Osquery | General

Channels

general

Hugh (Zercurity)
11/22/2022, 3:54 PM
@Brandon Mesa pretty much. The only major issue is apple signing and notarization and if you want to sign windows packages correctly there's a whole process you need to go through. However, re-packaging and deploying on a corporate network is pretty straight forward.
b
s
6 replies · 3 participants
Hugh (Zercurity)
11/22/2022, 3:55 PM
https://zercurity.medium.com/building-packages-on-aws-lambda-c820ffea24a this is a post I wrote on how we package on Osuqery
j
Jarod Reyes
11/22/2022, 6:37 PM
👋
w
wennan.he
11/22/2022, 8:59 PM
Hi osquery team, any update for https://osquery.slack.com/archives/C08V7KTJB/p1668809882785799, and i would like to know if we want to setup mem restriction with min/max threshold, what is the expected val?
w
wennan.he
11/23/2022, 12:40 AM
Hi osquery team, does the explanation shown below mean osqueryd is only allocated with 200 mb if don't set --watchdog_memory_limit?
1 reply · 2 participants

Nhat Truong

11/24/2022, 6:27 AM

Hello, i'm setup a fleet-server with docker compose. I be stucked at error

fleet-sv    | {"component":"redis","level":"info","mode":"standalone","ts":"2022-11-24T06:25:47.483252226Z"}
fleet-sv    | Failed to start: initializing osquery logging: create filesystem status logger: perm check: open /logs/osqueryd.status.log: permission denied

1 reply · 2 participants

n
Nhat Truong
11/24/2022, 6:28 AM
can i do next, please?

Nhat Truong

11/24/2022, 6:28 AM

my docker-compose

volumes:
      - ./osquery:/fleet/
      - ./logs:/logs/
      - ./vulndb:/vulndb/

j
Jshi
11/24/2022, 9:15 AM
I get error when build in MacOS, can anybody know how to fix this? [ 52%] Building CXX object plugins/config/parsers/CMakeFiles/plugins_config_parsers.dir/feature_vectors.cpp.o/Users/shijunyan/Documents/code/osquery/osquery/events/darwin/endpointsecurity.cpp:102:35: error: no member named 'global_seq_num' in 'es_message_t' ec->global_seq_num = message->global_seq_num; ~~~~~~~ ^ 1 error generated. make[2]: * [osquery/events/CMakeFiles/osquery_events.dir/darwin/endpointsecurity.cpp.o] Error 1 make[2]: * Waiting for unfinished jobs.... [ 52%] Building CXX object osquery/tables/utility/CMakeFiles/osquery_tables_utility_utilitytable.dir/file.cpp.o [ 52%] Building CXX object libs/src/aws-sdk-cpp/CMakeFiles/thirdparty_aws-cpp-sdk-ec2.dir/src/aws-sdk-cpp/aws-cpp-sdk-ec2/source/model/CreateInstanceExportTaskResponse.cpp.o [ 52%] Building CXX object plugins/config/parsers/CMakeFiles/plugins_config_parsers.dir/file_paths.cpp.o [ 52%] Building CXX object osquery/carver/CMakeFiles/osquery_carver.dir/carver.cpp.o [ 52%] Building CXX object libs/src/aws-sdk-cpp/CMakeFiles/thirdparty_aws-cpp-sdk-ec2.dir/src/aws-sdk-cpp/aws-cpp-sdk-ec2/source/model/CreateInternetGatewayRequest.cpp.o/Users/shijunyan/Documents/code/osquery/osquery/events/darwin/endpointsecurity_fim.cpp:160:35: error: no member named 'global_seq_num' in 'es_message_t' ec->global_seq_num = message->global_seq_num; ~~~~~~~ ^ 1 error generated. make[2]: * [osquery/events/CMakeFiles/osquery_events.dir/darwin/endpointsecurity_fim.cpp.o] Error 1 make[1]: * [osquery/events/CMakeFiles/osquery_events.dir/all] Error 2 make[1]: * Waiting for unfinished jobs....
s
11 replies · 2 participants
w
wennan.he
11/25/2022, 4:33 AM
Hi osquery team, does osquery generate any processes in any case?
1 reply · 2 participants
n
Nick Leffler
11/25/2022, 9:11 PM
Thanks for the awesome software. For install osquery I ended up creating a new systemd unit with the switches mentioned in the documentaion. I was curious if that was required or if running the command first does the normal systemd unit take those options. Also if that a no and I need to keep my custom systemd unit to I need to keep the
enroll_secret_path
switch or does it only require the key to be sent the first time
s
1 reply · 2 participants
n
Nick Leffler
11/25/2022, 10:41 PM
Nevermind on my question. I learned about orbit. Makes it much easier.
s
Subash Rajaa
11/28/2022, 6:14 AM
Team, I want to open a PR for the issue https://github.com/osquery/osquery/issues/7802, need push access for user "srajaa"
s
Subash Rajaa
11/28/2022, 6:14 AM
C:\Source\osquery>git push --set-upstream origin1 fflush-consolebuufer-ungraceful-exit remote: Permission to osquery/osquery.git denied to srajaa. fatal: unable to access 'https://github.com/osquery/osquery.git/': The requested URL returned error: 403
Stefano Bonicatti
11/28/2022, 8:38 AM
Hello @Subash Rajaa, you should be forking the osquery repository, commit your work in a separate branch (not master) on your own repository, and then you can open a PR in the upstream repository, which points to your branch.
s
21 replies · 2 participants
a
allister
11/28/2022, 2:36 PM
Is anyone aware/looking into auditing what appears to be a new filesystem manifestation of firefox addons that put bundles on the Mac like
/Users/USER/Library/Application Support/Firefox/Profiles/k5wvl3gs.default-release/storage/default/https+++totp.app
?
a
allister
11/28/2022, 2:42 PM
I'm seeing literally hundreds of these paths, sometimes dozens per user with the same e.g.
<http://csb.app|csb.app>
end to the path with a hash-looking random 6 character prefix on the basename, e.g.:
w
wennan.he
11/28/2022, 6:43 PM
Hi osquery team, does osquery generate any processes in any case?
j
19 replies · 3 participants
n
Naufal Jamal
11/30/2022, 6:48 PM
hello osquery team, i have a question in setup.py file. The host where i am trying to deploy this doesn't have internet. while running
sudo python setup.py install
its contacting internet to fetch these packages and just gets stuck. these packages are already in the host. how do i avoid fetching these packages from outside? currently my install stops at
Searching for argparse>=1.1 Reading <https://pypi.python.org/simple/argparse/>

install_requires=[ "thrift>=0.10", "argparse>=1.1", "future", ],
p
peanut butter
11/30/2022, 6:48 PM
I want to change the yara.cpp source code, and I want to use the curl library, and for that I need to include some libraries, and I'm new to cmake. so should add the libs to the cmake.txt yara folder or to the the main cmake.txt?

Naufal Jamal

11/30/2022, 10:06 PM

hello could someone please help with this error

>>> import osquery
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "build/bdist.linux-x86_64/egg/osquery/__init__.py", line 33, in <module>
  File "build/bdist.linux-x86_64/egg/osquery/config_plugin.py", line 16, in <module>
  File "build/bdist.linux-x86_64/egg/osquery/extensions/ttypes.py", line 9, in <module>
ImportError: No module named thrift.Thrift
>>>

s
Sandeep
12/01/2022, 1:25 AM
Hello team, I am new to OSQuery, I wanted to check if there are OSQuery APIs which can be invoked from a .net application. I am looking to get the process performance metrics such as CPU/memory etc... using OSQuery via an existing .net application.

Naufal Jamal

12/01/2022, 11:43 AM

facing this error. help appreciated

(osqueryvenv) python3 ./osquery_lldp_extension.py --socket /export/home/njamal/.osquery/shell.em
Traceback (most recent call last):
  File "./osquery_lldp_extension.py", line 25, in <module>
    @osquery.register_plugin
AttributeError: module 'osquery' has no attribute 'register_plugin'

a
Anoop K V
12/02/2022, 10:37 AM
Hi Team, We currently run Osquery 4.8.0 and planning for an upgrade. Wants to know the best stable build. We are looking to go for 5.5.1, any feedbacks here w.r.t 5.5.1?
2 replies · 2 participants
Mo Zhu
12/02/2022, 6:47 PM
Hey all, I saw that 5.6.0 released! will we update the schema on the site soon too? https://github.com/osquery/osquery-site/tree/source/src/data/osquery_schema_versions
1 reply · 2 participants
k
Kunal
12/05/2022, 4:03 PM
Hi, Is there a way I can query for file-modification events which also gives the name of the process (or pid) which modified it ? I want this on windows platform. Thanks
r
Reza Kazemy
12/05/2022, 4:41 PM
Hi. How can I check if a password has been set for a system in windows or macOS client with osquery?? I would appreciate it if someone can help me find a related query.
3 replies · 2 participants