Hi - Has anyone written any queries for detecting recently logged in users? I'm asking because the "normal" way of detecting SSH keys w/o encryption kind of breaks with network-mounted homes (it tries and fails across 1000s of users)
03/31/2022, 8:09 PM
Hi. @Jason! What's the end goal with that query? Are you wanting to see what users have most recently logged in to a specific host and then use that data to narrow down which users' keys you need to check for encryption?
04/01/2022, 3:21 AM
It's a basic one - looking for unencrypted SSH keys. The problem is if you just look for all keys for users on a system with shared storage, you are doing this check against hundreds (or thousands) of home directories you won't have read access to -- and it is also redundant
so I'm really just looking for the SSH keys of the actual users who are using the system (and have their homedir actually mounted with access)
09/21/2022, 8:50 PM
@Jason I have that query already added to the Fleet standard library, I think; try to join with the ‘last’ table.
09/21/2022, 8:51 PM
Ah. Nice idea.
09/21/2022, 8:53 PM
Sorry, I was searching for something and saw this old message, and I thought I could help.
I saw that issue in a previous environment where we didn't have normal users created on the system but they came authenticated from the domain, so here you need to join with the ‘last’ table for anything related to normal users. Because the normal query without this trick will only return data about the service accounts like root, php, puppet, ansible, etc.
@Jason hopefully that helps.
09/21/2022, 9:10 PM
Reminds me of another query I just wrote for web browser versions. I'm querying the web browser version only if the browser is running.
So if you have Firefox installed but don't use it, I don't really care much.