I want to restrict the Windows 10 machines we use at school during break time. Students are breaking computers. Can Fleet manage devices? Example: The PC was forgotten to be turned on remotely, let me turn it off with Fleet.

Welcome!

GrepCaffeine

joined #general.

[osquery:master] 1 new commit by Zach Wasserman:

<https://github.com/osquery/osquery/commit/89ccf14ef01bb4ef0d618732082335df8f3015ad|89ccf14ef01bb4ef0d618732082335df8f3015ad>

Remove atom_packages table (#8181) - Zach Wasserman

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/e666542bef5f7be5dc4ce7ba4f344594726d38d9|e666542bef5f7be5dc4ce7ba4f344594726d38d9>

docs: Correct link to a PR in the 4.7.0 changelog (#8186) - Stefano Bonicatti

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/ac174deee3f7e902a7abc817c602550eada3c112|ac174deee3f7e902a7abc817c602550eada3c112>

ci: Correct job order (#8185) - Stefano Bonicatti

Welcome!

thinh nguyen

joined #general.

Hi everyone 👋 From linux/apt_sources.cpp the apt sources seem to be missing information from files with the

.sources

extension. Osquery is only collecting data from

/etc/apt/sources.list

and

/etc/apt/sources.list.d/%.list

. Is there a reason for that or am I missing something?

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/904409ebd7aa72397870c1cb8b861b78369ba994|904409ebd7aa72397870c1cb8b861b78369ba994>

process_open_sockets: Mark pid column as additional instead of index (#8191) - Stefano Bonicatti

Assuming i otherwise have eventing enabled, and can pull user_events and es_process_events and auditd is set up right… is there a reason socket_events might be completely unpopulated? (This is on macOS)

Unrelated question, does osquery pull in the full set of ES events?

Or just literally the process_event types… ie, not any of the notify types (like login/authorization?)

Hi guys, Need help for setup of osquery. We have got a problem with a huge traffic to our infra when our endpoint /api/v1/logger is failed for any reasons. Does it have settings or flags for controlling failed retries attempts? We got a 1.5Gbit/sec traffic from 5k machines just for 1 hour and this load was increasing. Thanks in advance.

Hi, I do not find anything in Osquery schema tables to get Windows User Rights Assignment applied on computers https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment . This is helpful to get users with debug privs/load drivers/allow batch run, .... Did I miss something ? Thank you !

Anyone actively using Binalyze/B!nalyze and making use of their OSQuery implementation? Trying to see if it there is much crossover with a fleet deployment thats mainly used for inventory. Only docs i could find were a list of query templates https://kb.binalyze.com/air/features/triage/triage-rule-templates/osquery-templates

Welcome!

Scott Bonar

joined #general.

Anyone know how to resolve this error when building osquery?

no template named 'unary_function' in namespace 'std'

Not sure if this is because of recent changes in osquery, dependencies, or macOS (I'm on a different machine from usual, this one is an M2 on macOS 14.1.1)

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/222991a15b4ae0a0fb919e4965603616536e1b0a|222991a15b4ae0a0fb919e4965603616536e1b0a>

build: Temporary workaround to build with XCode 15 (#8197) - Stefano Bonicatti

Welcome!

Predrag Tasevski

joined #general.

Hello!osquery does not work. Writes nothing to the log.Error reading config: Error parsing the config JSON C:\Program Files\osquery>osqueryi --verbose I1124 10:09:31.306763 3892 init.cpp:413] osquery initialized [version=5.10.2] I1124 10:09:31.322425 3892 dispatcher.cpp:78] Adding new service: UsersService (00000249448AF560) to thread: 7356 (00000249448E7170) in process 7376 I1124 10:09:31.322425 3892 dispatcher.cpp:78] Adding new service: GroupsService (00000249448AE790) to thread: 1948 (00000249448477B0) in process 7376 I1124 10:09:31.322425 3892 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: \Program Files\osquery\extensions.load I1124 10:09:31.337944 1948 groups_service.cpp:55] Groups cache initialized I1124 10:09:31.337944 7356 users_service.cpp:149] Users cache initialized I1124 10:09:31.337944 3892 dispatcher.cpp:78] Adding new service: ExtensionWatcher (00000249448175E0) to thread: 484 (00000249465D0800) in process 7376 I1124 10:09:31.353600 3892 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (00000249465F2E00) to thread: 7400 (00000249465D0580) in process 7376 I1124 10:09:31.353600 7400 interface.cpp:299] Extension manager service starting: \\.\pipe\shell.em I1124 10:09:31.369115 3892 auto_constructed_tables.cpp:99] Removing stale ATC entries E1124 10:09:31.369115 3892 config.cpp:879] updateSource failed to parse config, of source: \Program Files\osquery\osquery.conf and content: { // Configure the daemon below: "options": { // The log directory stores info, warning, and errors. // If the daemon uses the 'filesystem' logging retriever then the log_dir // will also contain the query results. "logger_path": "C:\Program Files\osquery\log", // Set 'disable_logging' to true to prevent writing any info, warning, error //logs. If a logging plugin is selected it will still write query results. "disable_logging": "false", // Splay the scheduled interval for queries. // This is very helpful to prevent system performance impact when scheduling // large numbers of queries that run a smaller or similar intervals. "schedule_splay_percent": "10", }, // Define a schedule of queries: "schedule": { // This is a simple example query that outputs basic system information. "system_info": { // The exact query to run. "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;", // The interval in seconds to run this query, not an exact interval. "interval": 90 } }, // Decorators are normal queries that append data to every query. "decorators": { "load": [ "SELECT uuid AS host_uuid FROM system_info;", "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;" ] }, // Add default osquery packs or install your own. // // There are several 'default' packs installed via // packages and/or Homebrew. // // Linux: /opt/osquery/share/osquery/packs // OS X: /var/osquery/packs // Homebrew: /usr/local/share/osquery/packs // make install: {PREFIX}/share/osquery/packs // "packs": { // "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf", // "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf", // "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf", // "osx-attacks": "/var/osquery/packs/osx-attacks.conf", // "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf", // "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf", // "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf", // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf", // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf" }, // Provides feature vectors for osquery to leverage in simple statistical // analysis of results data. // // Currently this configuration is only used by Windows in the Powershell // Events table, wherein character_frequencies is a list of doubles // representing the aggregate occurrence of character values in Powershell // Scripts. A default configuration is provided which was adapted from // Lee Holmes cobbr project: // https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187beee6 // "feature_vectors": { "character_frequencies": [ 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.00045, 0.01798, 0.0, 0.03111, 0.00063, 0.00027, 0.0, 0.01336, 0.0133, 0.00128, 0.0027, 0.00655, 0.01932, 0.01917, 0.00432, 0.0045, 0.00316, 0.00245, 0.00133, 0.001029, 0.00114, 0.000869, 0.00067, 0.000759, 0.00061, 0.00483, 0.0023, 0.00185, 0.01342, 0.00196, 0.00035, 0.00092, 0.027875, 0.007465, 0.016265, 0.013995, 0.0490895, 0.00848, 0.00771, 0.00737, 0.025615, 0.001725, 0.002265, 0.017875, 0.016005, 0.02533, 0.025295, 0.014375, 0.00109, 0.02732, 0.02658, 0.037355, 0.011575, 0.00451, 0.005865, 0.003255, 0.005965, 0.00077, 0.00621, 0.00222, 0.0062, 0.0, 0.00538, 0.00122, 0.027875, 0.007465, 0.016265, 0.013995, 0.0490895, 0.00848, 0.00771, 0.00737, 0.025615, 0.001725, 0.002265, 0.017875, 0.016005, 0.02533, 0.025295, 0.014375, 0.00109, 0.02732, 0.02658, 0.037355, 0.011575, 0.00451, 0.005865, 0.003255, 0.005965, 0.00077, 0.00771, 0.002379, 0.00766, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0 ] } } I1124 10:09:31.665886 3892 init.cpp:762] Error reading config: Error parsing the config JSON I1124 10:09:31.665886 3892 loader.cpp:45] No experiments selected Using a virtual database. Need help, type '.help'

Hi, can I utilize fleet to do pxe boot and install OS? Thanks

passitive detect for process new-add or delete ? can osquery?

progress or file or socket

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/1028f32e80b33551af6937a30b1b287ea4971820|1028f32e80b33551af6937a30b1b287ea4971820>

file: Add Shortcut metadata parsing on Windows (#8143) - Stefano Bonicatti

Guys, How to get the OS update logs or to get alert when OS update initiate using Osquery?

Hi all, I’m trying to configure differential logs for the MacOS apps table. I want to see a log message whenever a new app is added and I don’t care about the initial event. My research tells me that I need to make use of the schedule counter. I’m telling my logging system to ignore all logs where

counter = 0

but I’m still seeing some hosts report every single app with

counter = 1

. Does anyone know why this is? The docs say

For initial query results that include all records counter will be "0", while initial results without all records (like event tables) will start at "1".

while initial results without all records (like event tables) will start at “1”

I don’t fully understand what this means but the apps table isn’t an event table so I don’t think it applies. It’s also not completely clear to me what the schedule epoch does - from what I understand this is an arbitrary static field I can set to any 64bit integer and it will stay the same unless I decide to change it? Thanks!

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/3e92fb2d0f5b00a4c58ff51c49832e7f001aeb96|3e92fb2d0f5b00a4c58ff51c49832e7f001aeb96>

ci: Fix Linux build (#8208) - Stefano Bonicatti

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/73599293ce79071f601dde4436f5e361172610c0|73599293ce79071f601dde4436f5e361172610c0>

ci: Update nvdlib to use the latest NVD APIs (#8207) - Stefano Bonicatti

👋 Hi everyone! I have installed fleet on ubuntu 22.04 , i can able to see dashboard however while i add host (client centos 7.9) , i am getting error . INF enroll failed, retrying error="enroll request: POST /api/fleet/orbit/enroll: Post \"https://fleet.mydomain:8080/api/fleet/orbit/enroll\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

How do I clear performance stats (user_time, average_memory, etc.) from

osquery_schedule

? I modified the

query

in my schedule (but the name remained the same), yet osquery is still reporting the old stats from the previous query. Is this intended? I expected the stats to reset if the actual query is now different. Relevant config:

"packs": {
        "Global": {
            "queries": {
                "Get JetBrains Plugins": {
                    "query": "select * from time;",
                    "interval": 3600,
                    "platform": "",
                    "version": "",
                    "snapshot": true
                }
            }
        },

Hi folks - anyone else having issues with the

brew

cask for osquery? Installs are working on macOS, but the symlink in /usr/local/bin (on 2021 MacBook Pro M1, macOS 14) points to an empty directory where it seems to expect osquery.app