@seph are you doing something with the repo you created for releases? https://github.com/osquery/packaging-tools

There was a request for that a while back (to have it be INFO), I think from doorman to log the queries being run on someone’s host so they could personally audit it

Also, should we push 4.2.0 to the Linux repos? Seems like a good day to do so

I also saw a few 500s when browsing around other repos

Have you already removed it?

Yeah, I assume this got accidentally enabled. NBD, it’s only my typo PR that’s rebuilding. TBH it’s probably fine to just turn it off. the merge conflict stuff is usually good enough

Though, reading the implementation… 1. I’m not convicned the database files should be writable by the osquery group 2. umask in the init script feels weird. Can we do this in the code?

Are there any plans to bring

process_file_events

and

socket_events

to macOS and Windows?

@sundsta for process_file_events on Windows, take a look at this article: https://twitter.com/trailofbits/status/1239509917196865537

Today CI triggers work again

Was there any more discussion around how to monitor performance on non scheduled queries? Ref: https://github.com/osquery/osquery/issues/6111

to better debug this I think you want to move the

fd.hasSafePermissions()

call here: https://github.com/osquery/osquery/blob/a9770451c527eba4cf321fe23c5306beff6ac20b/osquery/filesystem/filesystem.cpp#L527 outside the if, store the status and print

status.getMessage()

in VLOG(), because the function returns a message with the failure case, but it's currently ignored

mmm the checklist says otherwise (we should correct it if so), though for a test package I think it can be ok if it's not tagged, the SHA is not embedded somewhere and the tag itself doesn't change anything in the build afaik

Can we merge https://github.com/osquery/osquery/pull/6378 before tagging?

as long as we’re asking for merges, can I get an official review on https://github.com/osquery/osquery/pull/6352? Not sure why the linux builds aren’t working either 🤷‍♂️

I know. I find that checklist to be incomplete, and because I wanted richer notes than really fit in a checklist, I made that gist. It expanded on one from Teddy. I should probably check it all in somewhere

And here's the changelog, took indeed a while to do, but lots of good stuff: https://github.com/osquery/osquery/pull/6387 Feel free to request moving things around/rewording 😄.

@theopolis, @seph About the release packages for 4.3.0: I'm not sure I understood what procedure we want to follow. I have access to all the platforms to prepares some packages pre-tag to be tested, do you want me to?

@theopolis Here are the packages to sign, I've also corrected the package names of the debug ones, like we normally do, and added the tar.gz.

Hey gang, as promised here's the windows packages, I currently have the MSI running locally, but I'd really appreciate someone with a remote TLS setup doing a more thorough testing of the binary as I don't have a good way to test the full flow.

I’ve notarized the mac package at https://pkg.osquery.io/darwin/osquery-4.3.0.pkg

It seems like the watchdog logic continues to cause unexpected behavior from a high level “how this this all work” perspective. Thoughts on disabling it by default and at the same time emitting a warning that it is off with a link to how to turn it on (a flag) and the implications?

Hey Gang, wanted to give y'all a heads up, and really sorry this is coming so late. I meant to do this two office hours ago but didn't get a good chance to, and missed last due to a meeting conflict. I've left Facebook and am now at Apple. I've spoken with my manager about my role in this community, and the impression I've gotten is that I'm ok to still take part on the council, at least from an advisory capacity, however I wont be able to contribute code back to the project for the moment. I still intend to ship my remaining PRs that I've got inflight as these started well before my time at Apple, but I'll need to sort things out internally before I can contribute again. Sorry for not bringing this up earlier, I'd still like to be as involved with the community as possible, and I'm happy to talk about this at the next OH, but I wanted to make sure I dropped a note to TSC and let y'all know as I feel I should've brought this up earlier.

hey everyone, I posed a question over in #windows but i think it might be better suited for this channel: https://osquery.slack.com/archives/C0FHNQ2N6/p1589387839132000

@Stefano Bonicatti I am working on a new table that uses a macOS API that only returns data for the current user only. If osquery is running as a daemon, the current user is usually root, which causes the returned data to not be useful. So what I was thinking of doing was when I need to run my code, to fork the osquery process, then in the new process drop privileges into the specified user from the query context, run the query, and then use some kind of IPC mechanism to get the data back to the parent osquery process and then kill the child. It seems https://github.com/osquery/osquery/pull/6209 does some similar things. Do you think copying these patterns is the way to go or is there a better way in your opinion to accomplish the above?

@groob @alessandrogario

1. Whether the EndpointSecurity Client must be a system extension?

My understanding is that EndpointSecurity require that clients run as root and have the entitlement, meaning there’s no specific requirement that the client be a system extension. This is in contrast to other subsystems, like system-wide NetworkExtensions, which must be packaged as system extensions.

What's everyone's feeling on setting a date for https://github.com/osquery/osquery/milestone/49 ?

We updated terminology to allow|deny list. That landed in 3 PRs. I opted to combine that into 1 changelog, since I think it’s more meaningful to read

Update language to use 'allow list' and 'deny list'

, than the details spread over 3 PRs.

I would think that the idea is to support both the "quick glance to see if it's worth updating" and also "let's look if my specific issue has been fixed"

Hi Shan, welcome, heads up please do not post/link the same question into multiple channels. Please be mindful that asking questions on the weekend might not get engagement quickly -- and if you are not getting a response after several days consider asking your question again with more details.