this is totally my new red team shell management framework

Actually to compile

EC2Client.cpp

clang process does take 5GB of memory. That was the exact reason of crash, thank you @Stefano Bonicatti!

Hi, how do i add Windows10 to a Koldie fleet (I have not installed osquery on the Win10 machine yet)

will the below work ??? I want to store the osqueryd.results.log/ osquery.snapshots.log on /var/log/osquery & on tls endpoint like kolide

What is CVE?

Hello, does anyone know how the

INFO

WARNING

and

ERROR

logs are generated? I'm getting a ton of small

<http://osqueryd.INFO|osqueryd.INFO>.*

files generated by osqueryd

hehe, it is not yet in the repos, and I had just asked in #core if now is a good time. Has anyone had a chance to deploy and test? Any comments on stability?

Has anyone else seen

chrome_extensions

returning multiple identical results in version 4.2? The same query in version 4.0.2 doesn't have the duplicate results

Thanks for all the work so far! I am also curious if we are making more copies of strings (just a general concern) and if that has any perf impact for effected tables — perhaps there are one or two that are string copy heavy that are now heavier?

Though I have commented psutil, it doesn't build

Hello could this be updated to when 4.2.1 is due ? https://github.com/osquery/osquery/milestones

Is there any way to debug the scheduler? I am attempting to configure osquery with local JSON but the queries don’t appear to be running. I see the packs in

osquery_packs

but nothing in

osquery_schedule

, but there are no errors or warnings in the daemon’s status logs

hello, has anyone had to deal with the watchdog constantly killing your osquery worker?

Also, you really want to use the latest 4.x, which is 4.2.0, there’s an important TLS security fix there.

Hi all! I have a question on sharding (restricting the query to a percentage of the target hosts). Does sharding pick the same hosts every time? For example, if we shard to %15 of hosts, can we expect the same hosts to be chosen every time the query runs?

Stupid question: Is it possible to build Osquery for Windows on a Mac or Linux machine? If so, how? Just change the target? Background: I want to test a feature in the current master on Windows and can’t find a build/nightly in the official pipeline. (ignore signing infrastructure)

Hi @Diego Erazo , there is the

patches

table (eg.

SELECT * FROM patches;

or if that doesn't have what you are looking for I wrote a query to scan the registry for KBs:

WITH patch_packages AS (
SELECT path, key, type,
    MAX(CASE WHEN name = 'InstallName' AND data LIKE 'Package_%_for_KB%' THEN SUBSTR(SPLIT(data, '_', 3), 1, 9) 
             WHEN name = 'InstallName' AND data LIKE 'Package_for_KB%' THEN SUBSTR(SPLIT(data, '_', 2), 1, 9) END) AS kb_id,
    MAX(CASE WHEN name = 'CurrentState' THEN data END) AS current_state,
    MAX(CASE WHEN name = 'InstallClient' THEN data END) AS install_client,
    MAX(CASE WHEN name = 'Visibility' THEN data END) AS visibility,
    MAX(CASE WHEN name = 'SelfUpdate' THEN data END) AS self_update,
    MAX(CASE WHEN name = 'InstallLocation' THEN data END) AS install_location,
    MAX(CASE WHEN name = 'InstallUser' THEN data END) AS install_user,
    MAX(CASE WHEN name = 'InstallName' THEN data END) AS install_name
FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\%4534273%\%%'
GROUP BY key
)
SELECT 
    MAX(kb_id),
    MAX(install_client),
    SUM(CASE WHEN current_state = '0' THEN 1 END) AS current_state_absent,
    SUM(CASE WHEN current_state = '5' THEN 1 END) AS current_state_uninstall_pending,
    SUM(CASE WHEN current_state = '16' THEN 1 END) AS current_state_resolving,
    SUM(CASE WHEN current_state = '32' THEN 1 END) AS current_state_resolved,
    SUM(CASE WHEN current_state = '48' THEN 1 END) AS current_state_staging,
    SUM(CASE WHEN current_state = '64' THEN 1 END) AS current_state_staged,
    SUM(CASE WHEN current_state = '80' THEN 1 END) AS current_state_superseded,
    SUM(CASE WHEN current_state = '96' THEN 1 END) AS current_state_install_pending,
    SUM(CASE WHEN current_state = '101' THEN 1 END) AS current_state_partially_installed,
    SUM(CASE WHEN current_state = '112' THEN 1 END) AS current_state_installed,
    SUM(CASE WHEN current_state = '128' THEN 1 END) AS current_state_permanent
FROM patch_packages
GROUP BY kb_id

@fritz and @alessandrogario thank you

Does anyone here have a recent nightly build of the osquery master for Windows and can provide it to me? I would like to test a bugfix…

Hello team, I need to write an extension for osquery, and I will be using kolide/osquery-go to register tables and config plugins, Is there a way to get access to the flags that was passed to the osqueryd daemon via osquery.flags ?

Why is this timeout hardcoded to 16? In the file osquery\remote\transports\tls.cpp

options.follow_redirects(true).always_verify_peer(verify_peer_).timeout(16);

I am just curious about an error I getting trying to enroll my first machine, is there place to ask such a question? \

Hello everyone, which channel would be the ideal to get some support with the

osquery

configuration? I'm struggling to get some of the

osquery.flags

the configuration set into my

osquery.db

.. Performing a simple

select * from osquery_flags;

doesn't return any of the flags set in my

osquery.flags

. Realy appreciate your help.

Hi Folks. I'm wondering if

--disable_events=false

needs to be used with

--disable_audit=false

What do you mean “state is different”? Are you running into https://github.com/osquery/osquery/issues/6290

Hi All below is my Flag file, for some reason I do not receive any event to my tls server. For some reason I am getting

Event publisher not enabled: syslog: Publisher disabled via configuration"

Any idea someone ? Flag File:

--watchdog_level=0
--watchdog_memory_limit=300
--host_identifier=uuid
--tls_hostname=kolide-server:443
--tls_server_certs=/etc/osquery/ca.crt
--config_plugin=tls
--distributed_plugin=tls
--logger_plugin=tls
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_tls_endpoint=/api/v1/osquery/config
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_tls_endpoint=/api/v1/logger
--config_refresh=300
--config_tls_max_attempts=20
--enroll_always=true
--disable_distributed=false
--distributed_interval=0
--enroll_secret_path=/etc/osquery/enroll
--database_path=/var/osquery/osquery.db
--pidfile=/var/run/osqueryd.pid
--logger_path=/var/log/osquery
--audit_allow_config=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_allow_sockets=true
--audit_allow_user_events=true
--audit_force_reconfigure=true
--audit_persist=false
--disable_audit=false
--enable_dns_lookups=true
--logger_tls_event_types="user_events|process_events|process_file_events|socket_events|dns_lookup_events|file_events|http_events"
--events_max=1000
--disable_events_staging=false
--windows_event_channels=Security,System,Application,Setup
--win_enable_dns_lookups=true
--win_allow_sockets=true
--win_allow_process_events=true
--win_allow_logon_events=true
--win_allow_fim_events=true
--win_allow_drive_events=true
--win_allow_reg_events=true
--enable_windows_kernel_events=true
--allow_inotify_file_events=false
--audit_records_rate=10000
--logger_tls_compress=true
--enable_wmi=true
--enable_http_lookups=true
--process_ancestor_list=true
--audit_force_unconfigure=true
--audit_source_dispatcher=true
--watchdog_utilization_limit=21
--generate_process_hash_in_process_event=true

Hey guys, Is there any specific order in which the config files are loaded.. I see that config is loaded by

genConf

functions in the

std::map<std::string, std::string> &conf

object..but how does if effect when two different config files have overlapping config items.. eg: If I need a file watch, and one config file has list of files to be included and another config file has the list of file to be excluded.. which will be given a preference.. ?

Hello all. I'm trying to stand up osquery on-prem. How many servers would I need for about 30,000 endpoints? I understand that I can use Scale Sets in Azure but am trying to set up a test environment with a budget of $0. Any advice would be appreciated.

@nyanshak, it's a system library error which seems to suggest that we are querying OpenDirectory with a wrong attribute for a specific node? Would need to debug that to know more..

moves this instance to top of "Slack stack" 😛