Zach Zeid
11/22/2021, 9:17 PM
Mystery Incorporated
11/23/2021, 2:13 AM
go version
I get go version go1.17.3 linux/arm64
so go definitely exists. This only happened as of v4.6.1
Ted Dorosheff
11/23/2021, 1:35 PM
config:
  options:
    events_expiry: 60
    config_refresh: 600
    host_identifier: instance
    distributed_interval: 60
  decorators:
    load:
      - SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;
  file_paths:
    etc:
      - /etc/group
      - /etc/passwd
      - /etc/shadow
      - /etc/services
      - /etc/sudoers
      - /etc/ld.so.preload
      - /etc/ld.so.conf
      - /etc/ld.so.conf.d/%%
      - /etc/pam.d/%%
      - /etc/resolv.conf
      - /etc/modules
      - /etc/hosts
      - /etc/hostname
      - /etc/fstab
      - /etc/rsyslog.conf
    ssh:
      - /root/.ssh/%%
      - /home/%/.ssh/%%
      - /etc/ssh/%%
      - /var/lib/sia/keys/
      - /var/lib/sia/certs/
    logs:
      - /var/log/secure
    docker:
      - /etc/docker/%%
      - /etc/default/docker
      - /etc/docker/daemon.json
      - /usr/bin/containerd
      - /usr/sbin/runc
      - /etc/sysconfig/docker
      - /usr/lib/systemd/system/docker.service
      - /usr/lib/systemd/system/docker.socket
    osquery:
      - /etc/osquery/%%
      - /usr/share/osquery/packs/%%
    firewalls:
      - /etc/sysconfig/iptables
      - /home/y/conf/yakl/%%
      - /etc/yakl/conf/%%
overrides:
  platforms:
    windows:
      options:
        events_expiry: 60
        config_refresh: 600
        host_identifier: instance
        distributed_interval: 60
      decorators:
        load:
          - SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;
      file_paths:
        users:
          - C:\users\AppData\Roaming
          - C:\users\AppData\Local
          - C:\users\AppData\Local\temp
          - C:\users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
          - C:\users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
          - C:\Users\Default
        windows:
          - C:\Windows
          - C:\Windows\temp
          - C:\Windows\system32\Drivers
          - C:\Windows\SysWOW64\Drivers
          - C:\Windows\system32\GroupPolicy\Machine\Scripts
          - C:\Windows\system32\GroupPolicy\User\Scripts
          - C:\Windows\system32\Wbem
          - C:\Windows\SysWOW64\Wbem
          - C:\Windows\system32\WindowsPowerShell
          - C:\Windows\SysWOW64\WindowsPowerShell
          - C:\Windows\Tasks
          - C:\Windows\system32\Tasks
          - C:\Windows\AppPatch\Custom%
        ProgramData:
          - C:\ProgramData\Microsoft\Windows\Start Menu
          - C:\ProgramData\Microsoft\Windows\Start Menu\Programs
      exclude_paths:
        windows:
          - C:\Windows\system32\DriverStore\Temp\%
          - C:\Windows\system32\wbem\Performance%
          - C:\$WINDOWS.~BT\Sources\%
          - C:\Windows\Installer\%
          - C:\Windows\System32\Tasks\Adobe Acrobat Update Task%
          - C:\Windows\System32\Tasks\Adobe Flash Player Updater%
          - C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask%
And then after I hit submit, this is what the editor shows me:
config:
  options:
    events_expiry: 60
    config_refresh: 600
    host_identifier: instance
    distributed_interval: 60
  decorators:
    load:
      - >-
        SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
        hostname) as hostname FROM system_info;
  file_paths:
    etc:
      - /etc/group
      - /etc/passwd
      - /etc/shadow
      - /etc/services
      - /etc/sudoers
      - /etc/ld.so.preload
      - /etc/ld.so.conf
      - /etc/ld.so.conf.d/%%
      - /etc/pam.d/%%
      - /etc/resolv.conf
      - /etc/modules
      - /etc/hosts
      - /etc/hostname
      - /etc/fstab
      - /etc/rsyslog.conf
    ssh:
      - /root/.ssh/%%
      - /home/%/.ssh/%%
      - /etc/ssh/%%
      - /var/lib/sia/keys/
      - /var/lib/sia/certs/
    logs:
      - /var/log/secure
    docker:
      - /etc/docker/%%
      - /etc/default/docker
      - /etc/docker/daemon.json
      - /usr/bin/containerd
      - /usr/sbin/runc
      - /etc/sysconfig/docker
      - /usr/lib/systemd/system/docker.service
      - /usr/lib/systemd/system/docker.socket
    osquery:
      - /etc/osquery/%%
      - /usr/share/osquery/packs/%%
    firewalls:
      - /etc/sysconfig/iptables
      - /home/y/conf/yakl/%%
      - /etc/yakl/conf/%%
overrides:
  platforms:
    windows:
      options:
        events_expiry: 60
        config_refresh: 600
        host_identifier: instance
        distributed_interval: 60
      decorators:
        load:
          - >-
            SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
            hostname) as hostname FROM system_info;
      file_paths:
        users:
          - 'C:\users\AppData\Roaming'
          - 'C:\users\AppData\Local'
          - 'C:\users\AppData\Local\temp'
          - >-
            C:\users\AppData\Roaming\Microsoft\Windows\Start
            Menu\Programs\Startup
          - 'C:\users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
          - 'C:\Users\Default'
        windows:
          - 'C:\Windows'
          - 'C:\Windows\temp'
          - 'C:\Windows\system32\Drivers'
          - 'C:\Windows\SysWOW64\Drivers'
          - 'C:\Windows\system32\GroupPolicy\Machine\Scripts'
          - 'C:\Windows\system32\GroupPolicy\User\Scripts'
          - 'C:\Windows\system32\Wbem'
          - 'C:\Windows\SysWOW64\Wbem'
          - 'C:\Windows\system32\WindowsPowerShell'
          - 'C:\Windows\SysWOW64\WindowsPowerShell'
          - 'C:\Windows\Tasks'
          - 'C:\Windows\system32\Tasks'
          - 'C:\Windows\AppPatch\Custom%'
        ProgramData:
          - 'C:\ProgramData\Microsoft\Windows\Start Menu'
          - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'
      exclude_paths:
        windows:
          - 'C:\Windows\system32\DriverStore\Temp\%'
          - 'C:\Windows\system32\wbem\Performance%'
          - 'C:\$WINDOWS.~BT\Sources\%'
          - 'C:\Windows\Installer\%'
          - 'C:\Windows\System32\Tasks\Adobe Acrobat Update Task%'
          - 'C:\Windows\System32\Tasks\Adobe Flash Player Updater%'
          - >-
            C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask%
defensivedepth
11/23/2021, 1:38 PM
authconfig 6.2.8
The 3rd screencap shows that it was installed with the package authconfig-6.2.8-30.el7.src.rpm.
The changelog for that package can be found here: https://centos.pkgs.org/7/centos-x86_64/authconfig-6.2.8-30.el7.x86_64.rpm.html, in which we see the referenced vuln was fixed in package 6.2.8-26,
which means that this finding is a false positive.
This is a common occurrence for those 1763 vulnerabilities.
SK
11/23/2021, 3:12 PM
{"component":"crons","cron":"webhooks","details":"posting to <http://url>: Post \"<http://url>\": EOF","err":"triggering host status webhook","level":"error","ts":"2021-11-23T14:52:36.704843335Z"}
user
11/23/2021, 4:49 PM
Saulo Guilhermino
11/23/2021, 5:19 PM
Tomas Touceda
11/24/2021, 2:25 PM
Ryan
11/24/2021, 2:47 PM
Luis Teles
11/24/2021, 2:55 PM
Slackbot
11/25/2021, 12:29 PM
Rafael
11/25/2021, 2:36 PM
Stephan
11/29/2021, 4:36 AM
Has not run
Fleet 4.6.1
Osquery 4.0.1
I1128 20:27:36.493018 16757 scheduler.cpp:105] Executing scheduled query pack/system/cron-4171cea29024861e32427af268f8219ba91a5a85/crontab-4171cea29024861e32427af268f8219ba91a5a85
abraham linkolan
11/29/2021, 12:38 PM
Luis Teles
11/29/2021, 12:50 PM
Artem
11/29/2021, 3:06 PM
fleetctl vulnerability-data-stream --dir /opt/vulnerability/
Leonoor S
11/30/2021, 10:25 AM
Luis Teles
11/30/2021, 11:12 AM
jby
12/01/2021, 10:53 AM
Mystery Incorporated
12/02/2021, 5:07 AM
Ted Dorosheff
12/02/2021, 5:58 PM
SELECT action, category, old_path, path, file_attributes, time FROM ntfs_journal_events;
my agent config:
config:
  options:
    events_expiry: 60
    config_refresh: 600
    host_identifier: instance
    distributed_interval: 60
  decorators:
    load:
      - >-
        SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
        hostname) as hostname FROM system_info;
  file_paths:
    etc:
      - /etc/group
      - /etc/passwd
      - /etc/shadow
      - /etc/services
      - /etc/sudoers
      - /etc/ld.so.preload
      - /etc/ld.so.conf
      - /etc/ld.so.conf.d/%%
      - /etc/pam.d/%%
      - /etc/resolv.conf
      - /etc/modules
      - /etc/hosts
      - /etc/hostname
      - /etc/fstab
      - /etc/rsyslog.conf
    ssh:
      - /root/.ssh/%%
      - /home/%/.ssh/%%
      - /etc/ssh/%%
      - /var/lib/sia/keys/
      - /var/lib/sia/certs/
    logs:
      - /var/log/secure
    docker:
      - /etc/docker/%%
      - /etc/default/docker
      - /etc/docker/daemon.json
      - /usr/bin/containerd
      - /usr/sbin/runc
      - /etc/sysconfig/docker
      - /usr/lib/systemd/system/docker.service
      - /usr/lib/systemd/system/docker.socket
    osquery:
      - /etc/osquery/%%
      - /usr/share/osquery/packs/%%
    firewalls:
      - /etc/sysconfig/iptables
      - /home/y/conf/yakl/%%
      - /etc/yakl/conf/%%
overrides:
  platforms:
    windows:
      options:
        events_expiry: 60
        config_refresh: 600
        host_identifier: instance
        distributed_interval: 60
      decorators:
        load:
          - >-
            SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
            hostname) as hostname FROM system_info;
      file_paths:
        users:
          - 'C:\users\AppData\Roaming'
          - 'C:\users\AppData\Local'
          - 'C:\users\AppData\Local\temp'
          - >-
            C:\users\AppData\Roaming\Microsoft\Windows\Start
            Menu\Programs\Startup
          - 'C:\users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
          - 'C:\Users\Default'
        windows:
          - 'C:\Windows'
          - 'C:\Windows\temp'
          - 'C:\Windows\system32\Drivers'
          - 'C:\Windows\SysWOW64\Drivers'
          - 'C:\Windows\system32\GroupPolicy\Machine\Scripts'
          - 'C:\Windows\system32\GroupPolicy\User\Scripts'
          - 'C:\Windows\system32\Wbem'
          - 'C:\Windows\SysWOW64\Wbem'
          - 'C:\Windows\system32\WindowsPowerShell'
          - 'C:\Windows\SysWOW64\WindowsPowerShell'
          - 'C:\Windows\Tasks'
          - 'C:\Windows\system32\Tasks'
          - 'C:\Windows\AppPatch\Custom%'
        ProgramData:
          - 'C:\ProgramData\Microsoft\Windows\Start Menu'
          - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'
      exclude_paths:
        windows:
          - 'C:\Windows\system32\DriverStore\Temp\%'
          - 'C:\Windows\system32\wbem\Performance%'
          - 'C:\$WINDOWS.~BT\Sources\%'
          - 'C:\Windows\Installer\%'
          - 'C:\Windows\System32\Tasks\Adobe Acrobat Update Task%'
          - 'C:\Windows\System32\Tasks\Adobe Flash Player Updater%'
          - >-
            C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask%
@Mystery Incorporated helped with this before, if you could just give me another look that would be much appreciated. I'm really lost.
user
12/02/2021, 7:58 PM
Tor Houghton
12/03/2021, 12:52 PM
Tor Houghton
12/04/2021, 12:17 AM
Tor Houghton
12/04/2021, 12:18 AM
Flngen Flugen
12/04/2021, 1:45 PM
Tor Houghton
12/04/2021, 10:22 PM
koo
12/06/2021, 10:21 AM
Luis Teles
12/07/2021, 3:40 PM
wtheaker
12/07/2021, 7:27 PM