates.

Related Inventory Items

There are several pieces of Inventory related to macOS Software Update you might find interesting.

  • Software Update Settings - Provides you with the settings from the System Preferences > Software Update > Advanced... button modal window, for every Mac in your fleet.
  • Software Updates Pending - Provides you with a list of downloaded, but not yet installed, updates on every Mac in your fleet.
  • Package Install History Items - Gives you a breakdown of all of the packages and updates installed by the system. This includes updates applied via the App Store, the Software Update tool, macOS background updates, and third-party packages.

Additional Reading

While writing this Check, we found that many of our customers had a misconception around the "Install system data files and security updates" option in the Software Update advanced settings screen. Many thought this would automatically apply important macOS updates. In fact, the "security updates" part of this setting only ensures that certain built-in tools like XProtect, the Malware Removal Tool, and Gatekeeper receive updated definitions, which are downloaded and installed in the background. It will not automatically install security supplemental updates or patches to macOS itself.

You can read more about these background updates on Apple's support page.

New Check: Missing Device

There are occasions when an enrolled device might stop checking in to the Kolide application. These instances may include users uninstalling the agent, devices that are de-provisioned, or even technical difficulties that may prevent the agent from reporting data correctly.

In the past, the only way to find these MIA devices was by making clever use of the filters in Inventory to look for devices that have not been seen in 20 - 30 days. While this works, it also requires manual follow-up on a regular basis, and you cannot receive external notifications via the API or Slack when a device has gone missing. 

Today, we've shipped a new Check called Missing Device. This Check will enumerate all devices that have not checked in to Kolide in over 20 days. Like all of our Checks, this one is end-user notifiable, and can direct the user to troubleshooting steps they can use to re-install or repair the Kolide agent.

As a reminder, if you are Kolide administrator, you can visit the app's Device Privacy settings and configure the system to automatically delete devices and their corresponding data after 30 days of inactivity.

We hope this gives you and your team more visibility into the status of your devices. As always, let us know if you have any questions or suggested improvements regarding tracking the health of the agent.

New Check/Inventory: macOS Screenlock

At long last, we are excited to announce the most requested Check at Kolide–macOS Screenlock.

You can find this new check and configure notifications for it at https://k2.kolide.com/x/checks/75237/failures/open.

This check is comprehensive in that it not only checks if screenlock settings are configured correctly, it also ensures that the system will go to sleep or activate the screensaver after an appropriate amount of idle time.

To pass this Check on macOS, the following must be true:

  1. The require password after sleep or screensaver begins setting must be checked under the Security and Privacy pane in System Preferences
  2. The grace period dropdown next to this setting must be set to 5 minutes or less.
  3. Your system must be configured to sleep or activate the screensaver after 10 minutes of idle time, regardless of whether it is running on battery or directly connected to an electrical outlet.

These passing states were carefully chosen after reviewing the Center for Internet Security macOS guidelines and interviewing many of our customers about what values they thought struck a good balance between security and device usability.

New Inventory - Screenlock Configs

In addition, we have also exposed data about macOS screenlock configurations in Inventory. You can find this Inventory item at https://k2.kolide.com/x/inventory/mac_screenlock_configs.

In this Inventory Item we expose the following columns:

  • Screenlock Enabled - true if the require password after sleep or screensaver begins setting is checked under the Security and Privacy pane in System Preferences.
  • Screenlock Grace Period - The amount of time in seconds (or "Immediately") the computer can be asleep or the screensaver activated before a password is required to unlock the computer.
  • Minimum Effective Idle - The amount of time in seconds the computer must be idle before it either sleeps or activates the screensaver.
  • Display Sleep Idle A/C - The amount of time in seconds (or "Never") the computer must be idle while connected to power before the screen turns off.
  • Display Sleep Idle Battery - The amount of time in seconds (or "Never") the computer must be idle while running on battery power before the screen turns off.
  • Screensaver Idle - The amount of time in seconds (or "Never") the computer must be idle before activating the screensaver, based on the end-user's own preferences.
  • Screensaver Idle Last Modified At - The exact time (or NULL) at which the user last modified the screensaver idle time setting in the UI.
  • Screensaver Idle Managed - The amount of time in seconds (or NULL) the computer must be idle before activating the screensaver, based on a managed preference set by an administrator.
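Evaluating these Inventory columns against the pass conditions, as an added Python example that covers both this macOS Check and the Windows Screen Lock Disabled / Insecure Check described earlier (this is not Kolide's own check logic). The snake_case keys are our own names for the columns listed on this page, "Never"/NULL are treated as an infinite idle time, a managed screensaver idle overrides the user's, and the "regardless of power source" wording is read as: each of AC and battery must independently lock within the limit; the sample rows are constructed.

```python
import math
from typing import Union

Idle = Union[int, str, None]   # seconds, "Never"/"Immediately", or NULL

MAC_MAX_GRACE = 5 * 60   # macOS: grace period must be 5 minutes or less
MAC_MAX_IDLE = 10 * 60   # macOS: sleep or screensaver within 10 minutes
WIN_MAX_IDLE = 15 * 60   # Windows: sleep or screensaver within 15 minutes


def seconds(value: Idle) -> float:
    """Normalise an inventory idle value: "Never"/NULL -> infinity,
    "Immediately" -> 0, anything else -> integer seconds."""
    if value is None or value == "Never":
        return math.inf
    if value == "Immediately":
        return 0.0
    return float(value)


def mac_screenlock_failures(row: dict) -> list:
    """Apply the three macOS conditions to one mac_screenlock_configs row.
    Returns the list of failure reasons; an empty list means the Check passes."""
    failures = []
    if not row.get("screenlock_enabled"):
        failures.append("require password after sleep/screensaver is not enabled")
    if seconds(row.get("screenlock_grace_period")) > MAC_MAX_GRACE:
        failures.append("grace period exceeds 5 minutes")
    # An administrator's managed screensaver idle takes precedence over the user's.
    saver = row.get("screensaver_idle_managed")
    if saver is None:
        saver = row.get("screensaver_idle")
    for source in ("ac", "battery"):
        effective = min(seconds(row.get(f"display_sleep_idle_{source}")), seconds(saver))
        if effective > MAC_MAX_IDLE:
            failures.append(f"on {source} power the Mac stays unlocked longer than 10 minutes")
    return failures


def windows_screenlock_failures(row: dict) -> list:
    """Apply the two Windows conditions to one windows_screenlock_configs row."""
    failures = []
    locks_on_wake = bool(row.get("requires_password_on_wake_ac")
                         and row.get("requires_password_on_wake_battery"))
    if not (row.get("screensaver_lock_enabled") or locks_on_wake):
        failures.append("neither screensaver lock nor sign-in on wake is configured")
    for source in ("ac", "battery"):
        effective = min(seconds(row.get(f"device_sleep_idle_{source}")),
                        seconds(row.get("user_screensaver_idle")))
        if effective > WIN_MAX_IDLE:
            failures.append(f"on {source} power the PC stays unlocked longer than 15 minutes")
    return failures


# Constructed sample rows (not real inventory data).
MAC_ROW = {"screenlock_enabled": True, "screenlock_grace_period": "Immediately",
           "display_sleep_idle_ac": "Never", "display_sleep_idle_battery": 300,
           "screensaver_idle": "Never", "screensaver_idle_managed": 600}
WIN_ROW = {"screensaver_lock_enabled": False, "user_screensaver_idle": 1200,
           "requires_password_on_wake_ac": True, "requires_password_on_wake_battery": False,
           "device_sleep_idle_ac": 900, "device_sleep_idle_battery": "Never"}

if __name__ == "__main__":
    print("macOS  :", mac_screenlock_failures(MAC_ROW) or "pass")
    print("Windows:", windows_screenlock_failures(WIN_ROW) or "pass")
```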

The long journey to get this data

If you are curious why this Check was challenging to create or are interested in how we reverse-engineered macOS to accurately gather this information (and how we open-sourced it as a new virtual table in osquery), I suggest reading our write-up on our blog at https://blog.kolide.com/checking-macos-screenlock-remotely-62ab056274f0.

As always, let us know if you have any questions, concerns or feedback about this Check!
