process-auditing
  • clong

    clong

    11/10/2017, 7:27 PM
    i wrote a guide to installing osquery and go-audit in this mode here: https://medium.com/@clong/building-a-testbed-for-go-audit-osquery-ea4c0271b0c
  • m

    mdunten

    12/07/2017, 3:35 PM
    @clippy good news is i got process_events to work on ubuntu (so faith restored in the tool!) Will need to continue to work on issues with Centos as that is where I intend to use it. Thanks again
  • a

    alessandrogario

    02/24/2018, 10:44 AM
    @jaredl can you paste the output of --verbose? (you can just append that flag to your osquery.flags)
  • s

    steffen

    05/11/2018, 8:59 AM
I am trying to bring process and socket events together. Socket audit (i.e. socket_events) already reports the pid, so I thought I could easily match it with process audit (i.e. process_events). Although this works well in the case of a ping, it does not work in the case of curl. From the curl example you can see that pid 12425 was able to make a connect call to google on port 80. However, this pid does not appear in process_events. Any idea what the reason is?
  • m

    maestretti

    05/11/2018, 5:45 PM
    Executes and exits too quickly?
  • clong

    clong

    06/21/2018, 3:29 AM
the TL;DR is that i can only semi-reproduce the issue on a VM. It seems to only affect osquery installs that have gone through a long upgrade chain. The good news is that downgrading seems to be a workaround that doesn't involve nuking the DB: https://github.com/facebook/osquery/issues/4615
  • clong

    clong

    08/27/2018, 5:58 PM
    anyone here ever use cgroups for osquery on linux? @8p8c i think possibly you mentioned this at some point?
  • pirxthepilot

    pirxthepilot

    09/25/2018, 5:59 PM
    As i understand it, process auditing only logs execve syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (sethostname, settimeofday etc)? in our case we're trying to follow CIS standards and the benchmarks for audit require more than execve.
  • k

    keepwatch

    07/10/2019, 6:48 PM
    Osquery isn't behaving the way I (naively?) expected it to. I'm testing this command: wget -q -O- https://gist.githubusercontent.com/keepwatch/758bdc149bd9e96930ff167a94a02850/raw/e891e9c7e84052e2cb1df03b84202cc316c71407/logb.txt | base64 -d | /bin/bash I was hoping to have some way to relate the initial and piped processes - wget, base64, and the second bash shell (executes the script). However, the process auditing events I received all have the same parent (the original bash shell where I ran this command), and I don't see any fields containing my pipe-separated command line (just the cmdline for each process). Are there any other ways (beyond time correlation) to determine that these processes are intimately related?
  • p

    Prash

    08/27/2019, 7:24 AM
    When I add "- -a never,exit -F exe=/usr/bin/osqueryd -S all" in goaudit.yaml and start process
  • a

    Avi Apelbaum

    03/19/2020, 8:39 AM
    Hi All, below is my flag file. For some reason I do not receive any events at my TLS server, and I am getting
    Event publisher not enabled: syslog: Publisher disabled via configuration
    Any idea, someone? Flag file:
    --watchdog_level=0
    --watchdog_memory_limit=300
    --host_identifier=uuid
    --tls_hostname=kolide-server:443
    --tls_server_certs=/etc/osquery/ca.crt
    --config_plugin=tls
    --distributed_plugin=tls
    --logger_plugin=tls
    --enroll_tls_endpoint=/api/v1/osquery/enroll
    --config_tls_endpoint=/api/v1/osquery/config
    --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
    --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
    --logger_tls_endpoint=/api/v1/logger
    --config_refresh=300
    --config_tls_max_attempts=20
    --enroll_always=true
    --disable_distributed=false
    --distributed_interval=0
    --enroll_secret_path=/etc/osquery/enroll
    --database_path=/var/osquery/osquery.db
    --pidfile=/var/run/osqueryd.pid
    --logger_path=/var/log/osquery
    --audit_allow_config=true
    --audit_allow_fim_events=true
    --audit_allow_process_events=true
    --audit_allow_sockets=true
    --audit_allow_user_events=true
    --audit_force_reconfigure=true
    --audit_persist=false
    --disable_audit=false
    --enable_dns_lookups=true
    --logger_tls_event_types="user_events|process_events|process_file_events|socket_events|dns_lookup_events|file_events|http_events"
    --events_max=1000
    --disable_events_staging=false
    --windows_event_channels=Security,System,Application,Setup
    --win_enable_dns_lookups=true
    --win_allow_sockets=true
    --win_allow_process_events=true
    --win_allow_logon_events=true
    --win_allow_fim_events=true
    --win_allow_drive_events=true
    --win_allow_reg_events=true
    --enable_windows_kernel_events=true
    --allow_inotify_file_events=false
    --audit_records_rate=10000
    --logger_tls_compress=true
    --enable_wmi=true
    --enable_http_lookups=true
    --process_ancestor_list=true
    --audit_force_unconfigure=true
    --audit_source_dispatcher=true
    --watchdog_utilization_limit=21
    --generate_process_hash_in_process_event=true
  • p

    Premkumar R

    03/26/2020, 1:14 PM
    We are facing an issue on Mac with the osquery agent 4.x: it is not returning any values for cmdline. I saw an open issue for Windows, where the Windows agent is not able to grasp cmdline from PPL. Does this issue exist in the Mac agent too? Could you please let me know the root cause of this issue? Is there any workaround to fix this issue?
    osquery> select pid, name, start_time, cmdline from processes Limit 15;
    +-----+----------------+------------+---------+
    | pid | name           | start_time | cmdline |
    +-----+----------------+------------+---------+
    | 0   | kernel_task    | 1584971117 |         |
    | 1   | launchd        | 1584971117 |         |
    | 42  | syslogd        | 1584971127 |         |
    | 43  | UserEventAgent | 1584971127 |         |
    | 45  | sh             | 1584971127 |         |
    | 47  | uninstalled    | 1584971127 |         |
    | 48  | kextd          | 1584971127 |         |
    | 49  | fseventsd      | 1584971127 |         |
    | 51  | jamf           | 1584971127 |         |
    | 52  | vpnagentd      | 1584971127 |         |
    | 57  | appleeventsd   | 1584971127 |         |
    | 58  | systemstats    | 1584971127 |         |
    | 60  | configd        | 1584971127 |         |
    | 62  | ciscod         | 1584971127 |         |
    | 63  | powerd         | 1584971127 |         |
    +-----+----------------+------------+---------+
  • a

    alessandrogario

    03/26/2020, 2:58 PM
    but yeah, as teddy mentioned:
    sudo osqueryi --verbose 'SELECT * FROM processes;'
  • h

    Henry Xu

    04/28/2020, 6:36 AM
    I am pretty new to the osquery world. We are running our Kubernetes cluster in our data center, and the osquery agent has been installed at the worker node host level, which is able to fill the virtual tables as well as the event tables. Everything works perfectly. Currently we are moving our system into AWS as well as GCP, where we will not be able to install the osquery agent at the worker node level; we need to install it as a DaemonSet. Once the osquery agent is in a DaemonSet, we are not able to get the host audit events. How could we solve this problem? Any help will be appreciated.
  • p

    poisonous97

    06/07/2020, 4:37 PM
    Hello everybody, I am using CentOS 7. process_events is not working:
    osqueryi --nodisable_audit --nodisable_events --audit_allow_config=true --audit_persist=true --audit_allow_sockets --logger_plugin=filesystem --events_expiry=1
  • a

    alessandrogario

    12/16/2020, 6:22 PM
    what kind of system calls would you like to trace?
  • m

    Maksym Varnakov

    10/31/2022, 4:45 PM
    Hi all, I am trying to include the parent process path (ppath) in the output of the process_events table. The query below works great via osqueryi, but the ppath field is always empty in a scheduled query. The issue is in the events_optimize flag that limits the time column.
    SELECT time, pid, path, parent AS ppid, (SELECT path FROM process_events AS pp WHERE pp.pid=p.parent) ppath FROM process_events AS p WHERE syscall='execve';
    Does anybody know any workaround or fix to have ppath included? I would really appreciate any help 🙂