nyanshak 08/10/2020, 10:40 PM
Guillaume 08/11/2020, 2:59 PM
Seán O'Halloran 08/12/2020, 8:45 PM
Benjamin Herrenschmidt 08/13/2020, 1:49 AM
amir 08/13/2020, 6:39 AM
Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via conf.
How to resolve this problem? Thanks. Sorry for my bad English 🙂
Benjamin Herrenschmidt 08/13/2020, 9:58 PM
Albert Attias 08/13/2020, 10:52 PM
Erfan 08/14/2020, 10:27 AM
Yerms 08/17/2020, 8:26 PM
grant seltzer 08/19/2020, 7:01 PM
grant seltzer 08/19/2020, 7:01 PM
Zach Zeid 08/20/2020, 4:16 PM
RP1 08/21/2020, 6:15 PM
rh0gue 08/24/2020, 10:35 PM
process_file_events queries and was wondering if anyone else has had the same issue or knows how to fix this. I'm using a small, custom ruleset defined in /etc/audit/audit.d/rules.d:
-D
-b 5000000
--backlog_wait_time 0
-a always,exit -S openat
In osquery.flags I'm also setting --audit_allow_config=false to ensure that when osquery runs, it doesn't overwrite these auditd changes:
--audit_allow_config=false
--audit_allow_sockets=true
--audit_persist=true
--audit_fim_show_accesses=true
--audit_allow_fim_events=true
--disable_audit=false
--events_expiry=1
--events_max=5000000
--logger_min_status=1
--logger_plugin=filesystem
--watchdog_memory_limit=350
--watchdog_utilization_limit=130
--audit_allow_user_events=true
--verbose=true
In osquery.conf, I'm running a PFE query every 10 seconds on the Downloads directory:
"process_file_events": {
"query": "SELECT * from process_file_events;",
"interval": 10,
"description": "auditd implementation of FIM",
"removed": false
},
[...]
"file_paths": {
"watch_repos": [
"/home/rh0gue/Downloads/%"
]
},
"file_accesses": ["watch_repos"]
It seems this combination of using custom auditd rules and osquery works well to detect when a process executes the openat syscall on a pre-existing file in my Downloads directory that was already on disk when the osquery daemon was started, but not when a new file is downloaded to the same directory and a process executes openat on this new file. Has anyone come across this issue or have any recommended solutions so that we can use osquery to monitor syscalls on newly created files as well?
ET 08/25/2020, 7:31 AM
EXISTS(SELECT size from file where path = '/tmp/et.txt')
I get this error: "Error: near "EXISTS": syntax error"
Maybe you have a different solution instead of "EXISTS"?
fritz 08/25/2020, 1:12 PM
EXISTS, you presumably want to have some form of a SELECT statement. Furthermore, your EXISTS pattern does not make sense as written.
If I wrote:
SELECT 'test' AS foo WHERE EXISTS(SELECT size from file WHERE path = '/tmp/et.txt');
The logic executed would be the following: select a given string ('test' AS foo) if a path matching '/tmp/et.txt' exists in the file table.
Because size is not constrained in the WHERE clause, it has no bearing on the output of the query. Likewise, it will never be _SELECT_ed because you are using an EXISTS condition, which operates like a boolean. If you wanted to sub-select size for your '/tmp/et.txt' file, you would need to modify your query.
Using EXISTS here is duplicative and the same goal could be accomplished without it by doing the following:
SELECT 'test' AS foo WHERE (SELECT 1 FROM file WHERE path = '/tmp/et.txt');
---
I assume you are trying to do something else here but it is hard to guess based on the snippet alone. If you tell me the exact use-case you are trying to solve for, I would be more than happy to help you craft the SQL.
Jattind 08/25/2020, 10:33 PM
Benjamin Herrenschmidt 08/26/2020, 3:54 AM
MoodyMudit 08/26/2020, 12:33 PM
Nabil Schear 08/26/2020, 3:58 PM
select c.serial_number from curl_certificate as c where hostname="localhost" and port in (Select port from listening_ports where path="");
but I instead need to combine "localhost" and port into one field for hostname. Is there a way of doing this in SQL without the curl_certificate table having support for a separate port field? thx
zwass
Benjamin Herrenschmidt 08/28/2020, 4:07 AM
sanjaykcse 08/28/2020, 1:06 PM
Tfox580 08/29/2020, 6:18 AM
demonbhao 08/31/2020, 6:31 AM
Mike Myers 09/02/2020, 10:48 PM
sundsta 09/02/2020, 10:52 PM
fritz 09/02/2020, 11:54 PM
X
table" article, something that could help inspire other motivated community members to approach an un-osquerified API and try to wrangle some C++.
demonbhao 09/03/2020, 6:36 AM
Benjamin Herrenschmidt 09/03/2020, 11:08 PM