Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

is there a way w/ osquery to see if squashfs and cramfs are enabled on a host system?

Could Augeas + the config file under /boot be helpful?

Or a Yara rule, looking for the config option string

If it is built as a module, the file table can find it

if what is built as a module? enabling file_events?

I may have misunderstood the problem; is squashfs support in the kernel? If it is, it's either built-in or relying on a .ko kernel module somewhere on disk

Dumping the kernel build-time config will contain the configuration string, such as `CONFIG_FEATURE_NAME` and may indicate whether it's built-in, module, or off completely

On my system:

```$ grep SQUASH /boot/config-5.18.13-200.fc36.x86_64
CONFIG_SQUASHFS=m
# CONFIG_SQUASHFS_FILE_CACHE is not set
CONFIG_SQUASHFS_FILE_DIRECT=y
# CONFIG_SQUASHFS_DECOMP_SINGLE is not set
# CONFIG_SQUASHFS_DECOMP_MULTI is not set
CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU=y
CONFIG_SQUASHFS_XATTR=y
CONFIG_SQUASHFS_ZLIB=y
CONFIG_SQUASHFS_LZ4=y
CONFIG_SQUASHFS_LZO=y
CONFIG_SQUASHFS_XZ=y
CONFIG_SQUASHFS_ZSTD=y
# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
# CONFIG_SQUASHFS_EMBEDDED is not set
CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3```

```$ find /lib/modules -type f -iname '*squash*.ko*'
/lib/modules/5.18.13-200.fc36.x86_64/kernel/fs/squashfs/squashfs.ko.xz
/lib/modules/5.18.16-200.fc36.x86_64/kernel/fs/squashfs/squashfs.ko.xz
/lib/modules/5.18.17-200.fc36.x86_64/kernel/fs/squashfs/squashfs.ko.xz```

In my case it's built as a module `CONFIG_SQUASHFS=m` otherwise those files would not be there

Sorry, I'm not being clear myself. I'm looking at implementing CIS benchmarks for CentOS, and one of the benchmarks is `"_1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated)"`, and the audit section says to run `modprobe`. I was wondering if osquery had a way to query for such things._

I think this method does apply then; you can test whether CONFIG_SQUASHFS is set to n

<https://osquery.readthedocs.io/en/stable/deployment/yara/>

<https://github.com/godaddy/yara-rules/blob/master/example.yara>

Augeas should be able to do this too, but I am not too familiar with it

ok perfect, thank you, I'll look into it!