linux
  • m

    MaxosxOsquery

    02/03/2021, 5:05 PM
    #linux Is it possible to read the content of a file using osquery on Linux?
  • j

    Joffrey

    06/07/2021, 8:55 AM
    Hi there 👋 Glad to join the osquery community 🙂 Already got a question for you guys: I would like to build osquery on Alpine Linux, has anyone already tried? I've read that it was not supported, but does that mean it will not work in any case? Many thanks
  • MoodyMudit

    MoodyMudit

    07/28/2021, 7:01 AM
    Hi, I am trying to capture process_events in Linux using the process_events table. Is it possible to identify from the event, that the process was started or terminated? As an example, I captured the following event, but there is no identifying information about the status of the process. OS used is CentOS7.
    {
      "counter": 0,
      "unixTime": 1627455088,
      "atime": "1627454699",
      "auid": "1000",
      "btime": "0",
      "cmdline": "python3",
      "ctime": "1610552918",
      "cwd": "/",
      "egid": "0",
      "euid": "0",
      "fsgid": "0",
      "fsuid": "0",
      "gid": "0",
      "mode": "0100755",
      "mtime": "1605545975",
      "owner_gid": "0",
      "owner_uid": "0",
      "parent": "7041",
      "path": "/usr/bin/python3.6",
      "pid": "9888",
      "sgid": "0",
      "suid": "0",
      "syscall": "execve",
      "time": "1627454887",
      "uid": "0",
      "uptime": "16902318"
    }
  • Peter

    Peter

    08/05/2021, 2:57 PM
    Hey there, I'm having a bit of a hard time tracking down where some
    socket_events
    may be disappearing to. On a low load development machine I've been finding that I don't appear to be seeing entries in the
    socket_events
    table for some connections, whereas others are just fine. I was wondering if someone could point me in the right direction of how to debug this a bit further? 🧵
  • r

    Robin Powell

    09/24/2021, 6:43 PM
    I'm trying to understand https://github.com/osquery/osquery/pull/7132 and its impact better; I have easy access to 4.9.0 in my environment but not 5.0, so, can someone give me an example of a query with
    pid_with_namespace
    query that'll actually work on 4.9? Like I think I want something like
    select * from deb_packages where pid_with_namespace=???
    , where ??? points to a container that's running something debian-flavored, but I'm not sure what that should be or the results I should expect.
  • j

    julient

    09/26/2021, 1:48 PM
    I have the following query in my scheduled ones: "select authorized_keys.* from users join authorized_keys using (uid);"
    Problem: it creates a spam of warning messages for all users where no such file exists: "Cannot open file for reading: /.ssh/authorized_keys2"
    Is there a way to make the query not produce this warning, or to silence the corresponding log pattern? It is spamming the log for no reason.
    Following https://defensivedepth.com/2019/02/21/osquery-join-with-users-table-not-returning-results/, I tried "select authorized_keys.* from users cross join authorized_keys using (uid);" but got the same results.
    "select authorized_keys.* from authorized_keys;" only gets the warning for users who have one file but not the other (authorized_keys2 vs authorized_keys).
    Thanks
  • m

    Mike Tonks

    10/16/2021, 9:56 AM
    Hi, I'm trying out osquery for the first time, and looks good but I'm getting nothing under disk_encryption. This is one of the key things I'm looking to audit. I'm using ubuntu and the disk was fully encrypted during the install, I think it uses LVM.
  • g

    George

    11/16/2021, 3:24 PM
    Hi, I'm running osquery on linux with process auditing via eBPF enabled. I've been using https://github.com/hillu/edr-loadgen/blob/master/edr-loadgen.go to check performance stats and I'm getting the same ~20% cpu usage results regardless of how many execs/s I run. I'm unsure if I'm missing something but I can't find any documentation that suggests CPU usage is limited to max 20%? I'm not very knowledgeable on Linux performance testing so it's quite possible I may have something configured wrong.
  • MoodyMudit

    MoodyMudit

    02/21/2022, 1:03 PM
    Hi, I am fetching some data using osquery’s crontab table. There are some ambiguous entries which are getting listed. Can someone please help me understand why this is happening. Here is the data fetched.
    {  
       command: {}'.format(e))
       path: /etc/cron.d/sched_prov.py
       day_of_month: enforce
       day_of_week: endpoints:
       hour: to
       minute: print('Failed
       month: maintenance
     }
  • Mystery Incorporated

    Mystery Incorporated

    03/20/2022, 11:07 AM
    I notice that even tho I am running Ubuntu 20.4.4 it always reports as 20.4.0
  • Mystery Incorporated

    Mystery Incorporated

    03/20/2022, 11:08 AM
    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04.4 LTS
    Release:        20.04
    Codename:       focal
  • Mystery Incorporated

    Mystery Incorporated

    03/20/2022, 11:09 AM
    Unsure actually if that's an OSQuery thing or a fleet thing
  • Mystery Incorporated

    Mystery Incorporated

    03/20/2022, 11:10 AM
    NAME="Ubuntu"
    VERSION="20.04.4 LTS (Focal Fossa)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 20.04.4 LTS"
    VERSION_ID="20.04"
    HOME_URL="<https://www.ubuntu.com/>"
    SUPPORT_URL="<https://help.ubuntu.com/>"
    BUG_REPORT_URL="<https://bugs.launchpad.net/ubuntu/>"
    PRIVACY_POLICY_URL="<https://www.ubuntu.com/legal/terms-and-policies/privacy-policy>"
    VERSION_CODENAME=focal
    UBUNTU_CODENAME=focal
  • s

    seph

    03/20/2022, 11:43 AM
    What query is fleet using?
  • Mystery Incorporated

    Mystery Incorporated

    03/20/2022, 1:46 PM
    I'm not sure because it's just whatever fleet does to detect the os out of the box
  • Stefano Bonicatti

    Stefano Bonicatti

    03/20/2022, 2:42 PM
    Likely caused by osquery, which uses the
    VERSION_ID
    to parse the SEMVER parts:
    select * from os_version;
    +--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
    | name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
    +--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
    | Ubuntu | 20.04.3 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
    +--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
  • Stefano Bonicatti

    Stefano Bonicatti

    03/20/2022, 2:53 PM
    I say "caused", but to be fair also the
    os-release
    file format is not one of the best, given that every distro does what it wants, kind of
  • Mystery Incorporated

    Mystery Incorporated

    03/21/2022, 12:24 AM
    Hmm even then fleet seems to be trimming the 04 to 4 and putting a superfluous .0 on the end
  • Mystery Incorporated

    Mystery Incorporated

    03/21/2022, 12:26 AM
    or they are just grabbing and concatenating major + minor + patch actually now I look at that again, so I'm guessing they are doing
    var OS=major+.+minor+.+patch
    to describe in pseudocode
  • Mystery Incorporated

    Mystery Incorporated

    03/21/2022, 12:28 AM
    Perhaps some platform specific logic may be needed for Ubuntu to grab version and then substr anything to the left of LTS
  • n

    Nick Klauer

    06/07/2022, 8:25 PM
    I didn’t realize there was a separate channel just for Linux, so I’m cross-posting my question here
  • s

    Sagar Patil

    08/08/2022, 5:05 PM
    message has been deleted
  • zwass

    zwass

    08/17/2022, 10:20 PM
    Is there a good way to tell whether a process is part of a container (independent of the runtime, I know docker containers could be found with
    docker_containers
    table)? Not sure if @Artemis Tosini’s cgroup work will help with this. In current osquery, best I've come up with is
    select * from processes join process_namespaces using (pid) where cgroup_namespace != (select cgroup_namespace from process_namespaces where pid = 1);
    (eg. check for a different cgroup than the init process), though I think this will pick up other processes using cgroups besides just containers. I'm looking to do this in order to take advantage of the
    pid_with_namespace
    column @Stefano Bonicatti added to some tables.
  • defensivedepth

    defensivedepth

    08/18/2022, 1:51 AM
    Trying to dig back into the history of when the linux osqueryd binary increased in size.... Anyone recall why it increased so dramatically from
    4.9
    44mb ------>
    5.0
    196mb ?
  • a

    Artemis Tosini

    08/18/2022, 7:13 PM
    I'm looking at adding some containerd tables. Unfortunately the API is via gRPC, so we'd require gRPC as a dependency and either pregenerate the C++ with protoc or use protoc at build time. Does anyone have opinions?
  • s

    Sagar Patil

    08/25/2022, 4:24 AM
    Can anyone please help me with scheduled queries for Docker and Linux environments for improving an incident detection and response program?
  • m

    MChorfa

    11/02/2022, 12:12 PM
    Hello 🖖 I followed the docs after the deployment of the fleet server, generated the deb package, but was not able to run it. Am I missing something? Oh, tried with dpkg, same issue.
    mchorfa@mchorfa-linux-02:~/tmp$ sudo apt install fleet-osquery_1.3.0_amd64.deb
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    E: Unable to locate package fleet-osquery_1.3.0_amd64.deb
  • m

    MChorfa

    11/02/2022, 12:13 PM
    mchorfa@mchorfa-linux-02:~/tmp$ sudo dpkg  --install fleet-osquery_1.3.0_amd64.deb
    (Reading database ... 447044 files and directories currently installed.)
    Preparing to unpack fleet-osquery_1.3.0_amd64.deb ...
    Failed to stop orbit.service: Unit orbit.service not loaded.
    Failed to disable unit: Unit file orbit.service does not exist.
    Unpacking fleet-osquery (1.3.0) over (1.3.0) ...
    Setting up fleet-osquery (1.3.0) ...
    Failed to restart orbit.service: Unit orbit.service not found.
    dpkg: error processing package fleet-osquery (--install):
     installed fleet-osquery package post-installation script subprocess returned error exit status 5
    Errors were encountered while processing:
     fleet-osquery
  • m

    Michael

    11/09/2022, 6:44 AM
    Hello. I'm trying to package osquery for my distribution of choice. I'm running into a lot of trouble getting the build to find system augeas, is there some flag I need to be passing to get the build to find system libraries?