osquery #linux

Peter

08/05/2021, 2:57 PM

Hey there, I'm having a bit of a hard time tracking down where some

socket_events

may be disappearing to. On a low load development machine I've been finding that I don't appear to be entries in the

socket_events

table for some connections, whereas others are just fine. I was wondering if someone could point me in the right direction of how to debug this a bit further? 🧵

Robin Powell

09/24/2021, 6:43 PM

I'm trying to understand https://github.com/osquery/osquery/pull/7132 and its impact better; I have easy access to 4.9.0 in my environment but not 5.0, so, can someone give me an example of a query with

pid_with_namespace

query that'll actually work on 4.9? Like I think I want something like

select * from deb_packages where pid_with_namespace=???

, where ??? points to a container that's running something debian-flavored, but I'm not sure what that should be or the results I should expect.

julient

09/26/2021, 1:48 PM

I have the following query in my scheduled ones: "select authorized_keys.* from users join authorized_keys using (uid);" Problem, it creates a spam of warning messages for all users where no such file exists "Cannot open file for reading: /.ssh/authorized_keys2" Is there a way to make query not doing this warning or to silent the corresponding log pattern? spamming log for no reason Following https://defensivedepth.com/2019/02/21/osquery-join-with-users-table-not-returning-results/, I tried "select authorized_keys.* from users cross join authorized_keys using (uid);" but same results "select authorized_keys.* from authorized_keys;" only get warning for user who have one file but not the other (authorized_keys2 vs authorized_keys) Thanks

Mike Tonks

10/16/2021, 9:56 AM

Hi, I'm trying out osquery for the first time, and looks good but I'm getting nothing under disk_encryption. This is one of the key things I'm looking to audit. I'm using ubuntu and the disk was fully encrypted during the install, I think it uses LVM.

George

11/16/2021, 3:24 PM

Hi, I'm running osquery on linux with process auditing via eBPF enabled. I've been using https://github.com/hillu/edr-loadgen/blob/master/edr-loadgen.go to check performance stats and I'm getting the same ~20% cpu usage results regardless of how many execs/s I run. I'm unsure if I'm missing something but I can't find any documentation that suggests CPU usage is limited to max 20%? I'm not very knowledgeable on Linux performance testing so it's quite possible I may have something configured wrong.

MoodyMudit

02/21/2022, 1:03 PM

Hi, I am fetching some data using osquery’s crontab table. There are some ambiguous entries which are getting listed. Can someone please help me understand why this is happening. Here is the data fetched.

{  
   command: {}'.format(e))
   path: /etc/cron.d/sched_prov.py
   day_of_month: enforce
   day_of_week: endpoints:
   hour: to
   minute: print('Failed
   month: maintenance
 }

Mystery Incorporated

03/20/2022, 11:07 AM

I notice that even tho I am running Ubuntu 20.4.4 it always reports as 20.4.0

Mystery Incorporated

03/20/2022, 11:08 AM

Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal

Mystery Incorporated

03/20/2022, 11:09 AM

Unsure actually if that's an OSQuery thing or a fleet thing

Mystery Incorporated

03/20/2022, 11:10 AM

NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="<https://www.ubuntu.com/>"
SUPPORT_URL="<https://help.ubuntu.com/>"
BUG_REPORT_URL="<https://bugs.launchpad.net/ubuntu/>"
PRIVACY_POLICY_URL="<https://www.ubuntu.com/legal/terms-and-policies/privacy-policy>"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

seph

03/20/2022, 11:43 AM

What query is fleet using?

Mystery Incorporated

03/20/2022, 1:46 PM

I'm not sure because it's just whatever fleet does to detect the os out of the box

Stefano Bonicatti

03/20/2022, 2:42 PM

Likely caused by osquery, which uses the

VERSION_ID

to parse the SEMVER parts:

select * from os_version;
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Ubuntu | 20.04.3 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+

Stefano Bonicatti

03/20/2022, 2:53 PM

I say "caused", but to be fair also the

os-release

file format is not one of the best, given that every distro does what it wants, kind of

Mystery Incorporated

03/21/2022, 12:24 AM

Hmm even then fleet seems to be trimming the 04 to 4 and putting a superfluous .0 on the end

Mystery Incorporated

03/21/2022, 12:26 AM

or they are just grabbing and concatenating major + minor + patch actually now I look at that again, so I'm guessing they are doing

var OS=major+.+minor+.+patch

to describe in pseudocode

Mystery Incorporated

03/21/2022, 12:28 AM

Perhaps some platform specific logic may be needed for Ubuntu to grab version and then substr anything to the left of LTS

Nick Klauer

06/07/2022, 8:25 PM

I didn’t realize there was a separate channel just for Linux, so I’m cross-posting my question here

zwass

08/17/2022, 10:20 PM

Is there a good way to tell whether a process is part of a container (independent of the runtime, I know docker containers could be found with

docker_containers

table)? Not sure if @Artemis Tosini’s cgroup work will help with this. In current osquery, best I've come up with is

select * from processes join process_namespaces using (pid) where cgroup_namespace != (select cgroup_namespace from process_namespaces where pid = 1);

(eg. check for a different cgroup than the init process), though I think this will pick up other processes using cgroups besides just containers. I'm looking to do this in order to take advantage of the

pid_with_namespace

column @Stefano Bonicatti added to some tables.

defensivedepth

08/18/2022, 1:51 AM

Trying to dig back into the history of when the linux osqueryd binary increased in size.... Anyone recall why it increased so dramatically from

4.9

44mb ------>

5.0

196mb ?

Artemis Tosini

08/18/2022, 7:13 PM

I'm looking at adding some containerd tables. Unfortunately the API is via grpc so we'd require grpc as a dependancy and either pregenerate the C++ with protoc or use protoc at build time, does anyone have opinions?

Sagar Patil

08/25/2022, 4:24 AM

Can anyone please help me with scheduled queries for docker and Linux environment for improving incident detection and response program.

MChorfa

11/02/2022, 12:12 PM

Hello 🖖 I followed the docs after the deployment of the fleet server. generated the deb package. but was not able to run it .. Am I missing something ? OH tried with dpkg same issue

mchorfa@mchorfa-linux-02:~/tmp$ sudo apt install fleet-osquery_1.3.0_amd64.deb
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package fleet-osquery_1.3.0_amd64.deb

MChorfa

11/02/2022, 12:13 PM

mchorfa@mchorfa-linux-02:~/tmp$ sudo dpkg  --install fleet-osquery_1.3.0_amd64.deb
(Reading database ... 447044 files and directories currently installed.)
Preparing to unpack fleet-osquery_1.3.0_amd64.deb ...
Failed to stop orbit.service: Unit orbit.service not loaded.
Failed to disable unit: Unit file orbit.service does not exist.
Unpacking fleet-osquery (1.3.0) over (1.3.0) ...
Setting up fleet-osquery (1.3.0) ...
Failed to restart orbit.service: Unit orbit.service not found.
dpkg: error processing package fleet-osquery (--install):
 installed fleet-osquery package post-installation script subprocess returned error exit status 5
Errors were encountered while processing:
 fleet-osquery

Michael

11/09/2022, 6:44 AM

Hello. I'm trying to package osquery for my distribution of choice. I'm running into a lot of trouble getting the build to find system augeas, is there some flag I need to be passing to get the build to find system libraries?

Larry Gryziak

02/24/2023, 9:44 PM

@Larry Gryziak has left the channel

oneiroi

03/29/2023, 4:04 PM

Hi All, Has anyone notice an issue with the Osquery

iptables

virtual table returning nothing ? I've dug into the source code and have a potential theory why this issues exists, but also wanted to reach out here incase anyone has seen this "gotcha". ?

victor_bui

04/04/2023, 7:36 AM

my osquery stop long time and now start again. But I see many old tasks of scheduler run. How to remove/clean old task list?

Daniel Moore

04/13/2023, 2:26 PM

@Daniel Moore has left the channel

defensivedepth

04/14/2023, 12:40 AM

Short version is that the osqueryd binary in the tarball is being generated with debug symbols but the one in the rpm isnt 200mb in the tarball vs. 49mb in the rpm