Stefano Bonicatti
04/15/2020, 1:32 PM
Stefano Bonicatti
04/15/2020, 1:19 PM
run()
function that gets called periodically and so drives the event collection and publishing logic. Each time that function gets called, it will increase that value you see.
Ahmed
04/15/2020, 1:31 PM
[root@host1 ~]# sudo systemctl status osqueryd -l
● osqueryd.service - The osquery Daemon
Loaded: loaded (/etc/systemd/system/osqueryd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-04-15 09:22:16 EDT; 4min 15s ago
Process: 32355 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
Process: 32353 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
Main PID: 32358 (osqueryd)
Tasks: 18
Memory: 5.9M
CGroup: /system.slice/osqueryd.service
├─32358 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf --pidfile /var/run/osqueryd.pidfile
└─32361 /usr/bin/osqueryd
Apr 15 09:22:16 host1 systemd[1]: Starting The osquery Daemon...
Apr 15 09:22:16 host1 systemd[1]: Started The osquery Daemon.
Apr 15 09:22:16 host1 osqueryd[32358]: osqueryd started [version=4.2.0]
Apr 15 09:22:17 host1 osqueryd[32358]: I0415 09:22:17.412950 32361 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
Apr 15 09:22:17 host1 osqueryd[32358]: I0415 09:22:17.413987 32361 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration
defensivedepth
04/15/2020, 3:24 PM
fritz
04/15/2020, 3:56 PM
EXPLAIN QUERY PLAN
and
.timer ON
Jean M
04/15/2020, 6:29 PM
Hugh (Zercurity)
04/16/2020, 9:22 AM
--tls_server_certs=/usr/local/zercurity/zercurity.pem
Melissa Corp
04/17/2020, 5:56 PM
M09UL
04/17/2020, 8:21 PM
Rafael
04/17/2020, 11:42 PM
Olivia MacDougal
04/20/2020, 6:47 PM
chrome_extensions
issue! https://github.com/osquery/osquery/issues/5563. Thank you in advance 😄
terracatta
ihor
04/20/2020, 7:40 PM
Stefano Bonicatti
04/21/2020, 2:32 PM
Zach Zeid
04/21/2020, 5:23 PM
Zach Zeid
04/21/2020, 5:43 PM
select * from shell_history;
I would've presumed it'd be able to get the history for all users. I haven't seen anything from today.
James Espinosa
04/21/2020, 10:33 PM
+--------------+-------------------------+
| header | rule_details |
+--------------+-------------------------+
| %group1 | ALL=(ALL) NOPASSWD: ALL |
| %group2 | ALL=(ALL) NOPASSWD: ALL |
| user1 | ALL=(ALL) NOPASSWD: ALL |
| user2 | ALL=(ALL) NOPASSWD: ALL |
+--------------+-------------------------+
osquery> SELECT * FROM sudoers WHERE header LIKE '\%%';
(produces 0 results)
DU
04/22/2020, 8:16 AM
Tim
04/22/2020, 6:52 PM
Zach Zeid
04/23/2020, 2:06 PM
"action": "removed"
does this mean that it was removed from the table in osquery?
KryptoNyte
04/23/2020, 7:38 PM
osqueryd
by using --extensions-socket=$HOME/osqueryd/osquery.em, where the actual path is constructed in a cross-platform way (using Go's filepath.Join function)
Zach Zeid
04/23/2020, 8:14 PM
joe b
04/23/2020, 8:18 PM
Erich Stoekl
04/24/2020, 8:01 PM
ExecReload in the unit file, but is it possible to send SIGHUP and reload the config?
alessandrogario
WS
04/29/2020, 4:34 PM
Ivanlei
04/29/2020, 5:58 PM
last_executed from the osquery_schedule table
Mithya
04/29/2020, 7:00 PM
auditctl -l
shows me rules added by osquery but in the container, this doesn't work.)
The same set of flags doesn't work when I test it out inside a container.
These are the flags I am launching osqueryd with:
--audit_allow_config=true
--audit_allow_sockets
--audit_persist=true
--disable_audit=false
The error that I am getting is:
osquery_1 | I0429 19:00:06.721541 16 auditdnetlink.cpp:623] Failed to set the netlink owner
Erich Stoekl
04/29/2020, 9:05 PM
Lawrence D'Anna
04/29/2020, 9:43 PM
os_log() logging?