kolide
  • user
    05/13/2022, 3:43 PM
    Business Password Management for Storing and Sharing Credentials
    See how to implement business password management best practices for storing and sharing passwords securely to strengthen your organization's security.
  • user
    05/31/2022, 4:03 PM
    Our Startup's SOC 2 Compliance Journey
    These days, SOC 2 certification is seen as table stakes for SaaS startups. But it's only worth doing if the ROI will make up for the time and money you spend.
  • defensivedepth
    06/02/2022, 7:55 PM
    I have a number of Launcher clients that are stuck running osquery 4.5.1, because the (updated) downloaded osqueryd is failing with a segmentation fault:
    {
      "binary": "/usr/local/launcher/bin/osqueryd-updates/1652735666/osqueryd",
      "binaryName": "osqueryd",
      "caller": "findnew.go:207",
      "fullBinaryPath": "/usr/local/launcher/bin/osqueryd",
      "level": "error",
      "msg": "not executable. Skipping",
      "reason": "signal: segmentation fault",
      "ts": "2022-06-02T14:04:21.625141787Z",
      "updateDir": "/usr/local/launcher/bin/osqueryd-updates"
    }
    I have removed the files in /usr/local/launcher/bin/osqueryd-updates/ and restarted launcher. I see that the autoupdate process is kicked off:
    {
      "binaryName": "osqueryd",
      "caller": "autoupdate.go:165",
      "level": "debug",
      "msg": "Created Updater",
      "stagingPath": "/var/launcher/securityonion/osqueryd-staging",
      "ts": "2022-06-02T19:44:59.357491281Z",
      "updater": "osqueryd",
      "updatesDirectory": "/usr/local/launcher/bin/osqueryd-updates"
    }
    But nothing appears to change. Any thoughts on how to troubleshoot this further?
  • defensivedepth
    06/02/2022, 7:56 PM
    autoupdate channel is set to stable & set to check hourly
  • user
    06/10/2022, 7:13 PM
    Why There's No Such Thing As MDM for Linux, and What to Do About It
    MDMs are fundamentally incompatible with the technology and culture of Linux, but you still have options for endpoint security.
  • user
    06/17/2022, 7:43 PM
    How Much Does a SOC 2 Audit Cost?
    A SOC 2 compliance consultant breaks down all the factors that influence audit costs, and what businesses can do to decrease them.
  • user
    06/24/2022, 8:13 PM
    Introducing the Check Catalog
    Two questions we get a lot are:
  • user
    06/28/2022, 2:33 PM
    New Device Inventory: NPM Packages
    Kolide now enables you to collect and query the installed NPM packages across Mac, Windows, and Linux devices.
  • user
    07/06/2022, 7:03 PM
    New Device Inventory: TPM Chips
    Kolide now enables you to collect and query information about the TPM chip embedded in your PCs.
  • user
    07/07/2022, 2:43 PM
    Summer Tapas: Inventory, Privacy Center, and API Improvements
    Kolide now allows end users to reset their device ownership to company-owned and dramatically improved the documentation in Inventory.
  • user
    07/15/2022, 5:43 PM
    The Evolution of macOS Gatekeeper
    Gatekeeper is at the center of the Mac's anti-malware efforts, and Apple's mission to balance UI and security.
  • user
    07/22/2022, 2:43 PM
    The Business Guide to ISO 27001 Compliance and Certification
    ISO 27001 compliance isn't a "check the box" exercise. While documentation is important, auditors will test to see if your ISMS actually works as promised.
  • maxwhite
    07/22/2022, 5:31 PM
    Hello! 👋 We are trying to get some Windows event logs from a Windows machine; how would we go about enabling that? We tried windows_events and windows_eventlog, but it does not seem to work "out of the box".
  • terracatta
    07/22/2022, 6:08 PM
    Hey @maxwhite and @Mathieu Marcotte! Happy to help. Seems like we are talking about two tables: windows_eventlog and windows_events. Let’s start with windows_eventlog. We have disabled querying windows_eventlog in Kolide because there seems to be a bug in osquery that on many devices causes it to freeze and not recover until the system is rebooted. See issue https://github.com/kolide/launcher/issues/670. It’s possible this is no longer an issue and we can unblock this table; we will look into it! For the other table, windows_events: querying tables ending in _events in Live Query can lead to unexpected results. Sometimes by querying events this way you actually clear them out from the local agent. You can read more about the evented architecture in osquery here: https://osquery.readthedocs.io/en/stable/development/pubsub-framework/ Generally for evented tables, you want to use the Log Pipeline so that when the events table is queried, the results are captured and sent to a log destination. We wrote a post about this topic, but for Windows file events: https://www.kolide.com/blog/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide. The steps should be similar!
  • maxwhite
    07/22/2022, 6:13 PM
    In fact our main "project" was to query for the minimum required password length for a local (non-AD) account. The only way we found was to enable an audit that would be sent to the Event Viewer. Would you have another way? Thank you!
  • Esteban
    08/02/2022, 4:48 PM
    Hello, I'm having an issue with Kolide launcher:
    {"caller":"launcher.go:133","err":"launching osquery instance: starting instance: could not calculate osquery file paths: extension path does not exist: C:\\Program Files\\Kolide\\Launcher-launcher\\bin\\osquery-extension.exe: CreateFile C:\\Program Files\\Kolide\\Launcher-launcher\\bin\\osquery-extension.exe: El sistema no puede encontrar el archivo especificado.","level":"info","msg":"interrupted","ts":"2022-08-02T16:42:40.1333351Z"}
    Here's my build command:
    .\build\package-builder.exe make --hostname osquery.dpsit.gba.gob.ar:443 --enroll_secret ******** --targets windows-service-msi --insecure --output_dir .
  • oneiroi
    09/02/2022, 2:38 PM
    Hi guys 👋 , QQ. Given this: https://www.kolide.com/blog/new-inventory-windows-defender-and-xprotect-reports and given this issue is presently unsolved https://github.com/osquery/osquery/issues/6588 , I presume Kolide have opted to use file_events to intercept when the report file is generated (within ~Library/Logs/DiagnosticReports), then an augeas lens to parse the JSON values to catch these reports? I've currently been solution engineering something similar; I appreciate it may not be something you wish to comment on, however 😅
  • Ryan
    09/21/2022, 1:39 PM
    Totally agree, some of the markups we see here are indefensible.
  • Thomas Stromberg
    10/17/2022, 3:02 PM
    Hey folks! What's the best way to run a query from the command line against Kolide's osqueryd? For instance, I'd like to be able to interactively use osqueryi with the Kolide configuration (eventing tables, table restrictions, augeas configs, etc.) for testing & taking timing measurements.
  • Thomas Stromberg
    10/20/2022, 4:06 PM
    Any tips for debugging why events tables are not being populated on certain Linux machines? For example, the socket_events and process_events tables are populated on half of our Linux machines running Kolide, but not the other. It sort of follows Linux distribution boundaries:
      • Ubuntu: Yes!
      • Fedora: No
      • Arch: Mixed
      • NixOS: Mixed. One machine has data in process_events, the other doesn't. Both seem to only record systemd-timesyncd bind calls in socket_events.
    One of the ones where none of the tables are populated is my personal machine, so I'm happy to investigate. Is it possible that the auditd rules installed by osquery could conflict with previously written configurations? I did check the output of sudo journalctl -t launcher but it didn't seem to give any indications.
  • terracatta
    10/27/2022, 3:28 PM
    FYI, a great video demo of this feature can be found on Loom: https://www.loom.com/share/4056bd51b4d147d7869b9268b42490be
  • Thomas Stromberg
    11/04/2022, 12:41 PM
    Before I open up a bug w/ osquery upstream, is there anything in Kolide's privacy-aware configuration that might prevent process_events.env_size from being populated? I have a query to find short-lived setuid overflow attempts but the field is always NULL. I suspect it's a bug relating to env whitelisting, but wanted to save the osquery maintainers some hassle if it was a known Kolide-specific issue.