alessandrogario
Harrison
11/05/2021, 4:50 PM
osqueryi shell. These are the two I'm looking at? https://fleetdm.com/ and Kolide.
Giovanni Giannola
11/06/2021, 1:16 AM
Dhruv Rathod
11/08/2021, 2:33 PM
slevchenko
11/09/2021, 10:56 AM
/proc/<PID>/cmdline to /proc/<PID>/status
For this to work we need to read the cmdline and status content. Is this even possible with osquery? To clarify, by comparison I mean just ensuring that both of them contain the same name keyword.
Andrew Farley
11/09/2021, 11:11 PM
Bryan
11/10/2021, 6:29 PM
Nabil Schear
11/10/2021, 10:50 PM
koo
11/15/2021, 7:51 AM
Mystery Incorporated
11/15/2021, 11:14 PM
slevchenko
11/16/2021, 3:51 PM
osqueryi --extension X
and it works too, but not when used via osqueryd: the plugin gets registered, and then:
plugin X registered
plugin X failed validation
plugin X gone away
Giovanni Giannola
11/18/2021, 2:00 AM
Dhruv Rathod
11/19/2021, 5:31 AM
host_identifier in all requests from osquery to the TLS server? Like, it only sends node_key, but I also want osquery to send other values every time. Is it possible to set this with any flag?
RD
11/19/2021, 8:51 AM
Ted Dorosheff
11/19/2021, 1:32 PM
Julia Cox
11/19/2021, 2:06 PM
I1119 08:43:21.214730 306961920 virtual_sqlite_table.cpp:91] Cannot open specified database: SQLITE_CANTOPEN
I1119 08:43:21.214769 306961920 auto_constructed_tables.cpp:38] ATC Table: Unable to detect journal mode, applying default locking policy for path /Users/xxx/Library/Safari/History.db
I1119 08:43:21.215098 306961920 virtual_sqlite_table.cpp:91] Cannot open specified database: SQLITE_CANTOPEN
Is this potentially related to the extra security on the Library/Safari directory, or the locking if Safari is running? Just curious if anyone had encountered similar errors. I don't have my own Mac so debugging is challenging!
ravigupta230290
11/20/2021, 11:06 AM
Jason NG
11/24/2021, 1:37 AM
Leonoor S
11/24/2021, 2:21 PM
Nacho Rivera
11/24/2021, 4:05 PM
select * from registry where key='HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion' and name like '%Run%'
To check the values of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but for entries having subkey as type, data is empty and does not include the values stored in that subkey ...
ec4
11/24/2021, 5:12 PM
join returns results but left join returns 0 results?
SELECT *
FROM docker_container_processes process
JOIN docker_containers container ON container.id=process.id
vs.
SELECT *
FROM docker_container_processes process
LEFT JOIN docker_containers container ON container.id=process.id
Slackbot
12/01/2021, 10:36 AM
Mayan
12/01/2021, 4:02 PM
fritz
12/01/2021, 4:18 PM
users and user_groups tables.
For example if you wanted to find users who belonged to the administrator group on macOS you would run something like:
SELECT
u.uid,
u.username,
ug.gid,
g.groupname
FROM users u
JOIN user_groups ug USING(uid)
JOIN groups g ON ug.gid = g.gid
WHERE g.groupname = 'admin';
+-----+-----------------+-----+-----------+
| uid | username        | gid | groupname |
+-----+-----------------+-----+-----------+
| 502 | fritz           | 80  | admin     |
| 501 | kolide-imac-pro | 80  | admin     |
| 0   | root            | 80  | admin     |
+-----+-----------------+-----+-----------+
Zach Zeid
12/01/2021, 8:58 PM
Nate Bondurant
12/01/2021, 10:19 PM
slevchenko
12/02/2021, 5:08 PM
slevchenko
12/06/2021, 1:52 PM
syslog and syslog_events tables are empty.
1. I believe both events and syslog are enabled on my side, since I'm able to see syslog messages in the /var/osquery/syslog_pipe pipe.
SELECT name, value FROM osquery_flags WHERE name LIKE '%syslog%';
+---------------------------+--------------------------+
| name                      | value                    |
+---------------------------+--------------------------+
| enable_syslog             | true                     |
| logger_syslog_facility    | 19                       |
| logger_syslog_prepend_cee | false                    |
| syslog_events_expiry      | 2592000                  |
| syslog_events_max         | 100000                   |
| syslog_pipe_path          | /var/osquery/syslog_pipe |
| syslog_rate_limit         | 100                      |
+---------------------------+--------------------------+
2. rsyslogd is running and actually pushing messages to the pipe /var/osquery/syslog_pipe.
sudo cat /var/osquery/syslog_pipe
[sudo] password for test:
"2021-12-06T15:38:48.459938+02:00","test-pc","5","authpriv","sudo:"," test : TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/usr/bin/cat /var/osquery/syslog_pipe"
"2021-12-06T15:38:48.461863+02:00","test-pc","6","authpriv","sudo:"," pam_unix(sudo:session): session opened for user root by (uid=0)"
3. Both osquery (1st) and rsyslogd (2nd) were restarted in this order to ensure that osquery creates the pipe before rsyslog attempts to push logs.
slevchenko
12/07/2021, 11:52 AM
I1207 13:47:10.155495 48644 virtual_sqlite_table.cpp:111] ATC table: Could not prepare database at path: "/etc/osquery/quarantine.db"
I1207 13:47:10.155580 48644 auto_constructed_tables.cpp:38] ATC Table: Unable to detect journal mode, applying default locking policy for path /etc/osquery/quarantine.db
I1207 13:47:10.155865 48644 virtual_sqlite_table.cpp:111] ATC table: Could not prepare database at path: "/etc/osquery/quarantine.db"
W1207 13:47:10.155910 48644 auto_constructed_tables.cpp:47] ATC Table: Error Code: 26 Could not generate data: Could not prepare database for path /etc/osquery/quarantine.db
I suspect that's due to https://github.com/osquery/osquery/issues/5225, since the error message does mention a journal mode detection problem, but I'm not sure how to fix this from my side. Does anyone know how to fix/prevent such issues?
Ronny Nordstrand
12/07/2021, 12:59 PM
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "pidfile": "/var/osquery/osquery.pidfile",
    "database_path": "/var/osquery/osquery.db",
    "disable_database": "true",
    "force": "true",
    "verbose": "true",
    "schedule_default_interval": "300",
    "host_identifier": "hostname"
  },
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;"
    },
    "Packages": {
      "query": "select name, version, sha1, install_time, vendor from rpm_packages;"
    },
    "decorators": {
      "load": [
        "SELECT uuid AS host_uuid FROM system_info;",
        "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
      ]
    }
  }
}