Hi - Need help! Can anyone guide me on how I can retrieve anti virus info on the mac (darwin os). For windows, I was able to fetch the info from the windows_security_products. Not seeing the same for mac. Thanks in advance!

Does anyone know a osquery table that can show packages running on a remote endpoint? Trying to find a way to confirm Log4jl on remote systems that I don't have access except with osquery

@Grigory Emelianov Like so many other concepts (eg. Firewall, Disk Encryption), there is no one-size-fits-all way to track the concept of 'screenlock' across all of Linux. There are many different packages and utilities a distribution or variant of Linux might use to configure and manage when a device will require authorization after a period of inactivity. For example on Linux devices using Gnome, this setting may be configured via

gsettings

, but there is nothing to guarantee that this same device would not use something like

swaylock

instead. In order to reliably ascertain the configuration of screenlock in a reasonably diverse Linux ecosystem, an organization would need to decide on a set of acceptable pathways to configuring a screenlock policy on Linux devices, and then you would check for those specific items.

Windows With regards to Windows, in order to check screenlock configurations you will need to determine whether a password is required when the device is woken from sleep, and then determine what the configured power settings are for the power plans that are currently active. You will also want to check whether the initiation of the screensaver results in a password prompt when resuming activity. macOS This is actually similar in concept to macOS where while there is a screenlock table, the story is actually significantly more complex than that table's boolean output. You need to reconcile its output against power settings, against managed policy settings, etc. For example: Let's say a user had the screenlock configured as demonstrated in the screenshot below. It shows that: • A password will be required when waking the computer after sleep or screensaver has started. • A grace period of 5 minutes (300s) will be permitted wherein a password will not be required after sleep/screensaver If power settings were configured such that the device never went to sleep and never initiated the screensaver, it really does not matter what the grace period, or require password values report back as, because they will never get an opportunity to be used.

Hi foks 👋 We recently tried to enable

eBPF

on our osquery installation and we hit some weird extreme performance impact reaches 100% cpu usage. Has anyone experienced this behavior? What was the workaround?

I am having trouble connecting hosts via plain osquery in fleet dm, any suggestion.

osqueryd is erroring out throwing following error for few of the queries I am trying to run: ErrorLogTag":"read unix @-\u003e/var/osquery/sock/osquery.em: i/o timeout","level":"error" Is there anything that I need to change in config file? What can I do to resolve this error? worker_threads has been set to 4 currently. "worker_threads": "4"

When I run a "osqueryi --json" query that includes multiple SELECTs, it returns a single array merging the output of all the commands with no way to tell them apart. Paste: http://paste.debian.net/plain/1224268 (I would have more commands in reality). I realize this isn't the established approach, but in my specific case my life would be a lot easier if I could run a single osqueryi command (via SSH) every minute, and receive a single valid JSON object in response, that is structured in a parsable way.

Hi ! I have a strange problem in fleet, could you help me with this question? The problem is that the kolide is filling the following path:   /var/lib/mysql/kolide/ As a result, the disk ends up full causing the mysqld service to stop working When checking, I notice that there are files like this one: 15G   /var/lib/mysql/kolide/FTS_00000000000002ac_DELETED.ibd  12G  /var/lib/mysql/kolide/FTS_000000000000002ac_00000000000003ce_INDEX_1.ibd What could be happening? Can I delete these large files without affecting the fleet DB?

Hi! I’m having some weird behaviour on (windows) event based queries and I need some help troubleshooting. I have a Fleet manager with one windows host. The thing is that if I enable a pack with 2 generic (SELECT * …) event based queries (windows_events schema) sometimes, osquery begins to increase memory usage without stop. I’ve tested it in osquery 4.9.0 and pre-release 5.1.0. In osquery 4.9.0, it consumes memory without limit, but in 5.1.0 graphic shows a similar behaviour (stacking memory) with the difference that the watchdog does its work and stop the worker when reach the configured memory limit. I want help to check if this memory increase is caused by any kind of leak or if I’m missing something and can be solved just optimizing osquery configuration/queries (and how). (Graphic shows Private Bytes in KBs/time)

Hi, What's difference

RelWithDebInfo

and

Debug

?

Packages are in github if you're around and want them

Hi, I have a few small json files (not log files) getting created by the container which, as of now, sits in the same folder as log file(which is log rotated). The requirement is to not retain json files older than 2 days. Log rotation doesn't provide rotation base on time. Is there any other way possible to fulfil this?

Hi everyone, is there any way to read query results from osquery socket directly? Right now I'm using Kafka, but checking if there's a way to use a socket in a same way.

Hi, I'm trying to scan my hard disk, using on-demand Yara scanning in python. But when I start the scan from the root, the program consumes a lot of memory and fails in about half a minute when the osqueryd service's memory usage gets to 500Mb-700Mb. The exact error is: "osqueryd worker (1565658) stopping: Memory limits exceeded: 1493492000" And a log is written: On the other hand, when I scan iteratively every directory under the root (var, home etc:...) the osqueryd service memory usage increase slowly and constantly as the program run and ends up on  ~1.3G at the end of the scanning (There is no failure). Do you know how to solve this behavior ?

Hey, The osquery.results.log file and other osquery related log files in /var/log/osquery takes up considerable disk space. Is there a way to reduce that in some way? Maybe limit the amount of time we keep those stored on the server or something?

I’m new to osquery and would like some help. I have two computers that appear to be attempting to send beacons as ICMP queries. They are blocked by the router firewall. The process is attemptin to send the packets to addresses in the same network on a rotating basis. I have the destination ip addresses but finding the originating process escapes me. Can someone show me how to do this. The interval between beacons are sent at approx 1 minute interval. I would have to use the daemon to monitor. Thanks in advance.

I'm not sure what happened with our installs but the chrome_extension table no longer exists. Using version osquery 5.0.1. I ran a reinstall and can't find anythings that would be disabling it. Chrome is installed and chrome_extension_content_scripts is showing content

osquery> select * from chrome_extension;

Error: no such table: chrome_extension

I have several questions about osquery. 1. I found the schema of time will query the time zone=UTC, not the actual system time in Windows environment. Is there any method to query actual time in Windows environment? 2. If I set the logger_plugin=tls and some schedule query in osquery.flags. Where is the result of query being stored in local before the result is upload tls server? And is there any probability that result of query being delete before uploading to tls server? 3. And how does osquery decide when to reset the rocksdb? Any flags can control? 4. And I have open one issue in osquery-go on github. https://github.com/osquery/osquery-go/issues/93 Please help me to clarify these questions. Thanks a lot.

@seph @fritz JFYI, I was wrong about line breaks is sql statements, real issue was

path

field, this field is kinda reserved or something, so ATC table can't contain such field in any form not

path

nor

Path

or

PATH

. If custom ATC table contains

path

osqueryd returns:

E0108 18:52:27.938575 33708 virtual_table.cpp:584] Error creating virtual table: trusted_binaries (1): SQLITE_ERROR

Hello all! I want to consult regarding this issue: https://github.com/osquery/osquery/issues/7298 This is an issue that depends on the environment (whether or not SELinux or other security products are present and blocking) I was thinking of resolving it without changing compatibility by applying a patch in librpm to dynamically check for getauxval in case we compile without that option (which we do for compatibility) Is that an acceptable solution to keep the product working without the need to apply special exceptions for it? Added code will look roughly like this: rpmrc.c964 #ifdef HAVE_GETAUXVAL rpmat.platform = (char *) getauxval(AT_PLATFORM); if (!rpmat.platform) rpmat.platform = ""; rpmat.hwcap = getauxval(AT_HWCAP); #else // Try dynamically if (!g_getauxval_initialized) { g_getauxval_func = (getauxval_t)dlsym(NULL, "getauxval"); } if (g_getauxval_func) { rpmat.platform = (char *) getauxval_func(AT_PLATFORM); if (!rpmat.platform) rpmat.platform = ""; rpmat.hwcap = getauxval_func(AT_HWCAP); } else { // Continue original rpmlib code }

Hi everyone, I want to ask one question. I have to develop the osquery extension with osquey-go. How could I let the "where condition" of SQL to be the input argument of extension.exe with golang SDK Could anyone provide the sample to me to reference? Thanks a lot.

@Tor Houghton I did not answer the second part of the question. The -1 value is there when the event is missing that information. To construct those rows we have to do some state tracking because not all data is available at each event. An event here is a syscall call among connect, bind, listen and accept; this is what BPF is tracing. Would be useful to see the

syscall

column too. So sometimes it's because we haven't seen the needed syscalls to have all the data, otherwise it could also be an issue that has been improved in osquery 5.1.0 if you're not already using that. Finally it could just be a bug, but one would need to see the code in action.

i am new in osquery. I want to install a osquery manager. Which one I should install(with full install guide). Could any one help me.

how to change email and password in fleet

Hi everyone, I am trying to create an extension using cpp which communicates with the osquery via thrift api(for live querying). Any suggestions where should I start from, and is there any simple way to install the osquery library for it on windows, like vcpkg?

any osquery based open source cybersecurity projects?

Good Afternoon everyone, I have a question. Downloading osquery on Windows 10 with Chocolatey it downloads version 5.2.0 but on the osquery website the last version is just 5.1.0. Is it ok or I downloaded something wrong? Thanks a lot.

How to encrypt or hide MySQL password in fleet config.