osquery #general

Rafa

07/20/2022, 2:28 PM

thanks @Hugh (Zercurity)!

Yassine CHAOUCHE

07/20/2022, 4:45 PM

Do you guys inspect the results log file from the command line?

Yassine CHAOUCHE

07/20/2022, 4:45 PM

Is there a good viewer for that?

Brandon Mesa

07/20/2022, 7:18 PM

Hey all, what's the most appropriate way to package osquery with my own query pack? with the end goal of deploying it as a launchd service to a number of macOS endpoints across an org.

Hugh (Zercurity)

07/20/2022, 7:20 PM

@Brandon Mesa do you have any management on those hosts like chef or puppet?

Brandon Mesa

07/20/2022, 7:20 PM

Likely so, how about an MDM with .pkg deployment support?

Brandon Mesa

07/20/2022, 7:21 PM

Also, love the Zercurity blogs.

Hugh (Zercurity)

07/20/2022, 7:22 PM

It's a fair amount of effort to re-bundle and sign pkgs with every update. With chef or puppet you can just write the packs and configuration directly

Hugh (Zercurity)

07/20/2022, 7:22 PM

Thank you!

Hugh (Zercurity)

07/20/2022, 7:23 PM

More on the way soon. :)

Brandon Mesa

07/20/2022, 7:25 PM

Yea, I'm seeing that now. How about two packages? the official osquery .pkg & another .pkg that contains the query pack & launchd plist file to start up the daemon.

Steve Poe

07/21/2022, 12:23 AM

Anyone know if there is a published list of cloud services security analytics/protection offerings that has osquery integrated? Our company's been using a product, I'll called CB, and it hasn't met our needs. I Ideally, IMHO, I want my cloud security service to also support osquery packs. But, I am just one cog/opinion of what we should consider.

Kiran Kalelkar

07/21/2022, 5:59 AM

👋 Hi everyone! How can i integrate clients in security onion using fleetDM. i am trying to install fleet-osquery_0.0.13_amd64.deb in ubuntu but it is not install i am install the dependency requirement (orbit package) also but still same issue. Please help me.

Brandon Mesa

07/21/2022, 3:35 PM

howdy, anyone tackled monitoring ssh-based activity with osquery on macos? in particular i'm looking to identify sftp/scp/smb activity. es_process_creation has some process based stuff which highlights good src/dst info, curious if anyone else has taken a different approach?

J Armando G

07/22/2022, 5:49 PM

Hi, this may be complicated, but I’m looking for a mapping between what Osquery offers and the 20 CIS Controls 🤔 I might need to do the documentation myself, but is there something out there I can reference to?

Peter Panko

07/26/2022, 11:44 AM

Hi, can anyone provide an example query that tracks failed ssh attempts on linux? I couldn't find a table that stores this info. I'm about to try creating a lense for /var/log/auth.log and getting the info that way but wonder if there is an easier approach.

Ibra

07/27/2022, 9:55 AM

Hi, I've tried looking at the online guides but I can't figure out the steps to install osquery and generate the msi package, where to pass all the files in the screenshot, I saw that within the manage-osquery.ps1 file you can change the name of the service. currently on the company pc's osquery is installed under the path "C:\Program Files\osqueryd" where you see the attached files, I should install another agent that sends the data to another fleet server(that's why I want to change the system service name from osqueryd to something else, so that the 2 agents don't bother each other, what do you recommend to do? Thanks

Brandon Mesa

07/27/2022, 5:30 PM

if I want to run the daemon, should i run osqueryi --D or osqueryd directly?

Brandon Mesa

07/27/2022, 5:35 PM

also

--disable_endpointsecurity_fim

appears to be a new flag? 👀

Brandon Mesa

07/27/2022, 5:40 PM

I presume this flag relays file object management activity via EndpointSecurity instead of FSEvents... right?

Stefano Bonicatti

07/27/2022, 6:43 PM

Yes; a launchd entry should be already added when you install osquery via .pkg as far as I recall

Brandon Mesa

07/27/2022, 8:44 PM

Hey all, I'm having some issues with getting EndpointSecurity to work with launchd/plist. this is my plist file

Copy code

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<http://www.apple.com/DTDs/PropertyList-1.0.dtd>">
<plist version="1.0">
<dict>
  <key>KeepAlive</key>
  <true/>
  <key>Disabled</key>
  <false/>
  <key>Label</key>
  <string>io.osquery.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd</string>
    <string>--config_path=/private/var/osquery/osquery.conf</string>
    <string>--disable_events=false</string>
    <string>--disable_endpointsecurity=false</string>
    <string>--enable_file_events=true</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>ThrottleInterval</key>
  <integer>60</integer>
</dict>
</plist>

I run

sudo launchctl load /var/osquery/io.osquery.agent.plist

followed by

sudo launchctl start io.osquery.agent.plist

. The process starts & i get other results from fim & snapshot queries, however the EndpointSecurity events do not get generated. Additionally, If I run the daemon directly with the following, the endpointsecurity events get logged

sudo /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd --config_path=/private/var/osquery/osquery.conf --disable_events=false --disable_endpointsecurity=false --enable_file_events=true

Anyone seen this before or see any red flags with my launchd approach?

harroldhino

07/28/2022, 6:02 PM

The dates have been set and the Call for Papers (CFP) for the third annual osquery@scale have opened. The CFP will close on August 17. Learn more about the CFP here: https://www.papercall.io/osqueryatscale2022-cfp More details to come.

James Wilburn

07/29/2022, 3:29 AM

Software Inventory is disabled.....do this, If you explicitly disabled vulnerability processing, and now would like to enable this feature, first enable the software inventory feature by setting the following app config:

Copy code

---
apiVersion: v1
kind: config
spec:
  host_settings:
    enable_software_inventory: true

and

James Wilburn

07/29/2022, 3:30 AM

Copy code

---
apiVersion: v1
kind: config
spec:
  vulnerability_settings:
    databases_path: /some/path

James Wilburn

07/29/2022, 3:34 AM

Assuming we are talking about /opt/so/saltstack/default/salt/fleet/files/packs/osquery-config.conf being what is meant by "setting the following app config" , which is done, followed by so-fleet-restart, it's still not enabled. I'm using 4.14.0 Fleet thats on the current Version: 2.3.140 of Security Onion. The current guidance out there isn't working. Thanks.

Poornesh

07/29/2022, 5:07 AM

👋 Hi everyone! Its glad to use this platform for the challenges which I am facing with respect to osquery. I am working on i.MX6UL SoC (arm 32) for our embedded project . I have built the OS through Yocto build . Since we are having a requirement of osquery , I am tring to build it from the Github source . But there instructions has been given for x86 machine using osquery's sdk . So I am requesting to help me out with the procedure to build Osquery form Github source for my target board (i.MX6UL SoC). Also please share us the arm compatible toolchain if exists .

jimmy

07/30/2022, 3:10 PM

https://osquery.slack.com/archives/C08V7KTJB/p1659092698370579?thread_ts=1659009731.212239&cid=C08V7KTJB ?

Chad Bennett

07/31/2022, 12:21 AM

Hello all, we are somewhat new to OSQuery and wanted to see what software the group is using to push changes to individual machines. Specifically, software and/or settings changes for Windows and Mac devices.

fritz

07/31/2022, 12:34 AM

@Chad Bennett Are you asking about management solutions for Windows/Mac, specifically MDMs? I believe the most common choices are Microsoft Intune for Windows devices and then one of the various third-party MDM vendors for macOS; the most popular being Jamf, but plenty use SimpleMDM, Mosyle, or if going the open-source route MicroMDM.