osquery #linux

Fran Rodríguez

06/18/2020, 4:08 PM

Hi someone know what this means:

Copy code

I0618 16:07:50.096029 13511 auditdnetlink.cpp:616] Failed to acquire the netlink handle

theopolis

06/22/2020, 9:22 PM

I wish I could answer your question specifically but I've never seen that error. I'm not at a computer right now so I cannot provide examples, but I wanted to ask a set of standard audit questions like the output of the audit control summary, if any other audit-related processes were running, what your osquery config looks like (maybe more questions I cannot remember right now).

Antoinette

06/26/2020, 6:46 PM

Would I be correct in thinking that the users table is limited in that it doesn't identify LDAP users on the box?

binu

07/01/2020, 5:34 PM

Any free ui tools available for view osquery_result log ?

Hugh (Zercurity)

07/10/2020, 11:11 AM

of the users mouse activity? applications? or just general system CPU usage?

theopolis

08/07/2020, 1:12 PM

That’s fairly private information, we choose not to make a browser history table explicitly.

👍 2

theopolis

08/26/2020, 3:10 PM

I don’t have the code in front of me right now but it sounds like osquery’s information is incomplete, meaning it does not expose all of /proc/meminfo. You might need to change the information provided in the memory_info table.

Stefano Bonicatti

08/26/2020, 3:32 PM

https://github.com/osquery/osquery/blob/a19d910d214e37b893e9e701d3fd17c60c9e0e55/osquery/tables/system/linux/memory_info.cpp#L27 it should have the memory_free column though?

rmbowie

08/26/2020, 5:58 PM

Are there guidelines for porting to a new processor family? I'm porting to linux on power, I now have osquery-toolchain and now I'm working through the third party stuff.. Once I make it work I was planning to make it right by following the pattern for aarch64 which maybe will always be a separate branch?

theresa

09/25/2020, 9:16 AM

Dear all, can a kind soul please help me debug my osquery.conf? It's driving me mad. As soon as I enable the osquery packs, it stops working and fails to parse the config.

Copy code

{
    "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "utc": "true"
  },

  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    }
  },

  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  Linux: /usr/share/osquery/packs
  "packs": {
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
  },
}

Mystery Incorporated

12/05/2020, 11:52 AM

Yo, is it possible to detect addition/removal of UFW rules on Linux?

theopolis

12/30/2020, 5:00 PM

You can follow along with each release by checking the associated issue https://github.com/osquery/osquery/issues/6810

MaxosxOsquery

02/03/2021, 5:05 PM

#linux is it possible to read the content of the file using osquery in linux ?

Joffrey

06/07/2021, 8:55 AM

Hi there 👋 Glad to join the osquery community 🙂 already got a question for you guys, i would like to build osquery on alpine linux, does anyone already tried ? i've read that was not supported but does it means that will not work in any case ? Many thanks

👋 1

MoodyMudit

07/28/2021, 7:01 AM

Hi, I am trying to capture process_events in Linux using the process_events table. Is it possible to identify from the event, that the process was started or terminated? As an example, I captured the following event, but there is no identifying information about the status of the process. OS used is CentOS7.

Copy code

{
  "counter": 0,
  "unixTime": 1627455088,
  "atime": "1627454699",
  "auid": "1000",
  "btime": "0",
  "cmdline": "python3",
  "ctime": "1610552918",
  "cwd": "/",
  "egid": "0",
  "euid": "0",
  "fsgid": "0",
  "fsuid": "0",
  "gid": "0",
  "mode": "0100755",
  "mtime": "1605545975",
  "owner_gid": "0",
  "owner_uid": "0",
  "parent": "7041",
  "path": "/usr/bin/python3.6",
  "pid": "9888",
  "sgid": "0",
  "suid": "0",
  "syscall": "execve",
  "time": "1627454887",
  "uid": "0",
  "uptime": "16902318"
}

Peter

08/05/2021, 2:57 PM

Hey there, I'm having a bit of a hard time tracking down where some

socket_events

may be disappearing to. On a low load development machine I've been finding that I don't appear to be entries in the

socket_events

table for some connections, whereas others are just fine. I was wondering if someone could point me in the right direction of how to debug this a bit further? 🧵

Robin Powell

09/24/2021, 6:43 PM

I'm trying to understand https://github.com/osquery/osquery/pull/7132 and its impact better; I have easy access to 4.9.0 in my environment but not 5.0, so, can someone give me an example of a query with

pid_with_namespace

query that'll actually work on 4.9? Like I think I want something like

select * from deb_packages where pid_with_namespace=???

, where ??? points to a container that's running something debian-flavored, but I'm not sure what that should be or the results I should expect.

julient

09/26/2021, 1:48 PM

I have the following query in my scheduled ones: "select authorized_keys.* from users join authorized_keys using (uid);" Problem, it creates a spam of warning messages for all users where no such file exists "Cannot open file for reading: /.ssh/authorized_keys2" Is there a way to make query not doing this warning or to silent the corresponding log pattern? spamming log for no reason Following https://defensivedepth.com/2019/02/21/osquery-join-with-users-table-not-returning-results/, I tried "select authorized_keys.* from users cross join authorized_keys using (uid);" but same results "select authorized_keys.* from authorized_keys;" only get warning for user who have one file but not the other (authorized_keys2 vs authorized_keys) Thanks

Mike Tonks

10/16/2021, 9:56 AM

Hi, I'm trying out osquery for the first time, and looks good but I'm getting nothing under disk_encryption. This is one of the key things I'm looking to audit. I'm using ubuntu and the disk was fully encrypted during the install, I think it uses LVM.

George

11/16/2021, 3:24 PM

Hi, I'm running osquery on linux with process auditing via eBPF enabled. I've been using https://github.com/hillu/edr-loadgen/blob/master/edr-loadgen.go to check performance stats and I'm getting the same ~20% cpu usage results regardless of how many execs/s I run. I'm unsure if I'm missing something but I can't find any documentation that suggests CPU usage is limited to max 20%? I'm not very knowledgeable on Linux performance testing so it's quite possible I may have something configured wrong.

MoodyMudit

02/21/2022, 1:03 PM

Hi, I am fetching some data using osquery’s crontab table. There are some ambiguous entries which are getting listed. Can someone please help me understand why this is happening. Here is the data fetched.

Copy code

{  
   command: {}'.format(e))
   path: /etc/cron.d/sched_prov.py
   day_of_month: enforce
   day_of_week: endpoints:
   hour: to
   minute: print('Failed
   month: maintenance
 }

Mystery Incorporated

03/20/2022, 11:07 AM

I notice that even tho I am running Ubuntu 20.4.4 it always reports as 20.4.0

Mystery Incorporated

03/20/2022, 11:08 AM

Copy code

Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal

Mystery Incorporated

03/20/2022, 11:09 AM

Unsure actually if that's an OSQuery thing or a fleet thing

Mystery Incorporated

03/20/2022, 11:10 AM

Copy code

NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="<https://www.ubuntu.com/>"
SUPPORT_URL="<https://help.ubuntu.com/>"
BUG_REPORT_URL="<https://bugs.launchpad.net/ubuntu/>"
PRIVACY_POLICY_URL="<https://www.ubuntu.com/legal/terms-and-policies/privacy-policy>"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

seph

03/20/2022, 11:43 AM

What query is fleet using?

Mystery Incorporated

03/20/2022, 1:46 PM

I'm not sure because it's just whatever fleet does to detect the os out of the box

Stefano Bonicatti

03/20/2022, 2:42 PM

Likely caused by osquery, which uses the

VERSION_ID

to parse the SEMVER parts:

Copy code

select * from os_version;
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| name   | version                   | major | minor | patch | build | platform | platform_like | codename | arch   |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+
| Ubuntu | 20.04.3 LTS (Focal Fossa) | 20    | 4     | 0     |       | ubuntu   | debian        | focal    | x86_64 |
+--------+---------------------------+-------+-------+-------+-------+----------+---------------+----------+--------+

Stefano Bonicatti

03/20/2022, 2:53 PM

I say "caused", but to be fair also the

os-release

file format is not one of the best, given that every distro does what it wants, kind of

Mystery Incorporated

03/21/2022, 12:24 AM

Hmm even then fleet seems to be trimming the 04 to 4 and putting a superfluous .0 on the end