I wonder if this is a bug or a feature The command `select f osquery #general

I wonder if this is a bug or a feature? The comma...

HarlanF

03/30/2022, 2:33 PM

I wonder if this is a bug or a feature? The command

select * from users

only comes up with local users, as the documentation states. Thus, anything I join it to (like

shell_history

) is similarly only local users. However, if you put in a where clause that calls out a specific username or uid, it'll grab information about non-local users (like myself, so easy to test). Is there some way to enumerate all the users?

HarlanF

03/30/2022, 2:33 PM

If it matters, I'm seeing this in v5.2.2 on CentOS Stream release 8

Stefano Bonicatti

03/30/2022, 2:42 PM

What do you mean non-local users in the context of Linux? How are you connecting to that machine?

Stefano Bonicatti

03/30/2022, 2:46 PM

oh sorry you mean users through ldap for instance

Stefano Bonicatti

03/30/2022, 2:51 PM

So this is a side effect of the underlying system APIs the osquery uses. There’s currently no way to list non-local users/domain users; the API used by osquery loops through users that are defined in

/etc/passwd

(

getpwent_r

) But when you provide a uid, that uses

getpwuid_r

which also passes through the various translation layers, if defined, like NIS or LDAP.

Stefano Bonicatti

03/30/2022, 2:58 PM

And no, there’s currently no way to list all users. Although I wonder what all means. All the ones that the client knows (because they interacted in some way), or all the users that could interact with it? (possibly thousands of domain users?)

11 Views

Open in Slack

Previous Next