Osctrl was originally released, as a performant TLS endpoint for osquery, with an initial set of features, such as modular components or file carving.

In the last year, there have been numerous releases, from 0.1.0 to 0.2.3, implementing additional features, bug fixes and all in all aiming at making it more efficient, reliable and user friendly.

Some time ago, a new component, the osctrl-api, was added with the intention of enabling the integration of osctrl with other systems, therefore allowing engineering teams to expand its functionality, which is sometimes not even in the original scope of the project.

Diagram of osctrl with the newly added api component

The initial implementation of osctrl-api followed the principles described in the great document written by Wim Remes from WireSecurity: the API Maturity Model. The focus of this tool is not only for the attention of security professionals but also to be used by development teams to ensure they are developing their own APIs with security in mind.

The osctrl-api component was critical to enable integration with other tools such as goquery, which was built independently by its own creators, yet then able to utilize the data and capabilities of osctrl.

Using goquery to query osctrl nodes

Very often security products do not realize the upside of offering flexible and powerful APIs. For instance, those empower security engineering teams to build tooling around their products. The perception goes from snake-oil-vendor as ‘I know nothing about how it works, but it works…sometimes’, to something that can be integrated with other solutions and systems.

Automation is one of the main objectives when building an api, which is not something that only Security engineering teams can benefit from. After all, operations teams can also utilize the visibility and monitoring that osctrl and osquery offers!

Automation is key

There is a lot of additional work left to be done for osctrl-api. More functionalities must be added and all in all, there is always room to improve its capabilities to enable even more integrations. And last but not least, documenting it all properly!

If you want more information about osctrl, visit https://osctrl.net or https://github.com/jmpsec/osctrl

Also find us in the #osctrl channel in the official osquery Slack community (Request an auto-invite!)

JMP Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store