#general
slevchenko

12/02/2021, 5:08 PM
Is there any way to securely store values inside osquery? For example, a list of valid/trusted file SHA sums.
seph

12/03/2021, 4:31 AM
Sorta, but not really.
4:31 AM
You can create temp tables, and I think these will last for a bit. But that's not really well quantified.
4:32 AM
You can drop this information onto local disk somewhere, and then join against it. What formats depend a bit on the platform -- but sqlite is probably universal.
4:32 AM
You can write an extension, which may provide some info like this.
slevchenko

12/03/2021, 10:14 AM
@seph Process-injection incident hunting, or "ignore" lists, becomes a sheer nightmare with dozens of NOT LIKE..., NOT LIKE.... Is there any way to load sqlite files without needing to write one's own extension?
10:15 AM
Can that be introduced as a feature? I know there's a curl table which, as I understood, allows loading data from some remote source.
fritz

12/03/2021, 2:01 PM
@slevchenko you can utilize CTE lookup tables to avoid the NOT LIKE... AND NOT LIKE... AND NOT LIKE
slevchenko

12/03/2021, 2:02 PM
Yup that's what I'm doing now, but queries become huge
fritz

12/03/2021, 2:03 PM
If you want to share a snippet of your query I can give it some 👀 and see if there is an opportunity for reducing some of the verbosity. Happy to do so in thread or in DM.
slevchenko

12/03/2021, 2:03 PM
I hoped to use NOT IN table_name, but that works either with existing tables or extensions.
seph

12/03/2021, 2:04 PM
If you have a SQLite file on disk, you can load it as a table. It's in the config file. Look for docs or blog posts about "ATC tables"
slevchenko

12/03/2021, 2:04 PM
I have no file just yet, but I'll create it for this purpose
fritz

12/03/2021, 2:05 PM
@seph's ATC recommendation is definitely a good approach, the only difficulty is ensuring the file exists on disk and is kept up to date.
slevchenko

12/03/2021, 2:06 PM
I'm creating a daemon which will control its synchronization
seph

12/03/2021, 2:06 PM
Understood -- you asked if it could be added, and it's already there. Mostly pricing background. Only real caveat is that you'd need to manage the contents of it out of band.
slevchenko

12/03/2021, 2:06 PM
Yes, if it's already there, it's just fantastic! Just what I needed
fritz

12/03/2021, 2:06 PM
if you can handle ensuring the sqlite file/db exists on disk and is kept up to date, ATC is definitely the right path
2:10 PM
Aha! Thanks folks, that saves me a hell of a lot of time
fritz

12/03/2021, 2:10 PM
👍
2:10 PM
ATC is amazing, @obelisk is a legend for adding that capability.
slevchenko

12/03/2021, 2:12 PM
So just to share why I need so many conditions. I'm whitelisting shared library objects, to detect those which might be PUA
2:13 PM
and that becomes a pain in the... back, without the ability to group objects into a table
fritz

12/03/2021, 2:15 PM
There are methods for doing this sort of thing all within the query in a way that's reasonably sized.
2:17 PM
if you provide an example of 2 or 3 of your conditions, I can show you the approach I take when doing this within the query vs. referencing an external source/file
slevchenko

12/03/2021, 2:20 PM
sure, moment
2:21 PM
SELECT process_memory_map.*, pid AS mpid
FROM process_memory_map
LEFT JOIN processes USING (pid)
WHERE process_memory_map.path LIKE '/%'
  AND process_memory_map.pseudo != 1
  AND process_memory_map.path NOT LIKE '/lib/%'
  AND process_memory_map.path NOT LIKE '/usr/lib%'
  AND process_memory_map.path NOT LIKE '/snap/%'
  AND process_memory_map.path NOT LIKE '/usr/local/lib/%'
  AND process_memory_map.path NOT LIKE '/home/%%/snap/%'
  AND process_memory_map.path NOT LIKE '/var/lib/snapd/%'
  AND process_memory_map.path NOT LIKE '/opt/bitnami/%%'
  AND process_memory_map.path NOT LIKE '/opt/java/%%'
  AND process_memory_map.path NOT LIKE '/usr/glibc-compat/%%'
  AND process_memory_map.path NOT LIKE '/run/user/1000/%%'
  AND process_memory_map.path NOT LIKE '/memfd:/.glXXXXXX'
  AND process_memory_map.path != processes.path
  AND process_memory_map.permissions LIKE '%x%';
2:22 PM
It actually works, apart from the fact that it's a sheer pain to read 🙂
seph

12/04/2021, 3:52 AM
Yeah... I feel like I've been somewhat annoyed that there's no LIKE IN (...) structure
3:52 AM
Oh, I see you have %% in those LIKEs. That's not going to do what you think -- %% is an osquery construct, not a SQL one. So in a SQL comparison, it's the same as a single % and it will match anything. slack or not
3:53 AM
If you want to get really fancy, you could probably use the osquery regex routines.
slevchenko

12/06/2021, 1:49 PM
Thanks, I'll try that too, right after custom SQL tables.