How to List /etc/hosts Entries Across All Mac, Windows, and Linux Devices
Using Kolide, you can easily view and query /etc/hosts Entries across your fleet.
The /etc/hosts file is a local hostname-to-IP lookup that a device consults before it queries DNS, so it decides where network traffic is sent when a given host is contacted. Modifications can be made to reroute traffic from one intended destination to another; for example, to prevent communication with a given domain you could add a rule like:
This approach is sometimes used by malware authors to do things like hijacking a search provider. For example, malware might add an entry like:
This would reroute the browser, when navigating to google.com, to the attacker's fake Google search page instead, which they could then use for phishing attacks or obnoxious adware purposes.
By default the /etc/hosts file will have the following configurations:
Linux:
127.0.0.1 localhost
127.0.1.1 hostname.fqdn.example.com
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Mac:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

Windows: Empty (No entries)
What /etc/hosts Entry Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect /etc/hosts Entries from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
/etc/hosts Entries Schema
Unique identifier for the object
Device associated with the entry
Display name of the device associated with the entry
IP address mapping
Raw hosts mapping
Time the row of data was first collected in the database
Time the row of data was last changed in the database
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find devices whose hosts file contains entries for collaboration services (Hangouts, Zoom, Slack), which should normally resolve through DNS:

SELECT device_name, hostnames, address
FROM device_etc_hosts
WHERE hostnames ILIKE '%hangouts.google.com%'
   OR hostnames ILIKE '%zoom.us%'
   OR hostnames ILIKE '%slack.com%'

List Adobe-related entries, truncating long hostname lists so the report stays readable:

SELECT device_name,
       CASE WHEN LENGTH(hostnames) > 63
            THEN CONCAT(SUBSTRING(hostnames, 1, 64), '...')
            ELSE hostnames
       END AS hostnames_truncated,
       address
FROM device_etc_hosts
WHERE hostnames ILIKE '%adobe%'
Why Should I Collect /etc/hosts Entries?
Because the /etc/hosts file can be used by malware to reroute intended web traffic to a malicious website, it is important for security teams to be able to review and audit modifications to the /etc/hosts file on devices.
The /etc/hosts file can also indicate situations where software licensing activation is being bypassed, which can be cause for concern due to the increased likelihood of fines by the software publisher, or of infection with malware bundled with the license-cracking utility.
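The two tampering patterns described on this page (a well-known host redirected to another machine, and a vendor host sinkholed to the device itself) can be separated mechanically once the file is parsed. The following is an added example, not Kolide's code: it parses hosts-file text, treats the stock entries listed above as the baseline, and labels everything else as "redirect" (routable address), "sinkhole" (loopback or unspecified address) or "malformed". The sample file, the activation.example.com hostname and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, NamedTuple
# Hostnames that the stock hosts files listed on this page map by default.
DEFAULT_HOSTNAMES = frozenset({
    "localhost", "broadcasthost", "ip6-localhost", "ip6-loopback",
    "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
})
class HostsEntry(NamedTuple):
    address: str
    hostnames: tuple
    verdict: str  # "default", "sinkhole", "redirect" or "malformed"

def classify(address: str, names: Iterable[str], allowed: frozenset) -> str:
    """Label one mapping: stock entry, host blocked, or traffic diverted."""
    if all(n in allowed for n in names):
        return "default"
    try:
        ip = ipaddress.ip_address(address.split("%", 1)[0])  # drop IPv6 scope id
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"  # name points at the device itself: that host is blocked
    return "redirect"      # name points at another machine: traffic is diverted

def parse_hosts(text: str, device_hostnames: Iterable[str] = ()) -> List[HostsEntry]:
    """Parse hosts-file text; device_hostnames covers the 127.0.1.1 self-entry."""
    allowed = DEFAULT_HOSTNAMES | frozenset(device_hostnames)
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a comment runs to end of line
        if not line:
            continue
        address, *names = line.split()
        verdict = classify(address, names, allowed) if names else "malformed"
        entries.append(HostsEntry(address, tuple(names), verdict))
    return entries

def suspicious_entries(text: str, device_hostnames: Iterable[str] = ()) -> List[HostsEntry]:
    """Everything that is not a stock entry: the rows a reviewer should look at."""
    return [e for e in parse_hosts(text, device_hostnames) if e.verdict != "default"]

# Constructed sample: the first three lines are the stock Linux entries from this page.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 hostname.fqdn.example.com
::1 ip6-localhost ip6-loopback
203.0.113.10 google.com www.google.com  # constructed: search provider hijack
127.0.0.1 activation.example.com        # constructed: license server sinkholed
"""
```

Running suspicious_entries(SAMPLE_HOSTS, ["hostname.fqdn.example.com"]) returns only the two constructed lines, labelled "redirect" and "sinkhole" respectively; the device's own hostname must be passed in, or the Linux 127.0.1.1 self-entry is reported as a sinkhole.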
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
Pirated software is sometimes packaged with utilities that modify the /etc/hosts file to prevent communication with license validation tools and update services. The presence of certain entries in your /etc/hosts file could indicate to an administrator that you are running pirated software.
For example if an entry like the following existed:
It would be a likely indicator that at some point your device had a pirated installation of an Adobe product, and that its activation service was prevented from communicating with your device.
When you use Kolide to list /etc/hosts Entry data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which employees can access through their Slack or Google Workspace account.