osquery #general

Devesh

05/23/2023, 11:16 AM

Hello Comunity! Bug report What operating system and version are you using? NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.2 LTS (Jammy Jellyfish)" +-------------------------------+-------+----------+ | version | build | platform | +-------------------------------+-------+----------+ | 22.04.2 LTS (Jammy Jellyfish) | | ubuntu | +-------------------------------+-------+----------+ What version of osquery are you using? +---------+ | version | +---------+ | 5.0.1.1 | +---------+ What steps did you take to reproduce the issue? SELECT * from bpf_process_events where parent = 0; This is been seen for bpf_process_events and bpf_socket_events also in processes table parent = 0 is never seen. What did you expect to see? expected to see o rows for the query SELECT * from bpf_process_events where parent = 0; Even if osquery will update it's parent later I'm getting parent 0 in osqyeryd aswell! Expected to see any parent_pid except 0 in the bpf_process_events. What did you see instead? Parent as 0 for many rows.

Devesh

05/23/2023, 11:27 AM

also in processes table for windows OS parent = 0 or parent =1 is never seen.

github

05/23/2023, 4:17 PM

[osquery:master] 1 new commit by Jeremy Beker:

<https://github.com/osquery/osquery/commit/2c34a22c33d75e838f34e8c26948abc4adea8add|2c34a22>

Add Apple RSR fields to

os_version

using native API (#8011) - Jeremy Beker

github

05/23/2023, 5:20 PM

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/66ee62b970ab7849fbbdedc9e944d6a4f176bb53|66ee62b>

Do not consider a 404 as an error in ec2-instance-metadata (#8025) - Stefano Bonicatti

github

05/23/2023, 5:28 PM

[osquery:master] 1 new commit by Marcos Oviedo:

<https://github.com/osquery/osquery/commit/9f09b7c632a784ad5493e0fc05ff74a0f89c6efd|9f09b7c>

Improving

listDirectoriesInDirectory

by using ``std::fs`` (#7974) - Marcos Oviedo

Mike S.

05/23/2023, 8:24 PM

Hi all! What would be the best way to convert multiple unixepoch times in a single query? For example, in the wifi_networks table, there is an added_at and captive_login_date that both present in the unixepoch format. Thanks in advance for the help!

Naveen

05/24/2023, 7:04 AM

Can anyone help on docs / suggestions on how to setup FIM for windows. I Was able to follow things related to https://www.kolide.com/blog/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide thanks to @fritz but unsuccessful in implementing them and events are not consistent as expected! I am using osquery 5.5.1 and used following flags,

--disable_events=false
--enable_ntfs_event_publisher=true

with the query

SELECT * FROM ntfs_journal_events;

Is there a way to implement FIM for windows to capture FIM process information. like the process that made the file modification!

Nemesis Contreras

05/24/2023, 5:40 PM

Hi Team, My company currently uses FleetDM I had a question about how often does a regular (non API-only ) user’s API key expires? Weekly, monthly, etc

Krishan

05/25/2023, 1:55 PM

Hi. I'm testing osquery on a Mac, and I wanted trigger an event on new ssh connections or logins. I've been looking at process_open_sockets and trying to filter by port 22, but I don't see it. Any idea on which table I should be looking at?

github

05/25/2023, 2:09 PM

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/7b5c9ebd1a2dfd2c311669994729c97db3636938|7b5c9eb>

cve: Update libxml2 to v2.11.2 (#8023) - Stefano Bonicatti

github

05/25/2023, 7:14 PM

[osquery] New branch "stefano/ci/update-aarch64-actions" was pushed by Smjert

github

05/25/2023, 7:19 PM

[osquery:stefano/ci/update-aarch64-actions] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/b3ad87d1c49af9b1aaa4c5865be29d7bcec0db79|b3ad87d>

Use new aws-credentials action - Stefano Bonicatti

github

05/25/2023, 7:58 PM

[osquery:stefano/ci/update-aarch64-actions] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/a8c9e91ed832d18a7c2f2413e76427d88ecd93eb|a8c9e91>

Use new actions an update ec2-github-runner action - Stefano Bonicatti

github

05/25/2023, 10:53 PM

[osquery:stefano/ci/update-aarch64-actions] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/8869235c0b9dec7ab0a6fb79973c26ddab97ab53|8869235>

Fix the aarch64 workflow (#8035) - Stefano Bonicatti

Chloe Zheng

05/26/2023, 2:53 AM

X-post for a broader audience, but please lmk if it's inappropriate to post here. :thanks:

Charlie Meng

05/28/2023, 3:23 PM

Hi, I’ve looked into the wishlist issue #7931 and figured out a way to serve that additional info. It should be a tiny patch of ~5 lines to osquery/tables/system/linux/system_info.cpp. Do I need to get assigned before PR?

Nakshi Kalolia

05/29/2023, 6:41 AM

I have added a policy in my fleetdm. When I run that query it shows that 23 hosts in "NO" category. But in the policy section it shows only 3 in "NO" category. Can anyone will help me with this?

Nakshi Kalolia

05/29/2023, 6:42 AM

image.png

Esteban

05/29/2023, 5:24 PM

I think there are problems with https://tuf.fleetctl.com/timestamp.json again

Esteban

05/29/2023, 5:25 PM

I cant create any packages with orbit

chrismsnz

05/29/2023, 9:45 PM

has anybody come up with a workaround for the

screenlock

table being busted in the newish mac osx releases?

Jack

05/30/2023, 12:02 PM

Hi, can someone verify this schema detail for chassis_info https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/specs/windows/chassis_info.table#L6 Is there a case where we get multiple values for chassis_types?

Vikas

05/30/2023, 8:01 PM

Hello Fleet team, We have our all host in one AMI, all host has privet IP from 10.202.4.*, which belongs to one of our organizations AWS account. No we I tried to query on all that host in Splunk, I got all the host, but in Fleet dm, I am not getting all the host, missing some of them ? Is there any knows issue or can someone help me out why I am not getting all host from that particular AWS account ?

wennan.he

05/31/2023, 8:10 PM

Hi osquery team, does osquery can detect the issue of dad(Duplicate address detection)?

github

05/31/2023, 8:50 PM

[osquery:master] 1 new commit by James Pickett:

<https://github.com/osquery/osquery/commit/24087aa295a4bc6eb675c25b3b7b82d9f288da39|24087aa>

Add

windows_search

table (#7990) - James Pickett

github

06/01/2023, 10:17 PM

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/d82e8c38dce28ea02805bb28114b7eb8dd050079|d82e8c3>

test: Fix a leak in ExtendedAttributesTableTests SetUp function (#8045) - Stefano Bonicatti

github

06/01/2023, 10:17 PM

[osquery:master] 1 new commit by yux-m:

<https://github.com/osquery/osquery/commit/5be2a2fb9419cf2e6f57bc6c3cd946e33206195c|5be2a2f>

Add number of sockets to

system_info

(#8038) - yux-m

github

06/01/2023, 10:19 PM

[osquery:master] 1 new commit by Stefano Bonicatti:

<https://github.com/osquery/osquery/commit/55fffa85e35de143d99ff2d8573c3ab35ae63a3b|55fffa8>

Fix the aarch64 workflow (#8036) - Stefano Bonicatti

github

06/01/2023, 10:22 PM

[osquery:master] 1 new commit by Alessandro Gario:

<https://github.com/osquery/osquery/commit/28329eb10756d89bf2755da08e39de5aef544334|28329eb>

cmake: Add an option to disable shallow git clone operations (#8026) - Alessandro Gario

github

06/01/2023, 10:23 PM

[osquery:master] 1 new commit by bgirardeau-figma:

<https://github.com/osquery/osquery/commit/09b05ad06256ff823b20df2a7d6657e71e741caf|09b05ad>

Mark time field as additional for event tables (#8020) - bgirardeau-figma