this one https://github.com/osquery/osquery/pull/4019

How do we uninstall osquery on a centos? Is it documented somewhere? I used 'yum remove osquery'. Only the package is removed. But the config and log files still persists.

Hello, I have standard osquey with Kolide fleet as TLS endpoint, have hosts with filling up over time with many thousands of .sst files under /var/osquery/osquery.db sst_dump shows much of the data is this in each of the small .sst files. Looking for info on what this data is, and is there a flag to trim this down, (maybe buffered_log_max)? 'tls_s_1590683819_50' seq:15613, type:0 => 'tls_s_1590683819_51' seq:15614, type:0 => 'tls_s_1590683819_52' seq:15615, type:0 =>

@alessandrogario My read on that discussion is there is potentially, or even likely, a Remote Code Execution vulnerability with how that http_events PR parses untrusted network data as the root user. Is that a correct read on that PR discussion?

If anyone is looking to do some social good, looking for a chance to jump in to osquery development/code changes, I'm happy to help you get started https://github.com/osquery/osquery/issues/6475 (remove instances of 'blacklist' in the product and documentation). I tried to quickly break down the concrete instances so that multiple people can jump in. The issue does not have a step-by-step guide to how to make the change (sorry about that).

@Anatol Pomazau have you configured with

-DOSQUERY_BUILD_TESTS=ON

?

I saw in a github issue this might be caused by the network_interfaces inserts.. is that something i can disable in fleet?

@Zach Zeid a few resources out there: https://osquery.slack.com/archives/C0FHNQ2N6/p1588614325123400?thread_ts=1588614280.123300&cid=C0FHNQ2N6 https://defensivedepth.com/osquery-handouts/

Is using file carving to collect logs from endpoints too much of a hack vs using a log aggregation tool like filebeat?

Just like using "iptables" table to find the open ports and firewall rules for linux, is there a way to find out firewall rules and open ports for windows using osquery?

Hi everyone! I need to monitor some system params as CPU consumption, RAM, net I/O from each process running on a system for an interval of time and I would like to know if osquery is a suitable tool for this purpose. Thanks in advanced

if osquery runs a scheduled query and the tls endpoint is not reachable at that time, the results are sent as soon as the connection to the tls endpoint is estabilished?

hey 👋 on Windows, I get a JOIN query working well in

osqueryi

interactive mode, but the same query won’t work in Osquery config

schedule

, neither did see any error in the

osquery\log

folder, any insights are greatly appreciated?

Is

iptables

table output reliable to find the open ports in linux ?

This was a fun incident

Given docker container id and the process path, is there a way to find the package information of a process running inside the container without actually opening a shell on the container?

i'm currently a master student looking for an interesting thesis topic to write about. my initial approach was to write about endpoint visibility because in times of DoH and DoT, solutions that honor the enduser's privacy, it becomes a lot more difficult for blue teams to detect suspicious behaviour over the wire. therefore i would like to focus on the endpoint, and what is possible to detect there. i have heard a lot good things about osquery, it helps a lot in regards to IT-Operations. But what would be the main Security use-cases for osquery to help blue teams detect threats in their environment/network? can you maybe point me in the right direction other than https://osquery.io/schema to help me get an idea on what is possible? many thanks in advance, cheers theresa

Hi! A startup is looking at implementing security monitoring (baseline/settings, endpoint protection) for their windows+macos machines. Is anyone doing this solely using OSS products? e.g. I see that Kolide Fleet + Wazuh is an option, but curious how others are using osquery for this purpose.

will we have a release soon?

Does

shell_history

support differentials? E.g. if I'm running osqueryd, and it runs the following query every 15m:

SELECT sh.time, uid, username, sh.history_file, sh.command FROM users JOIN shell_history sh USING (uid)

, will i get differentials, or will i get the entire history contents each time, unless i add a

WHERE

condition thats something like

WHERE sh.time > NOW() - <QUERY-INTERVAL>

Does anyone know where a good repository of advanced queries for OSQ can be found. I am not so much interested in how to get information from a single table but more interested in folks who are using it to get some more complex queries to work. For example below is a query that will generate the process tree for all running processes on the system, so you can see parent child relationship: WITH RECURSIVE proc_tree(pid, level, startTime, cmdLine, procName) AS ( SELECT p.pid, 0, p.start_time, p.cmdLine, p.name FROM processes p /* Get all processes without running parents (root / orphan processes) */ WHERE p.parent = 0 OR p.parent NOT IN (SELECT DISTINCT pid FROM processes p2 WHERE p2.start_time <= p.start_time AND pid = p.parent) UNION ALL /* Add each process with a parent in proc_tree to the table at the level it is down from a root */ SELECT p.pid, proc_tree.level + 1, p.start_time, p.cmdLine, p.name FROM processes p JOIN proc_tree ON p.parent = proc_tree.pid AND proc_tree.startTime <= p.start_time WHERE p.parent != 0 ORDER BY 2 DESC ) SELECT CAST(datetime(pt.startTime,'unixepoch') AS TEXT) processStartTime, /* Add an indentation for every level the process is from it's root */ substr((CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658) || CHAR(9658)), 1, level) || ' ' || pt.procName processBranch, pt.pid, pt.cmdLine FROM proc_tree pt

Could this be related to AWS SDK being built with '-DNO_HTTP_CLIENT=1' ?

Is there any support of

osquery tables for windows

command "`netsh firewall show state`" ?

Hello! I am interested in possibly adding some additional targets for a preexisting feature. I'm not sure which channel is appropriate for that discussion as this would be my first contribution.

Can we run

osqueryi

when

osqueryd

is already running ?

I am facing an issue with process_events table, when a pid is reused the join with different tables can provide wrong results, did you ever think to implement an additional random (larger than uint16) pid? most of the EDRs implement this to avoid pid reuse

What does

return code 78

mean in osquery ?

is there a problem with having the kinesis logger append a new line character to the buffer when adding new records like the firehose logger plugin does?

@Brandon Schmoll Are you asking if there is a global API/repository of latest stable release versions for all applications across all platforms?