MoodyMudit
02/21/2022, 1:03 PM
{
command: {}'.format(e))
path: /etc/cron.d/sched_prov.py
day_of_month: enforce
day_of_week: endpoints:
hour: to
minute: print('Failed
month: maintenance
}
Mystery Incorporated
03/20/2022, 11:07 AM
Mystery Incorporated
03/20/2022, 11:08 AM
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
Mystery Incorporated
03/20/2022, 11:09 AM
Mystery Incorporated
03/20/2022, 11:10 AM
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
seph
Mystery Incorporated
03/20/2022, 1:46 PM
Stefano Bonicatti
03/20/2022, 2:42 PM
VERSION_ID
to parse the SEMVER parts:
select * from os_version;
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Ubuntu | 20.04.3 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
Stefano Bonicatti
03/20/2022, 2:53 PM
os-release
file format is not one of the best, given that every distro does what it wants, kind of
Mystery Incorporated
03/21/2022, 12:24 AM
Mystery Incorporated
03/21/2022, 12:26 AM
var OS=major+.+minor+.+patch
to describe in pseudocode
Mystery Incorporated
03/21/2022, 12:28 AM
Nick Klauer
06/07/2022, 8:25 PM
zwass
docker_containers
table)? Not sure if @Artemis Tosini’s cgroup work will help with this. In current osquery, best I've come up with is select * from processes join process_namespaces using (pid) where cgroup_namespace != (select cgroup_namespace from process_namespaces where pid = 1);
(e.g. check for a different cgroup than the init process), though I think this will pick up other processes using cgroups besides just containers. I'm looking to do this in order to take advantage of the pid_with_namespace
column @Stefano Bonicatti added to some tables.
defensivedepth
08/18/2022, 1:51 AM
4.9
44mb ------> 5.0
196mb ?
Artemis Tosini
08/18/2022, 7:13 PM
Sagar Patil
08/25/2022, 4:24 AM
MChorfa
11/02/2022, 12:12 PM
mchorfa@mchorfa-linux-02:~/tmp$ sudo apt install fleet-osquery_1.3.0_amd64.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package fleet-osquery_1.3.0_amd64.deb
MChorfa
11/02/2022, 12:13 PM
mchorfa@mchorfa-linux-02:~/tmp$ sudo dpkg --install fleet-osquery_1.3.0_amd64.deb
(Reading database ... 447044 files and directories currently installed.)
Preparing to unpack fleet-osquery_1.3.0_amd64.deb ...
Failed to stop orbit.service: Unit orbit.service not loaded.
Failed to disable unit: Unit file orbit.service does not exist.
Unpacking fleet-osquery (1.3.0) over (1.3.0) ...
Setting up fleet-osquery (1.3.0) ...
Failed to restart orbit.service: Unit orbit.service not found.
dpkg: error processing package fleet-osquery (--install):
installed fleet-osquery package post-installation script subprocess returned error exit status 5
Errors were encountered while processing:
fleet-osquery
Michael
11/09/2022, 6:44 AM
Larry Gryziak
02/24/2023, 9:44 PM
oneiroi
03/29/2023, 4:04 PM
iptables
virtual table returning nothing? I've dug into the source code and have a potential theory why this issue exists, but also wanted to reach out here in case anyone has seen this "gotcha". ?
victor_bui
04/04/2023, 7:36 AM
Daniel Moore
04/13/2023, 2:26 PM
defensivedepth
04/14/2023, 12:40 AM
Slackbot
06/08/2023, 11:19 AM
Kevin Pointer
08/24/2023, 2:53 PM
Ronald Cardoso
11/07/2023, 3:23 PM
Chris Jones
11/28/2023, 5:26 PM
seph