Hi there,
I’m new to osquery tables and hence expl...
# generald
Deepak
05/18/2021, 4:46 PMHi there,
I’m new to osquery tables and hence exploring some of my requirements through the channel. From security standpoint, is it possible to query for events like failed logins (local or ssh), failed firewall, failed privilege escalation, failed install, etc.?
z
Zach Zeid
05/18/2021, 5:30 PMThis should be a place that'll help with your questions, https://osquery.io/schema/4.8.0
p
Prateek Kumar Nischal
05/18/2021, 8:22 PMYou might want to think as to how would you detect the same information in plain linux looking at some logs or other methods.. once you have the answer, you could search which table in osquery implements that. For most of your questions, user_events table might be a good starting point, not sure what do you mean by failed firewall..
d
Deepak
05/19/2021, 4:40 AMI briefly looked at the exhaustive list of tables for Linux yesterday. I’ll check on the user_events as it was not listed in the link above.
I mean the traffic that the host firewall blocked.
Deepak
05/20/2021, 6:35 PMHi @Prateek Kumar Nischal, today I got the events logging for process and users and I could find some useful things in respective tables. The question that I have still is how I can find failed login attempts for instance. All such failed security events are needed to be collected for my required. Any pointers?
Deepak
05/20/2021, 6:36 PMI could go with audit service but wanted to be doubly sure that osquery cannot give me this.
p
Prateek Kumar Nischal
05/20/2021, 7:03 PMI don’t remember if user_events logs the failed login attempts from the sshd daemon. it might be worthwhile to look at what kind of user events does osquery logs.. it’s also consuming linux audit logs, so osquery might be seeing the events but not parsing it.
z
Zach Zeid
05/20/2021, 7:53 PMThere is a way to view syslog with osquery as well as you can look at the intersection of augeas and osquery to query the auth log itself
6 Views