Channels
#general
Title
# general
z
Zander Mackie
09/10/2021, 4:50 PMJust noticed that the
osquery_packs Copy code
[STD-DEV]16:48:00 root@si-i-02caa65087583c219 /home/zmackie # cat /usr/share/osquery/packs/testing.conf
{
"testing": {
"shard": 10, <<<--
"queries": {
"osquery_info": {
"query": "SELECT * FROM osquery_info;",
"interval": 86400,
"description": "Information about the running osquery configuration",
"snapshot": true
},
// This is a simple example query that outputs basic system information.
"system_info": {
// The exact query to run.
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
// The interval in seconds to run this query, not an exact interval.
"interval": 3600
},
"crontab": {
"query" : "select * from crontab;",
"interval" : "3600",
"platform": "posix",
"version" : "1.4.5",
"description" : "Retrieves all the jobs scheduled in crontab in the target system.",
"value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
}
}
}
}
[STD-DEV]16:48:23 root@si-i-02caa65087583c219 /home/zmackie # echo "select * from osquery_packs;" | osqueryi
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| name | platform | version | shard | discovery_cache_hits | discovery_executions | active |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| main | | | 0 | 1 | 1 | 1 |
| base | posix | | 0 | 1 | 1 | 1 |
| testing | | | 0 <<< | 1 | 1 | 1 |
| osquery-monitoring | | | 0 | 1 | 1 | 1 |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+s
seph
09/10/2021, 4:53 PM
docs have it in quotes. Did you try that?
z
Zander Mackie
09/10/2021, 4:56 PMIts not in quotes in other places, but I’ll give that a shot.
That pack is also not active, now that I look at the results log.
Quotes don’t seem to help.
s
sharvil
09/10/2021, 5:26 PMCan you pass in the
--verbosez
Zander Mackie
09/10/2021, 5:39 PM Copy code
^[[A[STD-DEV]17:38:24 root@si-i-02caa65087583c219 /home/zmackie # echo "select * from osquery_packs;" | osqueryi --verbose
I0910 17:38:27.343184 14644 init.cpp:357] osquery initialized [version=4.9.0]
I0910 17:38:27.343250 14644 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0910 17:38:27.343308 14644 init.cpp:568] An error occurred during extension manager startup: Extensions disabled
I0910 17:38:27.343335 14644 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0910 17:38:27.343868 14644 packs.cpp:177] No queries defined for pack testing
I0910 17:38:27.345997 14644 virtual_table.cpp:1081] Table curl is disabled, not attaching
I0910 17:38:27.358563 14644 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node
I0910 17:38:27.358790 14644 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0910 17:38:27.358808 14644 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0910 17:38:27.358827 14644 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0910 17:38:27.358891 14644 events.cpp:36] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0910 17:38:27.358942 14644 events.cpp:36] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0910 17:38:27.358955 14644 events.cpp:36] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0910 17:38:27.358966 14644 events.cpp:36] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0910 17:38:27.358978 14644 events.cpp:36] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0910 17:38:27.359735 14644 file_events.cpp:87] Added file event listener to: /etc/logrotate.d/**
I0910 17:38:27.359752 14644 file_events.cpp:87] Added file event listener to: /etc/systemd/**
I0910 17:38:27.359760 14644 file_events.cpp:87] Added file event listener to: /etc/rc*/**
I0910 17:38:27.359768 14644 file_events.cpp:87] Added file event listener to: /etc/passwd
I0910 17:38:27.359776 14644 file_events.cpp:87] Added file event listener to: /etc/ssh/sshd_config
I0910 17:38:27.359784 14644 file_events.cpp:87] Added file event listener to: /etc/ssh/ssh_config
I0910 17:38:27.359795 14644 file_events.cpp:87] Added file event listener to: /etc/pam*
I0910 17:38:27.359805 14644 file_events.cpp:87] Added file event listener to: /etc/pam.d/**
I0910 17:38:27.369658 14722 eventfactory.cpp:390] Starting event publisher run loop: inotify
I0910 17:38:27.369678 14723 eventfactory.cpp:390] Starting event publisher run loop: udev
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| name | platform | version | shard | discovery_cache_hits | discovery_executions | active |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| main | | | 0 | 1 | 1 | 1 |
| base | posix | | 0 | 1 | 1 | 1 |
| testing | | | 0 | 1 | 1 | 1 |
| osquery-monitoring | | | 0 | 1 | 1 | 1 |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
I0910 17:38:27.369870 14644 dispatcher.cpp:149] Thread: 140224691451584 requesting a stop
I0910 17:38:27.369884 14644 dispatcher.cpp:122] Thread: 140224691451584 requesting a join
I0910 17:38:27.369895 14644 dispatcher.cpp:144] Services and threads have been clearedVersion is
4.9.0s
sharvil
09/10/2021, 5:43 PMhrm
No queries defined for pack testingz
Zander Mackie
09/10/2021, 5:46 PMoh…
huh..wonder if its malformed somehow.
s
sharvil
09/10/2021, 5:48 PMi think so too
shouldn't
system_infocrontabqueries4 Views