I know people who specifically end up with sumologic parsing logs, but they seem to have also been using kinesis on the 'front of the funnel'. We shipped logs from disk in the past but now have Zentral

Hi, I'm just wondering about case sensitivity in osquery. Recently I've became aware of that string comparison might be case sensitive even if the underlying operating system is case insensitive. I was looking for a registry key with osquery and realized that there are different spellings:

RefusePassworChange

or

refusepassworchange

. I did some research on how to query with case insensitive and after some tests with lower(), I found this solution:

SELECT * FROM registry WHERE path = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePassworChange" COLLATE NOCASE;

Without "COLLATE NOCASE" this statement will not match different spellings like "refusepasswordchange". Any other thoughts on this?

Hi all, All my linux devices seem to be out of release tandem with my Win + macOS devices. Seems my Ubuntu machines have pulled v5.2.3 from the repo and I can see latest release is 5.2.2-1?

is 5.2.2-1 in fact 5.2.3?

If it's relevant I have a mixture of x86_64 Ubuntu 20.04 and some arm64 Ubuntu 20.04 as well.

Hello @Mystery Incorporated, 5.2.2-1 is 5.2.2, release 1. Normally when a distribution changes some dependencies which is used by the program, they have to rebuild it, but they keep it at the same upstream version, so they only increase the release part.

Thanks ok wasn't sure if it was rounding the -1 up to 3. So it seems that I am pulling a version from the future on the Ubuntu repo?

Although in this case we are the packagers, so it should almost never happen because we build everything statically, so we don't depend on the system

which version?

5.2.3

5.2.3 is the current latest stable

yeah I think we are behind with updating the website

pushing to the S3 repo is automatic

Ok got it, didn't think to check github releases thanks

is macOS-bare the one to use for M1?

I'm guessing it means bare as in no Rosetta?

no bare means that there's only the binary. You want osquery-5.2.3.pkg, we have a universal binary

ok thanks

can I confirm there's no osquery table for ufw on ubuntu or augeas lens that parses the .rules?

I guess I should be looking into an extension to provide that functionality and then open a feature request issue with that mocked-up as a 'spec'

#general I am trying to run osquery deamon with a non-root group. We donot want to give root permissions to the consumers of the the osquery hence creating a separate group(lets call it "osquery-users") and running the deamon with a conf file having

[Service]
User=root
Group=osquery-users

The default permission on socket file is coming as 755. But as the consumers are part of the group, we need it to be 765 atleast. When I set the permissions on the socket file, restart of the daemon seems to be resetting on a restart. Can someone explain the reason for it and avoid this?

hey all was able to get logs from osqueryd to AWS Kinesis. Just curious how people are handling this, the access_id and secret_access_key, are there ways to obfuscate these values so they aren't sititng in plain text in the osquery.conf file?

Has anyone here had any luck with creating live queries using the Fleet API? Mainly retrieving results? The documentation for this seems very outdated... https://fleetdm.com/docs/using-fleet/rest-api#run-live-query -> this just doesn’t work. And this seems to be more what I was expecting (websockets)… but the endpoint does not exist and the UI seems to use a slight variation -> https://fleetdm.com/docs/contributing/api-for-contributors#retrieve-live-query-results-standard-websocket-api

Hello! Found interesting query from security perspective https://github.com/Cisco-Talos/osquery_queries/blob/master/linux_forensics/linux_forensics_processes_with_deleted_binary.yaml, but also found some trouble with detecting Docker related process. It looks like this table can detect process details, but can not determine if process started from container so there is no source binary on direct host machine. It gives lots of false positive results. Is it possible to solve this problem some way?

Hello everyone! Did anybody previously see situation when some hosts return same results multiple times during one ad-hoc query via FleetDM? I send query to 5 hundred of hosts and wait for results, but some hosts (<10) returns their results multiple times. It does not depend on exact query, it can be default query of

osquery_info

table which should return only one row for every host. Field values are the same for these hosts. I tried to user

--verbose

option to see additional info from osquery from one of such hosts, but I think I need help with this because I still don’t understand such behavior.

Hi, I'm wondering if its possible to retrieve the hardware model of an endpoint in a user friendly way. When querying system_info the column hardware_model often contains a cryptic number / name, e.g. my Lenovo laptop is of hardware_model 20Y1CTO1WW. The user friendly name for it is "ThinkPad P14s Gen1". Windows provides this information under Syteminformation, but I can not find it in osquery. Any ideas? Thanks.

Quite often I'm getting a discovery query fail because it's using an extension we've built, complains there's no such table. In fact, it's consistently reproducible even using

osqueryi

. Right when I enter osqueryi, I get the complaint, but I can go right to selecting something from the table in question, and it returns a row. Ideas? Thanks in advance.

(thread there with more details)