https://github.com/osquery/osquery logo
Powered by
#linux
  • m

    MoodyMudit

    02/21/2022, 1:03 PM
    Hi, I am fetching some data using osquery’s crontab table. There are some ambiguous entries which are getting listed. Can someone please help me understand why this is happening. Here is the data fetched.
    Copy code
    {  
   command: {}'.format(e))
   path: /etc/cron.d/sched_prov.py
   day_of_month: enforce
   day_of_week: endpoints:
   hour: to
   minute: print('Failed
   month: maintenance
 }
    z
    s
    • 3
    • 3
  • m

    Mystery Incorporated

    03/20/2022, 11:07 AM
    I notice that even tho I am running Ubuntu 20.4.4 it always reports as 20.4.0
  • m

    Mystery Incorporated

    03/20/2022, 11:08 AM
    Copy code
    Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal
  • m

    Mystery Incorporated

    03/20/2022, 11:09 AM
    Unsure actually if that's an OSQuery thing or a fleet thing
  • m

    Mystery Incorporated

    03/20/2022, 11:10 AM
    Copy code
    NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="<https://www.ubuntu.com/>"
SUPPORT_URL="<https://help.ubuntu.com/>"
BUG_REPORT_URL="<https://bugs.launchpad.net/ubuntu/>"
PRIVACY_POLICY_URL="<https://www.ubuntu.com/legal/terms-and-policies/privacy-policy>"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
  • s

    seph

    03/20/2022, 11:43 AM
    What query is fleet using?
  • m

    Mystery Incorporated

    03/20/2022, 1:46 PM
    I'm not sure because it's just whatever fleet does to detect the os out of the box
  • s

    Stefano Bonicatti

    03/20/2022, 2:42 PM
    Likely caused by osquery, which uses the 
    VERSION_ID
    to parse the SEMVER parts:
    Copy code
    select * from os_version;
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Ubuntu | 20.04.3 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
  • s

    Stefano Bonicatti

    03/20/2022, 2:53 PM
    I say "caused", but to be fair also the 
    os-release
    file format is not one of the best, given that every distro does what it wants, kind of
  • m

    Mystery Incorporated

    03/21/2022, 12:24 AM
    Hmm even then fleet seems to be trimming the 04 to 4 and putting a superfluous .0 on the end
  • m

    Mystery Incorporated

    03/21/2022, 12:26 AM
    or they are just grabbing and concatenating major + minor + patch actually now I look at that again, so I'm guessing they are doing 
    var OS=major+.+minor+.+patch
    to describe in pseudocode
  • m

    Mystery Incorporated

    03/21/2022, 12:28 AM
    Perhaps some platform specific logic may be needed for Ubuntu to grab version and then substr anything to the left of LTS
  • n

    Nick Klauer

    06/07/2022, 8:25 PM
    I didn’t realize there was a separate channel just for Linux, so I’m cross-posting my question here
  • z

    zwass

    08/17/2022, 10:20 PM
    Is there a good way to tell whether a process is part of a container (independent of the runtime, I know docker containers could be found with 
    docker_containers
    table)? Not sure if @Artemis Tosini’s cgroup work will help with this. In current osquery, best I've come up with is 
    select * from processes join process_namespaces using (pid) where cgroup_namespace != (select cgroup_namespace from process_namespaces where pid = 1);
    (eg. check for a different cgroup than the init process), though I think this will pick up other processes using cgroups besides just containers. I'm looking to do this in order to take advantage of the 
    pid_with_namespace
    column @Stefano Bonicatti added to some tables.
    a
    s
    a
    • 4
    • 22
  • d

    defensivedepth

    08/18/2022, 1:51 AM
    Trying to dig back into the history of when the linux osqueryd binary increased in size.... Anyone recall why it increased so dramatically from 
    4.9
    44mb ------> 
    5.0
    196mb ?
    s
    s
    +2
    • 5
    • 27
  • a

    Artemis Tosini

    08/18/2022, 7:13 PM
    I'm looking at adding some containerd tables. Unfortunately the API is via grpc so we'd require grpc as a dependancy and either pregenerate the C++ with protoc or use protoc at build time, does anyone have opinions?
    z
    a
    +2
    • 5
    • 60
  • s

    Sagar Patil

    08/25/2022, 4:24 AM
    Can anyone please help me with scheduled queries for docker and Linux environment for improving incident detection and response program.
  • m

    MChorfa

    11/02/2022, 12:12 PM
    Hello 🖖 I followed the docs after the deployment of the fleet server. generated the deb package. but was not able to run it .. Am I missing something ? OH tried with dpkg same issue
    Copy code
    mchorfa@mchorfa-linux-02:~/tmp$ sudo apt install fleet-osquery_1.3.0_amd64.deb
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package fleet-osquery_1.3.0_amd64.deb
    s
    • 2
    • 1
  • m

    MChorfa

    11/02/2022, 12:13 PM
    Copy code
    mchorfa@mchorfa-linux-02:~/tmp$ sudo dpkg  --install fleet-osquery_1.3.0_amd64.deb
(Reading database ... 447044 files and directories currently installed.)
Preparing to unpack fleet-osquery_1.3.0_amd64.deb ...
Failed to stop orbit.service: Unit orbit.service not loaded.
Failed to disable unit: Unit file orbit.service does not exist.
Unpacking fleet-osquery (1.3.0) over (1.3.0) ...
Setting up fleet-osquery (1.3.0) ...
Failed to restart orbit.service: Unit orbit.service not found.
dpkg: error processing package fleet-osquery (--install):
 installed fleet-osquery package post-installation script subprocess returned error exit status 5
Errors were encountered while processing:
 fleet-osquery
  • m

    Michael

    11/09/2022, 6:44 AM
    Hello. I'm trying to package osquery for my distribution of choice. I'm running into a lot of trouble getting the build to find system augeas, is there some flag I need to be passing to get the build to find system libraries?
    s
    • 2
    • 11
  • l

    Larry Gryziak

    02/24/2023, 9:44 PM
    @Larry Gryziak has left the channel
  • o

    oneiroi

    03/29/2023, 4:04 PM
    Hi All, Has anyone notice an issue with the Osquery 
    iptables
    virtual table returning nothing ? I've dug into the source code and have a potential theory why this issues exists, but also wanted to reach out here incase anyone has seen this "gotcha". ?
    p
    s
    • 3
    • 8
  • v

    victor_bui

    04/04/2023, 7:36 AM
    my osquery stop long time and now start again. But I see many old tasks of scheduler run. How to remove/clean old task list?
  • d

    Daniel Moore

    04/13/2023, 2:26 PM
    @Daniel Moore has left the channel
  • d

    defensivedepth

    04/14/2023, 12:40 AM
    Short version is that the osqueryd binary in the tarball is being generated with debug symbols but the one in the rpm isnt 200mb in the tarball vs. 49mb in the rpm
  • s

    Slackbot

    06/08/2023, 11:19 AM
    This message was deleted.
    d
    • 2
    • 2
  • k

    Kevin Pointer

    08/24/2023, 2:53 PM
    @Kevin Pointer has left the channel
  • r

    Ronald Cardoso

    11/07/2023, 3:23 PM
    @Ronald Cardoso has left the channel
  • c

    Chris Jones

    11/28/2023, 5:26 PM
    👋 Hi Folks, Has anyone tried to get data akin to needrestart / needs-restarting ?
  • s

    seph

    11/29/2023, 1:41 AM
    IIRC ubuntu stores that as a file, can you check it’s existence?