Hi osquery team, how to disable a particular table in osquery?

Hi osquery team, i am now trying to build osquery as deb package and i see there is postinst file under tools/deployment/linux_packaging/, i want to know what does it do? do i need to as a step in my building?

Hi osquery team, i c the osqueryd contains the restriction of cpu, i would like to know how to setup quota of memory?

Is there a way to create a filter for machines that do not have a specific file present?

osquery team, what are these files doing after installation? and i need to move them out of /opt folder, how to make them working with new install path?

/opt/osquery/share/osquery/lenses/{*}.aug
/opt/osquery/share/osquery/packs/{*}.conf
/opt/osquery/share/osquery/osquery.example.conf

and for /opt/osquery/bin/osqueryd, it looks like i just need to change /usr/lib/systemd/system/osqueryd.service and link it to new directory, right? what about /opt/osquery/bin/osqueryctl? if i move it to like usr/local/bin, is there any file i need to change?

Does anyone knows how osquery behaves on logger plugin crash ? Will it retry sending log string if crash happened before data was sent ?

hi all .. embarrassed to start with maybe the most noob question ever, but how do you trust that the osquery instance running on some machine is the real thing, and not an impostor sending back bogus or tampered telemetry?

xposting to #general chat from #core hey team, I was wondering if I can get some help tweaking or investigating this further: on certain hosts with osquery, I frequently see

Copy code

Linesize exceeds TLS logger maximum:

warnings at 5MB, 10MB, and 13MB values I believe this indicates that a query result from osquery is larger than the

logger_tls_max_linesize

value and is being dropped/not sent to the TLS endpoint. At the moment, that value is set to the default 1MB currently, I configured osqueryd to run with the following

--config_tls_max_attempts=6
--database_path=/state/osquery.db
--decorations_top_level=true
--disable_events=true
--disable_extensions=false
--disable_watchdog=false
--docker_socket=/run/docker.sock
--enroll_secret_path=/etc/osquery/enroll_secret.txt
--enroll_tls_endpoint=<endpoint>
--host_identifier=hostname
--logger_plugin=tls
--logger_tls_endpoint=<endpoint>
--logger_tls_max_linesize=1048576
--logger_tls_period=60
--read_max=209715200
--table_delay=200
--tls_hostname=<endpoint>
--tls_session_reuse=true
--tls_session_timeout=3600
--utc=true
--watchdog_memory_limit=900

I was curious if anyone would know if there are settings I can tweak to avoid dropping these results, or if there was a way I can investigate which query pack was causing such a large result?

anyone could could help? https://osquery.slack.com/archives/C08V7KTJB/p1668809882785799

Hi osquery team,

cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \
-DCPACK_GENERATOR=DEB \
-DOSQUERY_PACKAGE_VERSION=$(OSQUERY_VERSION) \
-DOSQUERY_DATA_PATH=$(shell pwd)/build/package_data \
-DCMAKE_INSTALL_PREFIX=/usr/local \
../osquery-packaging

i want to know if i don't use osquery-packaging, is there anyway to set these vars?

Hello, I'm trying to figure out how to get a username string from a _*process_events*_ without querying the users table at every execution. We're hitting performance issues with a user table holding a large number of entires.. sadly _*logged_in_users*_ does not appear to contain any id data. Anyone have any performance tips here ?

Hello all!, has anyone repackaged osquery with their own query pack to curate for deployment? curious if it's as simple as creating a new package with the contents and signing it, or if there are additional caveats

@Brandon Mesa pretty much. The only major issue is apple signing and notarization and if you want to sign windows packages correctly there's a whole process you need to go through. However, re-packaging and deploying on a corporate network is pretty straight forward.

https://zercurity.medium.com/building-packages-on-aws-lambda-c820ffea24a this is a post I wrote on how we package on Osuqery

👋

Hi osquery team, any update for https://osquery.slack.com/archives/C08V7KTJB/p1668809882785799, and i would like to know if we want to setup mem restriction with min/max threshold, what is the expected val?

Hi osquery team, does the explanation shown below mean osqueryd is only allocated with 200 mb if don't set --watchdog_memory_limit?

Hello, i'm setup a fleet-server with docker compose. I be stucked at error

fleet-sv    | {"component":"redis","level":"info","mode":"standalone","ts":"2022-11-24T06:25:47.483252226Z"}
fleet-sv    | Failed to start: initializing osquery logging: create filesystem status logger: perm check: open /logs/osqueryd.status.log: permission denied

can i do next, please?

my docker-compose

volumes:
      - ./osquery:/fleet/
      - ./logs:/logs/
      - ./vulndb:/vulndb/

I get error when build in MacOS, can anybody know how to fix this? [ 52%] Building CXX object plugins/config/parsers/CMakeFiles/plugins_config_parsers.dir/feature_vectors.cpp.o /Users/shijunyan/Documents/code/osquery/osquery/events/darwin/endpointsecurity.cpp10235: error: no member named 'global_seq_num' in 'es_message_t' ec->global_seq_num = message->global_seq_num; ~~~~~~~ ^ 1 error generated. make[2]: * [osquery/events/CMakeFiles/osquery_events.dir/darwin/endpointsecurity.cpp.o] Error 1 make[2]: * Waiting for unfinished jobs.... [ 52%] Building CXX object osquery/tables/utility/CMakeFiles/osquery_tables_utility_utilitytable.dir/file.cpp.o [ 52%] Building CXX object libs/src/aws-sdk-cpp/CMakeFiles/thirdparty_aws-cpp-sdk-ec2.dir/src/aws-sdk-cpp/aws-cpp-sdk-ec2/source/model/CreateInstanceExportTaskResponse.cpp.o [ 52%] Building CXX object plugins/config/parsers/CMakeFiles/plugins_config_parsers.dir/file_paths.cpp.o [ 52%] Building CXX object osquery/carver/CMakeFiles/osquery_carver.dir/carver.cpp.o [ 52%] Building CXX object libs/src/aws-sdk-cpp/CMakeFiles/thirdparty_aws-cpp-sdk-ec2.dir/src/aws-sdk-cpp/aws-cpp-sdk-ec2/source/model/CreateInternetGatewayRequest.cpp.o /Users/shijunyan/Documents/code/osquery/osquery/events/darwin/endpointsecurity_fim.cpp16035: error: no member named 'global_seq_num' in 'es_message_t' ec->global_seq_num = message->global_seq_num; ~~~~~~~ ^ 1 error generated. make[2]: * [osquery/events/CMakeFiles/osquery_events.dir/darwin/endpointsecurity_fim.cpp.o] Error 1 make[1]: * [osquery/events/CMakeFiles/osquery_events.dir/all] Error 2 make[1]: * Waiting for unfinished jobs....

Hi osquery team, does osquery generate any processes in any case?

Thanks for the awesome software. For install osquery I ended up creating a new systemd unit with the switches mentioned in the documentaion. I was curious if that was required or if running the command first does the normal systemd unit take those options. Also if that a no and I need to keep my custom systemd unit to I need to keep the

enroll_secret_path

switch or does it only require the key to be sent the first time

Nevermind on my question. I learned about orbit. Makes it much easier.

Team, I want to open a PR for the issue https://github.com/osquery/osquery/issues/7802, need push access for user "srajaa"

C:\Source\osquery>git push --set-upstream origin1 fflush-consolebuufer-ungraceful-exit remote: Permission to osquery/osquery.git denied to srajaa. fatal: unable to access 'https://github.com/osquery/osquery.git/': The requested URL returned error: 403

Hello @Subash Rajaa, you should be forking the osquery repository, commit your work in a separate branch (not master) on your own repository, and then you can open a PR in the upstream repository, which points to your branch.

Is anyone aware/looking into auditing what appears to be a new filesystem manifestation of firefox addons that put bundles on the Mac like

/Users/USER/Library/Application Support/Firefox/Profiles/k5wvl3gs.default-release/storage/default/https+++totp.app

?

I'm seeing literally hundreds of these paths, sometimes dozens per user with the same e.g.

<http://csb.app|csb.app>

end to the path with a hash-looking random 6 character prefix on the basename, e.g.:

Hi osquery team, does osquery generate any processes in any case?