osquery #general

Mystery Incorporated

08/05/2021, 1:12 AM

Hey all I need some help with a query: Currently if I run

SELECT * FROM windows_security_products

and I have a third party anti-virus installed, it reports as the picture below. What is happening is that it reports as the third-party anti-virus & firewall is on, and microsoft defender is off. Given that I have mixed endpoints that are using defender and some with a third-party AV, how can I make a query that reports if ALL av/firewall are off not if only 1 is off. Kibana seems really limited and I don't think I can do any kind of aggregation so I think I'll have to do it with osquery.

zwass

08/05/2021, 1:38 AM

Anyone know a query that can reliably (across osquery versions) identify if osquery is running on Linux? I thought this would do, but the results are inconsistent:

SELECT 1 FROM osquery_info WHERE build_platform = 'linux'

Mystery Incorporated

08/07/2021, 5:52 AM

@Stefano Bonicatti 😄

m s

08/09/2021, 12:13 PM

why orbit is not updating osquery to 4.9.0

Zachary Dawe

08/09/2021, 3:45 PM

Hello, does anyone know the easiest way to build a FleetDM server which will never have access to the internet? Transporting a VM is not an available option, unfortunately.

Yash Boura

08/10/2021, 8:45 AM

My understanding is that, osquery agent will periodically poll FleetDM to get any scheduled-queries/live-queries that need to executed, so do we have an option to change the polling interval of osquery through fleet? Or the mechanism is different?

Nabil Schear

08/10/2021, 6:00 PM

hi, I’m looking for someone to review this PR: https://github.com/osquery/osquery/pull/7132 @Stefano Bonicatti @theopolis? I think it is ready to go.

abraham linkolan

08/12/2021, 6:46 AM

hello guys dose someone know ay repository where i can find new tables created by the community?

Slackbot

08/13/2021, 4:46 AM

This message was deleted.

Madhur Jodhwani

08/13/2021, 8:38 AM

How to change

osueryd

name in CMD and also in proccess log like I want to launch it as

madhurs_daemon --flagfile=flagfile.txt

instead of

osqueryd --flagfile=flagfile.txt

and it should be seen as

madhurs_daemon

in the process log as well as in the console application, any idea or any stuff I need to check out?

HarlanF

08/14/2021, 12:42 AM

Can anyone point me to where the ERROR WARNING and INFO symlinks are created in the source code? Trying to figure out what logic's used.

Stefano Bonicatti

08/15/2021, 8:37 AM

That seems an issue with the fact that osquery, to avoid doing network calls, only queries for local users. There’s a similar issue/consequence to that: https://github.com/osquery/osquery/issues/7194

Madhur Jodhwani

08/16/2021, 10:12 AM

I was wondering to change the name of osqueryd but not as explained previously but through code internally, like change it from everywhere, how to di it?

Ahmed

08/17/2021, 8:54 AM

Hi All, I’m facing an issue, hopefully you can help me with. when running a query with case sensitive on OSquery version 4.9.0 it returns this error, but it worked on the version 4.5.1 previously.

Copy code

osquery> PRAGMA case_sensitive_like=1; <Query>

E0817 04:50:29.635751  8504 sqlite_util.cpp:295] Authorizer denied action 19 case_sensitive_like 1 null null
Error: not authorized

alessandrogario

08/17/2021, 1:18 PM

is there any way to install glibc on it?

Seth Hanford

08/19/2021, 5:06 PM

Is there current guidance about the constraints on results that we should expect from recursive searches against the ‘file’ table? I am experiencing strange results when trying to recursively look for files on MacOS (noticed on Mac 11.5.2, osquery 4.9.0): When I run find on the system, I get this (partial results):

Copy code

# find / -name java -type f 2>/dev/null -exec ls -lisah {} \;
... /usr/bin/java
... /usr/local/Cellar/libmagic/5.40/share/misc/magic/java
... /usr/local/Cellar/openjdk/16.0.2/libexec/openjdk.jdk/Contents/Home/bin/java
... /usr/share/file/magic/java
... /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java
... /System/Volumes/Data/usr/local/Cellar/libmagic/5.40/share/misc/magic/java
... /System/Volumes/Data/usr/local/Cellar/openjdk/16.0.2/libexec/openjdk.jdk/Contents/Home/bin/java
... /System/Volumes/Data/Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java

When I run a recursion from the root, I get only 1:

Copy code

SELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/%%'
filename: java
path: /usr/bin/java

Other times, I get a few directories lower:

Copy code

SELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/usr/share/%%'
filename: java
path: /usr/share/file/magic/java

Other times, it doesn’t work:

Copy code

SELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/usr/local/Cellar/%%'
0 results (should be at least 2)

Artem

08/20/2021, 1:14 PM

I see https://archlinux.org/packages/community/x86_64/osquery/ but there is 4.6.0

defensivedepth

08/24/2021, 12:20 PM

The Suricata

Stream

set of signatures generate alot of noise. They should be interpreted more as

info

level logs, more focused on adding context to a situation. Tbh, I typically disable them on PROD deployments. The most likely reason is because the Fleet server is offline.

Madhur Jodhwani

08/25/2021, 1:14 PM

How do you make osquery installer package for mac/ linux from source code, I mean the installer for installation and not the build process one.

benbass

08/25/2021, 2:50 PM

Where do I get the latest osquery GPG keys for RHEL RPMs?

Slackbot

08/25/2021, 5:44 PM

This message was deleted.

Evan Wolfe

08/25/2021, 9:22 PM

Is there a best practice for running osqueryd in the background all the time on linux and windows? In the case of wanting to always be able to live query from Fleet? Or am I thinking about this incorrectly?

Zander Mackie

08/26/2021, 8:06 PM

Is the release cadence for osquery documented somewhere? Seems like its sort of averaging every three months (purely eyeballing the github releases)

puffycid

08/28/2021, 3:07 AM

i have quick question does anyone have a query to get a full file listing of a system using osquery? i tried the one mentioned at https://blog.kolide.com/the-file-table-in-osquery-is-amazing-99db0f52a066 but it does not seem to be returning all the files (i may be doing something wrong) i also tried searching slack but did not get any hits thanks

Zander Mackie

08/30/2021, 9:06 PM

(I should clarify that I thought that

/%%

would recurse down from the root directory, but the top query is only return 3 results for some reason, which is not what I thought it would do)

Venkaiah

08/31/2021, 12:39 PM

Copy code

Hi Team i am facing error " go run: no packages loaded from ./cmd/package"   when i run command   
go run ./cmd/package --type=pkg --fleet-url=localhost:8412 --insecure --enroll-secret=YOUR_FLEET_ENROLL_SECRET_HERE

Stijn Pieters

08/31/2021, 2:26 PM

Hey, I'm trying to get a list of vulnerabilities for the software installed on my hosts. For Windows hosts I get a proper software list on the "Host" page, but for Linux hosts I'm getting a user list instead. I also haven't seen any vulnerabilities in the software list, but maybe I'm just not that vulnerable :^) I set the required environment variable and configured a path to write the vulnerability DB to. Did I miss something?

Zander Mackie

09/01/2021, 3:52 PM

I’m trying to find examples of the usage of

number_monitoring

but I haven’t come across any. It looks like maybe this was planned, but never done? Anybody have any pointers here? I’d love to contribute that back to docs.

eici

09/02/2021, 10:44 AM

Hi, any idea whats wrong on MacOS (Catalina, Intel) when trying to build the "orbit" pkg?

go version go1.17 darwin/amd64

Copy code

➜  orbit git:(main) go run ./cmd/package --type=pkg --fleet-url=localhost:1337 --insecure --enroll-secret=SomeThingSecret --debug
2021-09-02T12:32:42+02:00 DBG created temp dir path=/var/folders/sj/yjq11f9d18q16_gt1xjz61gr0000gp/T/orbit-package3229585214
2021-09-02T12:32:42+02:00 FTL package failed error="create root dir: Path /var/folders/sj/yjq11f9d18q16_gt1xjz61gr0000gp/T/orbit-package3229585214 already exists with mode 20000000700 instead of the expected 20000000755"
exit status 1

alessandrogario

09/02/2021, 4:53 PM

New contributor! Thanks so much for your PR @Patrick MARIE! 🙂

osquery 6

ty 3

👌 4