Security of the Secfix Agent
Written by Fabiola Munguia
Updated over a week ago

The Secfix Agent is a tool created by Secfix that can be installed on your employees' computers to monitor security compliance. The agent is based on osquery, an open-source project maintained and vetted by the Linux Foundation.

The Secfix Agent is read-only, which means it will not change anything on your devices; its functionality is limited to reading data. Secfix deploys a modified version of osquery that does not include the tables we consider dangerous. Secfix does not read sensitive information such as passwords, emails, or browsing history.

Secfix has selected a subset of the queries that osquery provides that are relevant for compliance monitoring. These queries are published to your machines from Secfix servers.

Secfix uses Docker Notary to distribute binaries, which is the same technology that secures Docker Hub. An unauthorized update would require physical and logical access to multiple independent systems. To further decrease the likelihood of such an attack, Secfix takes precautions like requiring disk encryption and MFA access to third-party services.

The major components of the Secfix Agent infrastructure have been penetration tested by the NCC group:

FAQ

Can Secfix Agent’s osquery read passwords and credentials saved in shell (environment variables)?

  • Our agent is a lightweight version of osquery. With the queries currently implemented, it cannot query anything but the following controls: operating system version, operating system type, hard drive encryption, screensaver locking, antivirus software, password manager, list of applications, packages installed on the PC, and list of browser extensions.

  • If your employees are skeptical about using an osquery daemon because they think it might read the credentials from their shell:

    • Temporary variables: the osquery daemon does not have access to every shell session, so if an employee temporarily sets credentials as environment variables in a shell session, osquery cannot read them.

    • Permanent variables: if your employees store credentials as permanent environment variables in their shell and that is the reason for not using the agent, it is a red flag in your Secure Development controls and a potential non-conformity in your compliance program. If their PC gets hacked, such variables are low-hanging fruit for obtaining your credentials. That is why it is also important for remote employees using private laptops for development to work securely, not only for employees in your office.

🚨 It is considered poor information security practice to store passwords as permanent environment variables in a shell or in any config file (unless the passwords are encrypted before they are stored). Passwords should be stored in a vault, ideally a password manager, as suggested in your password policy.
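To make the "limited set of controls" concrete, here is an added example (not Secfix's own code) that expresses four of the controls listed above as read-only osquery SQL and evaluates constructed result rows into pass/fail. The queries use standard osquery tables (os_version, disk_encryption, screenlock, apps); the thresholds, the password-manager product names and the sample rows are assumptions, not values from Secfix.

```python
"""Compliance controls as read-only osquery SQL, evaluated on sample rows.

Added example, not Secfix's own code. Queries target standard osquery
tables; thresholds and product names are assumptions, and RESULTS below
is constructed, not captured from a real host.
"""
from typing import Callable

# Assumed list of password-manager bundle names to look for in `apps`.
PASSWORD_MANAGERS = {"1Password.app", "Bitwarden.app", "KeePassXC.app"}

# Control name -> (osquery SQL, pass/fail rule over the returned rows).
# osquery returns every column as a string, so values are converted here.
CONTROLS: dict[str, tuple[str, Callable[[list[dict]], bool]]] = {
    "os_version": (
        "SELECT name, version FROM os_version;",
        # Assumed baseline: macOS 13 or newer.
        lambda rows: tuple(int(p) for p in rows[0]["version"].split(".")) >= (13,),
    ),
    "disk_encryption": (
        "SELECT name, encrypted FROM disk_encryption;",
        lambda rows: any(r["encrypted"] == "1" for r in rows),
    ),
    "screen_lock": (
        "SELECT enabled, grace_period FROM screenlock;",
        # Lock enabled and required within 5 minutes (assumed threshold).
        lambda rows: rows[0]["enabled"] == "1" and int(rows[0]["grace_period"]) <= 300,
    ),
    "password_manager": (
        "SELECT name FROM apps;",
        lambda rows: any(r["name"] in PASSWORD_MANAGERS for r in rows),
    ),
}


def evaluate(results: dict[str, list[dict]]) -> dict[str, bool]:
    """Apply each control's rule; a missing or empty result set fails."""
    verdicts = {}
    for name, (_sql, rule) in CONTROLS.items():
        rows = results.get(name, [])
        verdicts[name] = bool(rows) and rule(rows)
    return verdicts


# Constructed osquery output (string values, as osquery emits them).
RESULTS = {
    "os_version": [{"name": "macOS", "version": "14.4.1"}],
    "disk_encryption": [{"name": "/dev/disk3s1", "encrypted": "1"}],
    "screen_lock": [{"enabled": "1", "grace_period": "600"}],  # too slow
    "password_manager": [{"name": "Safari.app"}, {"name": "1Password.app"}],
}

if __name__ == "__main__":
    for control, ok in evaluate(RESULTS).items():
        print(f"{control:18s} {'PASS' if ok else 'FAIL'}")
```

Running the script reports the screen-lock control as failing because the constructed grace period (600 s) exceeds the assumed 300 s limit, while the other three pass.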

How does Secfix protect a started osquery process from 3rd party access?

  • Secfix is ISO 27001 compliant and has implemented over 120 security controls. Here are the most important controls securing our agents:

    • The Secfix agent is an osquery daemon that communicates with our fleet server. Only one-way communication, from the osquery daemon to our fleet server, is possible, so no external party can access the osquery daemon.

    • Our fleet server URL is passed to our agent and to the osquery daemon at the time we build the installer for the agent.

    • Before any communication with the fleet server, the osquery daemon has to enroll with it using the enrolment token that we embed at the time we generate the installer for the agent.

    • All communication with the fleet server is encrypted with TLS, using a domain-validated (DV) SHA-256 certificate.

    • All agent builds are signed with, and verified against, Apple and Microsoft certificates. We are a verified Development Partner of Apple and Microsoft.

    • Access to our critical infrastructure is secured with MFA.

Some employees are using private laptops and they don’t want to install the Agent on their devices. What should I do?

There are 3 options if an employee is using a personal device and doesn’t want to install the agent:

Option 1: Implement a Mobile Device Management Solution

The Secfix Agent has READ ONLY access, which means it will not change anything on your machines. It is based on osquery, which is well established and secure. The alternative is to buy a Mobile Device Management (MDM) solution like Jamf or JumpCloud. However, osquery is in fact much better at collecting "evidence" than most MDM tools are. Almost every MDM tool is missing at least one of the required queries, so you would need to do part of the monitoring manually. This defeats the purpose of using the agent and reduces automation.

Option 2: Enforce it in your BYOD Policy

You should enforce it in your BYOD policy (see: POL-04 Information Security & Acceptable Use Policy), because the company is allowed to require it. If employees want to use their own device, they also need to understand that they will be accessing company data from it. For that, there are security measures they must follow (such as installing antivirus software, encrypting the hard disk, etc.).

If they are still against it, they should simply not use a personal device for work, since doing so only puts the company at risk. Providing them with a company device avoids all of this.

Option 3: Track the endpoint security evidence manually on a regular basis

If it is only 1 or 2 employees, you can still track it manually. They need to consent to sending you evidence at least once a month for the following policies: antivirus is installed, a password manager is installed, screen lock is enabled, and the hard disk is encrypted. Be aware that this option is not recommended, because you have to trust that the employee is really implementing all of this, and if you grow to 100 or 200 employees, it becomes much harder to track.
