Hello. anyone seeing osquery going crazy cpu with "osqueryd worker (pid) stopping: Maximum sustainaible utilization limit exceeded" and killed every 15sec or so? almost no other messages but a few hundred query results (network connections and process) vs 4k limit exceeded a day... trying to get more info on setup. Thanks

Does anyone have a work-around for make-deps failing on linux? [+] checking for updates to brew HEAD is now at c324fccf9 shims/super/cc: Use cc on Linux (#727) [+] refreshing local tap: osquery-local [+] dissabling brew analytics Error: Running Homebrew as root is extremely dangerous and no longer supported. As Homebrew does not drop privileges on installation you would be giving all build scripts full access to your system. Makefile229 recipe for target 'deps' failed make: * [deps] Error 1

Is there a known memory leak in rpm_packages? I don't see an open issue. The code looks to be missing a couple or rpmtdFree() calls

your flagfile : --enable_syslog=true

could also be the syslog hang bug (fix: https://github.com/facebook/osquery/pull/5259)

I have a trouble with

googletest

(

libgtest.a

) while compiling osquery using qcreator on

4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64 GNU/Linux

. It compiles with

make

though. Have anyone experienced such problem? I tried to install

googletest

and

libgtest-dev

packages and ran

make deps

already.

17:13:40: Running steps for project OSQUERY...
17:13:40: Starting: "/usr/local/bin/cmake" --build . --target all
[  1%] Linking CXX static library libgtest.a
Error running link command: No such file or directory
third-party/googletest/googlemock/gtest/CMakeFiles/gtest.dir/build.make:83: recipe for target 'third-party/googletest/googlemock/gtest/libgtest.a' failed
make[2]: *** [third-party/googletest/googlemock/gtest/libgtest.a] Error 2
make[1]: *** [third-party/googletest/googlemock/gtest/CMakeFiles/gtest.dir/all] Error 2
CMakeFiles/Makefile2:369: recipe for target 'third-party/googletest/googlemock/gtest/CMakeFiles/gtest.dir/all' failed
Makefile:140: recipe for target 'all' failed
make: *** [all] Error 2
17:13:40: The process "/usr/local/bin/cmake" exited with code 2.
Error while building/deploying project OSQUERY (kit: Desktop)
When executing step "Make"
17:13:40: Elapsed time: 00:00.

Hi, I was looking at user_events on linux when an ssh login fails. It looks like the message field truncates anything after the first space. Thoughts? (will post details in thread)

Has anyone seen issues with 4.0.2 on linux where a config using an extension has issues creating /var/run/osquery.em ? boxes were all running 3.3.0 with same config/flags/extension fine prior to upgrading. moving the extension socket location to another location that is not tmpfs fixes it /var/run is not read only

I have not seen this, but it could be that the path is opened by another process? This persists across reboots? I wonder if you set the other path to another tmpfs location?

I was curious to why the process_events table has a field for auid but the processes table doesn't. Anyone have some insight?

could anyone help me logic around what i think is a bug in the provided init.d script? it looks like

service osqueryd stop

is supposed to wait for all of the processes to die but does not; i'm pretty sure i see the issue but a set of eyes familiar would be great. i'll thread here with some details

What events are you looking for? I ask because there are multiple APIs used and some may expect root, we can investigate the docs and code together.

Hello, I am trying to get all the authorized_keys in a linux host using osquery. It seems to me that osquery will only return the authorized keys of the user it runs as. Is there any way around that?

mmm ok, so maybe I've tried on 19.10. At least I know that on recent kernels they've changed a system header which is used by libaudit and defines something that libaudit was previously defining

has anyone noticed audit rules (and enabled status) not being reset when osquery shuts down and the watchdog is in use? https://github.com/osquery/osquery/pull/6096 mentions that the watchdog signal handlers were removed, so I suspect this is why?

hey! is there a design doc describing osquery’s ebpf ingest mechanism? I’m reading through source now but seeing motivations etc might make things click a bit more readily 😄

Linux folks, what do you think of https://github.com/osquery/osquery/pull/6180/files

@alessandrogario I rebased your patches to 4.2.0 (but it needs more testing). https://github.com/anatol/osquery/commits/archlinux-rebase-4.2.0 Is there any chance that these patches start getting reviewed/merged to

master

?

I see. Those dependencies are the same on the CI since they’re specified in the osquery repo, in the CMake code. I think there are some routing issues with their repository, we (Alessandro and me, from Italy) had some issues to download it too in the last week.

Hello! Would anyone happen to know what linux capability (e.g. http://man7.org/linux/man-pages/man7/capabilities.7.html) is required for the

pid

column of the table

listening_ports

to be populated? I've identified that in my environment we're definitely not providing the needed capability to get that data (it just returns

-1

), but in debugging if i give all capabilities it works. Just not super clear to me based on capabilities/kernel docs or the osquery source code (https://github.com/osquery/osquery/blob/e6fe15eb49660725e65dba1549932ed96e0a8c6e/osquery/tables/networking/linux/process_open_sockets.cpp#L43 -ish?) which one it needs

If you build a TGZ package the augeas lenses are installed in /usr/local/share/osquery/lenses.. but how does osquery pick that up? I see the path is set to /usr/share/osquery/lenses in osquery/tables/system/posix/augeas.cpp but I can't figure out where the /usr/local/share path would be set..

Starting with 4.1.1, I am unable to use the systemd

ProtectSystem=strict

feature. The daemon does not start, but no logs are produced. Does anyone know what changed between 4.0.2 and 4.1.1 that may have caused this? Here’s my full service unit config:

[Unit]
Description=The osquery Daemon
After=network.service syslog.service

[Service]
TimeoutStartSec=0
EnvironmentFile=/etc/default/osqueryd
ExecStartPre=/bin/sh -c "if [ ! -f $CONFIG_FILE ]; then echo {} > $CONFIG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi"
ExecStart=/usr/bin/osqueryd \
  --flagfile $FLAG_FILE \
  --config_path $CONFIG_FILE
Restart=on-failure
KillMode=process
KillSignal=SIGTERM
ProtectSystem=strict
ReadWritePaths=/var/osquery /var/run /var/tmp /tmp

[Install]
WantedBy=multi-user.target

hi, I have a few super micro servers that didn’t show accurate

hardware_xxx

from

system_info

e.g.

hardware_model
Actual: Super Server
Expect: X11SSH-F

hardware_version
Actual: 0123456789
Expect: 1.01

hardware_serial
Actual: 0123456789
Expect: WM199xxxxxxx

after checking

osquery/tables/system/linux/system_info.cpp

, I find out it matches

type 1 (System Information )

only. And the expect value is from

type 2 (Base Board or Module Information)

. I would like to propose several new columns to

system_info

table, i.e.

board_vendor

,

board_model

,

board_version

and

board_serial

, which is similar to

hardware_xxx

. What do you think?

4.3.0 has been pushed to Arch testing repo. Here is the current list of patches used https://github.com/anatol/osquery/tree/4.3.0-archlinux cc @alessandrogario @theopolis

hey, I'm taking a closer look at audit-events (process_events). Looking at the raw data from audit for execve syscall, I can see multiple record-sets with the same pid and ppid. So if 'pid' is for the process doing the execve action, what is the pid of the resulting new process?

@Anatol Pomazau Thanks for all your work on the Arch Linux package. Do you mind clarifying why

rpmtools

and

dpkg

are necessary for these? When building locally, it seems like

git python3 bison flex make

are the only requirements. (I haven't tried to run it though)

i have a extension from the osquery-python. But funtion

generate

not return data

#!/usr/bin/env python
import magic
import json
import osquery
from os import listdir
from os.path import isfile, join

@osquery.register_plugin
class MyTablePlugin(osquery.TablePlugin):
    def name(self):
        return "types_file"
    def columns(self):
        return [
            osquery.TableColumn(name="value", type=osquery.STRING),
            osquery.TableColumn(name="path", type=osquery.STRING),
        ]
    def get_context_list_val(self, val):
        return "" if not val else val[0]["expr"]
    def generate(self, context):
        data = map(lambda x: (x["name"], self.get_context_list_val(x['list'])),
                        json.loads(json.loads(context))["constraints"])

        path = dict(data)["path"]
        onlyfiles = [join(path, f) for f in listdir(path) if isfile(join(path, f))]
        data = []
        for file_name in onlyfiles:
            value = magic.from_file(file_name)
            row = {}
            print(str(file_name))
            row['value'] = value
            row["path"] = str(file_name)
            data.append(row)
        return data
if __name__ == "__main__":
    osquery.start_extension(name="my_awesome_extension", version="1.0.0")

Hi team, is this normal when you run osquery in Ubuntu

root     23309  0.0  0.4 126996 18400 ?        SNsl Jun11   1:40 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf
root     23313  0.0  0.0      0     0 ?        ZNl  Jun11   0:07 [osqueryd] <defunct>

has anyone got to configure osquery and syslog in order to keep results queries in other file than default file?

i wan to send the logs to remote syslog, i can do it with system osqueryd logs but not with results query logs