osquery #general

wennan.he

10/12/2022, 9:17 PM

Hi osquery team, if /etc/osquery/osquery.conf is not offered, will osuqery read conf from config_tls_endpoint?

wennan.he

10/13/2022, 12:47 AM

Hi osquery team, once i use tls as fetching cfg, is there any way to watch the cfg from agent side like a sql?

Thomas Stromberg

10/13/2022, 12:59 AM

I just released a tool for creating & manipulating osquery packs: https://github.com/chainguard-dev/osqtool The question I should have asked before-hand is: how are other people maintaining their osquery pack files, particularly those with many complex queries? I have to assume that I reinvented the wheel not knowing one existed already.

wennan.he

10/13/2022, 5:40 PM

Hi osquery team, i enabled some flags through flag file

--disable_events=false

, --enable_file_events=true, --disable_audit=false and --enable_ntfs_event_publisher=true, then i restart osquery but when i login osqueryi and check osquery_flags, i can see the value of them not changed. plz advice.

Gaston Beltramelli

10/13/2022, 10:09 PM

👋 ¡Hi! very new user of osquery here!

wennan.he

10/13/2022, 10:10 PM

Hi Osquery team, is schedule part required for FIM config? "schedule": { "crontab": { "query": "SELECT * FROM crontab;", "interval": 300 }, "file_events": { "query": "SELECT * FROM file_events;", "removed": false, "interval": 300 } },

Gaston Beltramelli

10/13/2022, 10:12 PM

I don't know if I'm in the right place to ask a question

Gaston Beltramelli

10/13/2022, 10:12 PM

We are replacing our monitoring tool of many years by elastic and I have the need to check the updates of the monitored systems, so I thought of using osquery to perform this task, my question is, is that possible with osquery?

Gaston Beltramelli

10/13/2022, 10:13 PM

Copy code

any advice is highly appreciated

wennan.he

10/14/2022, 1:39 AM

Hi osquery team, i setup a FIM through fleet UI like overrides: platforms: all: file_paths: etc: - /etc/osquery/% exclude_paths: tmp: - /tmp/too_many_events/ homes: - /home/not_to_monitor/.ssh/%% and i can see that cfg has been pushed to agent side but it doesn't work as expected when i creating new file under the cfg folder, there is no event generated in file_events table. And i found some err in the system log of osquery Oct 14 013259 n121-038-121 osqueryd[563006]: {"data":[{"hostIdentifier":"XXX","calendarTime":"Fri Oct 14 013247 2022 UTC","unixTime":"1665711167","severity":"0","filename":"auditdnetlink.cpp","line":"745","message":"*Malformed audit record received*","version":"5.4.0-dirty","decorations":{"host_uuid":"XXX","hostname":"XXX"}},{"hostIdentifier":"XXX","calendarTime":"Fri Oct 14 013247 2022 UTC","unixTime":"1665711167"I1014 013259.163120 563128 config.cpp:1238] Refreshing configuration state Does it mean the audit did not begins as expected? And how to fix it?

Karthick

10/14/2022, 3:20 PM

Hello, am trying to enable Process_file_events table. Updated below config in osquery.flag in host and query returns 0 values --disable_events=false --disable_audit=false --enable_file_events=true --audit_allow_config=true --audit_allow_fim_events=true --audit_allow_process_events=true --audit_persist=true --enable_bpf_events=true Updated the same config in fleetdm Global config still same result.

wennan.he

10/14/2022, 9:44 PM

could some one help on https://osquery.slack.com/archives/C08V7KTJB/p1665711543042949

Slackbot

10/14/2022, 10:08 PM

This message was deleted.

Subash Rajaa

10/17/2022, 1:21 PM

Hi Folks, there is an issue we are seeing in osqueryi on windows. At times when communicating with an extension process it hangs, though the query has completed fine and returned results, and goes through ungraceful termination (78). When this happens the output of the query is truncated since the console buffer is not flushed in ungraceful exit. What we would need is for oqueryi.exe to fflush(stdout) even on an ungraceful exit

Subash Rajaa

10/17/2022, 1:21 PM

this fixes the issue. Could we get this fix in mainline.

Subash Rajaa

10/17/2022, 1:22 PM

void run() { size_t waited = 0; while (true) { if (interrupted()) { return; } std:this thread:sleep_for(std:chrono:milliseconds(200)); waited += 200; if (waited > FLAGS_alarm_timeout * 1000) { fflush(stdout); //==> FIX Initializer::shutdownNow(EXIT_CATASTROPHIC); } } }

Mario Bardowell

10/17/2022, 5:41 PM

hi everyone, i'm struggling with flag files. How do I script a solution to this problem? - The CLI only flag --config_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup

Mario Bardowell

10/17/2022, 5:43 PM

here is my script that doesn't start the service... and if I add osqueryctl start I get these messages

Mario Bardowell

10/17/2022, 5:43 PM

Copy code

#!/bin/bash

#Download OSQuery and Install with Custom Configuration

echo "Making directory to run installer."
cd /var/tmp
mkdir OSQuery
cd OSQuery

OSqueryInstaller="<https://pkg.osquery.io/darwin/osquery-5.5.1.pkg>"

curl -L -O ${OSqueryInstaller}
echo "Downloading package."
sleep 6

echo "Installing package."
packageName="osquery-5.5.1.pkg"
/usr/sbin/installer -pkg /var/tmp/OSQuery/${packageName} -target /

touch /var/osquery/osquery.conf

echo '{
"options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "utc": "true"
},

"schedule": {
    "system_info": {
        "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
        "interval": 3600
    },
    "high_load_average": {
        "query": "SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period = '15m' AND average > '0.7';",
        "interval": 900,
        "description": "Report if load charge is over 70 percent."
    },
    "low_free_memory": {
        "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;",
        "interval": 1800,
        "description": "Free RAM is under 10%."
    },
    "detect all unencrypted SSH keys on disk": {
      // The exact query to run.
      "query": "SELECT path FROM user_ssh_keys WHERE encrypted = 0;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
    },
    "Fireall Status": {
      // The exact query to run.
      "query": "SELECT * from alf;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
    },

    
    "osinfo": {
      // The exact query to run.
      "query": "SELECT * from os_version;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 86400
    },
     "logged_in_users": {
      // The exact query to run.
      "query": "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
     },

     "OS Disk Encryption": {

      // The exact query to run.
      "query": "select * from disk_encryption where name = '/dev/disk3s1s1';",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600

     },
     "Etc_host": {

      // The exact query to run.
      "query": "select * from etc_hosts;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
     
     },

     "Startup Items": {

      // The exact query to run.
      "query": "select * from startup_items;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 86400
     
     }

    
},

"packs": {
     "osquery-monitoring": "/private/var/osquery/packs/osquery-monitoring.conf",
     "incident-response": "/private/var/osquery/packs/incident-response.conf",
     "it-compliance": "/private/var/osquery/packs/it-compliance.conf",
     "osx-attacks": "/private/var/osquery/packs/osx-attacks.conf",
     "vuln-management": "/private/var/osquery/packs/vuln-management.conf",
     "hardware-monitoring": "/private/var/osquery/packs/hardware-monitoring.conf",
     "ossec-rootkit": "/private/var/osquery/packs/ossec-rootkit.conf"
    // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
    // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
}
}' > /var/osquery/osquery.conf


echo "Launch Daemons"
sleep 6

cp /var/osquery/io.osquery.agent.plist /Library/LaunchDaemons
sleep 6


echo "Starting agent."
sleep 6

launchctl load /Library/LaunchDaemons/io.osquery.agent.plist


echo "Cleaning folders and exiting."
cd /var/tmp
rm -r OSQuery

exit 0

slevchenko

10/19/2022, 11:58 AM

Hi everyone. Can someone advise me what can be wrong with this queue is not detecting nc(netcat) connections to external IP addresses? My goal is to get IP and SHA256 of a

/proc/${PID/exe}

belongs to corresponding process

Copy code

SELECT DISTINCT processes.path, (SELECT sha256 FROM hash WHERE path = concat('/proc/', socket.pid, '/exe')) AS sha256, socket.remote_address, socket.remote_port FROM bpf_socket_events socket LEFT JOIN bpf_process_events processes ON socket.pid = processes.pid WHERE socket.remote_port NOT IN (0, 443, 993, 4172, 4195) AND socket.remote_address NOT LIKE '127.0.%.%';

slevchenko

10/19/2022, 12:28 PM

The weird thing about this query that it works sometimes, like in 20% of cases. One of 5 times it actually retrieves expected result, so if I'm establishing test connection, using netcat, sometimes I see this connection in a resulting table retrieved in response to this query

slevchenko

10/19/2022, 12:39 PM

Copy code

+------+------------------------------------------------------------------+----------------------+-------------+
| path | sha256                                                           | remote_address       | remote_port |
+------+------------------------------------------------------------------+----------------------+-------------+
|      | 9e1797de8e2e0c3e8b477727f764f08954eae5dfc97def295b2d100[REDACTED]| <http://XXX.XXX.XXX.XXX|XXX.XXX.XXX.XXX>      | 8983        |
+------+------------------------------------------------------------------+----------------------+-------------+

defensivedepth

10/19/2022, 1:42 PM

hey @fritz thanks again for this great writeup - used it last night, saved me alot of time: https://www.kolide.com/blog/how-to-deal-with-dates-and-times-in-osquery

Ahmed

10/20/2022, 9:07 AM

Hi Everyone, just in case you are interested in doing IR with osquery. Check this out and let me know if you had any idea or feedback about it. https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery

Thomas Stromberg

10/20/2022, 1:49 PM

I'm proud to announce that we've open-sourced our detection & response rules for osquery: https://github.com/chainguard-dev/osquery-defense-kit - It contains 130+ production-ready queries we found useful for detecting malware & other anomalous behavior on our endpoints, designed with alerting in mind. PR's welcome 🙂

Raghavendra Hiremath

10/20/2022, 1:57 PM

Hello Everyone,

Raghavendra Hiremath

10/20/2022, 1:59 PM

I would need assistance, I have deployed osquery agent and able to schedule custom queries, and log results are working as expected.

Raghavendra Hiremath

10/20/2022, 1:59 PM

If I deploy osquery agent on multiple servers, how do I use API?

Raghavendra Hiremath

10/20/2022, 2:00 PM

Any remote API I could use to find the result or do I need to use logstash/syslog-ng to process the logs from individual servers and send it out?

Nuno Guerreiro

10/21/2022, 7:53 AM

Hi guys, wondering if we can activate any kind of authentication on osquery services to avoid unauthorized users to execute queries (remote or locally in the server where we have osquery installed). Thanks,