general
  • Hugh (Zercurity)

    11/22/2022, 3:54 PM
    @Brandon Mesa pretty much. The only major issue is Apple signing and notarization, and if you want to sign Windows packages correctly there's a whole process you need to go through. However, re-packaging and deploying on a corporate network is pretty straightforward.
  • Hugh (Zercurity)

    11/22/2022, 3:55 PM
    https://zercurity.medium.com/building-packages-on-aws-lambda-c820ffea24a this is a post I wrote on how we package on osquery
  • Jarod Reyes

    11/22/2022, 6:37 PM
    👋
  • wennan.he

    11/22/2022, 8:59 PM
    Hi osquery team, any update for https://osquery.slack.com/archives/C08V7KTJB/p1668809882785799? And I would like to know, if we want to set up a memory restriction with min/max threshold, what is the expected value?
  • wennan.he

    11/23/2022, 12:40 AM
    Hi osquery team, does the explanation shown below mean osqueryd is only allocated 200 MB if I don't set --watchdog_memory_limit?
  • Nhat Truong

    11/24/2022, 6:27 AM
    Hello, I'm setting up a fleet-server with Docker Compose. I'm stuck at this error:
    fleet-sv    | {"component":"redis","level":"info","mode":"standalone","ts":"2022-11-24T06:25:47.483252226Z"}
    fleet-sv    | Failed to start: initializing osquery logging: create filesystem status logger: perm check: open /logs/osqueryd.status.log: permission denied
  • Nhat Truong

    11/24/2022, 6:28 AM
    What can I do next, please?
  • Nhat Truong

    11/24/2022, 6:28 AM
    my docker-compose
    volumes:
      - ./osquery:/fleet/
      - ./logs:/logs/
      - ./vulndb:/vulndb/
  • Jshi

    11/24/2022, 9:15 AM
    I get an error when building on macOS, does anybody know how to fix this?
    [ 52%] Building CXX object plugins/config/parsers/CMakeFiles/plugins_config_parsers.dir/feature_vectors.cpp.o
    /Users/shijunyan/Documents/code/osquery/osquery/events/darwin/endpointsecurity.cpp:102:35: error: no member named 'global_seq_num' in 'es_message_t'
    ec->global_seq_num = message->global_seq_num;
    ~~~~~~~ ^
    1 error generated.
    make[2]: *** [osquery/events/CMakeFiles/osquery_events.dir/darwin/endpointsecurity.cpp.o] Error 1
    make[2]: *** Waiting for unfinished jobs....
    [ 52%] Building CXX object osquery/tables/utility/CMakeFiles/osquery_tables_utility_utilitytable.dir/file.cpp.o
    [ 52%] Building CXX object libs/src/aws-sdk-cpp/CMakeFiles/thirdparty_aws-cpp-sdk-ec2.dir/src/aws-sdk-cpp/aws-cpp-sdk-ec2/source/model/CreateInstanceExportTaskResponse.cpp.o
    [ 52%] Building CXX object plugins/config/parsers/CMakeFiles/plugins_config_parsers.dir/file_paths.cpp.o
    [ 52%] Building CXX object osquery/carver/CMakeFiles/osquery_carver.dir/carver.cpp.o
    [ 52%] Building CXX object libs/src/aws-sdk-cpp/CMakeFiles/thirdparty_aws-cpp-sdk-ec2.dir/src/aws-sdk-cpp/aws-cpp-sdk-ec2/source/model/CreateInternetGatewayRequest.cpp.o
    /Users/shijunyan/Documents/code/osquery/osquery/events/darwin/endpointsecurity_fim.cpp:160:35: error: no member named 'global_seq_num' in 'es_message_t'
    ec->global_seq_num = message->global_seq_num;
    ~~~~~~~ ^
    1 error generated.
    make[2]: *** [osquery/events/CMakeFiles/osquery_events.dir/darwin/endpointsecurity_fim.cpp.o] Error 1
    make[1]: *** [osquery/events/CMakeFiles/osquery_events.dir/all] Error 2
    make[1]: *** Waiting for unfinished jobs....
  • wennan.he

    11/25/2022, 4:33 AM
    Hi osquery team, does osquery generate any processes in any case?
  • Nick Leffler

    11/25/2022, 9:11 PM
    Thanks for the awesome software. To install osquery I ended up creating a new systemd unit with the switches mentioned in the documentation. I was curious if that was required, or if, when running the command first, the normal systemd unit takes those options. Also, if that's a no and I need to keep my custom systemd unit, do I need to keep the enroll_secret_path switch, or does it only require the key to be sent the first time?
  • Nick Leffler

    11/25/2022, 10:41 PM
    Never mind on my question. I learned about orbit. Makes it much easier.
  • Subash Rajaa

    11/28/2022, 6:14 AM
    Team, I want to open a PR for the issue https://github.com/osquery/osquery/issues/7802; I need push access for user "srajaa".
  • Subash Rajaa

    11/28/2022, 6:14 AM
    C:\Source\osquery>git push --set-upstream origin1 fflush-consolebuufer-ungraceful-exit
    remote: Permission to osquery/osquery.git denied to srajaa.
    fatal: unable to access 'https://github.com/osquery/osquery.git/': The requested URL returned error: 403
  • Stefano Bonicatti

    11/28/2022, 8:38 AM
    Hello @Subash Rajaa, you should fork the osquery repository, commit your work in a separate branch (not master) on your own repository, and then you can open a PR in the upstream repository which points to your branch.
  • allister

    11/28/2022, 2:36 PM
    Is anyone aware of/looking into auditing what appears to be a new filesystem manifestation of Firefox addons that put bundles on the Mac like
    /Users/USER/Library/Application Support/Firefox/Profiles/k5wvl3gs.default-release/storage/default/https+++totp.app
    ?
  • allister

    11/28/2022, 2:42 PM
    I'm seeing literally hundreds of these paths, sometimes dozens per user with the same, e.g.,
    csb.app
    end to the path, with a hash-looking random 6-character prefix on the basename, e.g.:
  • wennan.he

    11/28/2022, 6:43 PM
    Hi osquery team, does osquery generate any processes in any case?
  • Naufal Jamal

    11/30/2022, 6:48 PM
    Hello osquery team, I have a question about the setup.py file. The host where I am trying to deploy this doesn't have internet. While running
    sudo python setup.py install
    it's contacting the internet to fetch these packages and just gets stuck. These packages are already on the host. How do I avoid fetching these packages from outside? Currently my install stops at
    Searching for argparse>=1.1
    Reading https://pypi.python.org/simple/argparse/
    install_requires=[
        "thrift>=0.10",
        "argparse>=1.1",
        "future",
    ],
  • peanut butter

    11/30/2022, 6:48 PM
    I want to change the yara.cpp source code, and I want to use the curl library, and for that I need to include some libraries, and I'm new to CMake. So should I add the libs to the cmake.txt in the yara folder or to the main cmake.txt?
  • Naufal Jamal

    11/30/2022, 10:06 PM
    Hello, could someone please help with this error?
    >>> import osquery
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "build/bdist.linux-x86_64/egg/osquery/__init__.py", line 33, in <module>
      File "build/bdist.linux-x86_64/egg/osquery/config_plugin.py", line 16, in <module>
      File "build/bdist.linux-x86_64/egg/osquery/extensions/ttypes.py", line 9, in <module>
    ImportError: No module named thrift.Thrift
    >>>
  • Sandeep

    12/01/2022, 1:25 AM
    Hello team, I am new to osquery. I wanted to check if there are osquery APIs which can be invoked from a .NET application. I am looking to get process performance metrics such as CPU/memory etc. using osquery via an existing .NET application.
  • Naufal Jamal

    12/01/2022, 11:43 AM
    Facing this error. Help appreciated.
    (osqueryvenv) python3 ./osquery_lldp_extension.py --socket /export/home/njamal/.osquery/shell.em
    Traceback (most recent call last):
      File "./osquery_lldp_extension.py", line 25, in <module>
        @osquery.register_plugin
    AttributeError: module 'osquery' has no attribute 'register_plugin'
  • Anoop K V

    12/02/2022, 10:37 AM
    Hi Team, we currently run osquery 4.8.0 and are planning for an upgrade. We want to know the best stable build. We are looking to go for 5.5.1; any feedback here w.r.t. 5.5.1?
  • Mo Zhu

    12/02/2022, 6:47 PM
    Hey all, I saw that 5.6.0 was released! Will we update the schema on the site soon too? https://github.com/osquery/osquery-site/tree/source/src/data/osquery_schema_versions
  • Kunal

    12/05/2022, 4:03 PM
    Hi, is there a way I can query for file-modification events which also gives the name of the process (or pid) which modified it? I want this on the Windows platform. Thanks
  • Reza Kazemy

    12/05/2022, 4:41 PM
    Hi. How can I check if a password has been set for a system on a Windows or macOS client with osquery? I would appreciate it if someone can help me find a related query.