#general

Deepak

05/18/2021, 4:46 PM
Hi there, I’m new to osquery tables and hence exploring some of my requirements through the channel. From a security standpoint, is it possible to query for events like failed logins (local or ssh), failed firewall, failed privilege escalation, failed install, etc.?

Zach Zeid

05/18/2021, 5:30 PM
This should be a place that'll help with your questions, https://osquery.io/schema/4.8.0

Prateek Kumar Nischal

05/18/2021, 8:22 PM
You might want to think about how you would detect the same information in plain Linux, looking at some logs or other methods. Once you have the answer, you could search for which table in osquery implements that. For most of your questions, the user_events table might be a good starting point; not sure what you mean by failed firewall.

Deepak

05/19/2021, 4:40 AM
I briefly looked at the exhaustive list of tables for Linux yesterday. I’ll check on the user_events as it was not listed in the link above. I mean the traffic that the host firewall blocked.
6:35 PM
Hi @Prateek Kumar Nischal, today I got the events logging for processes and users and I could find some useful things in the respective tables. The question that I still have is how I can find failed login attempts, for instance. All such failed security events need to be collected for my requirement. Any pointers?
6:36 PM
I could go with audit service but wanted to be doubly sure that osquery cannot give me this.

Prateek Kumar Nischal

05/20/2021, 7:03 PM
I don’t remember if user_events logs the failed login attempts from the sshd daemon. It might be worthwhile to look at what kind of user events osquery logs. It’s also consuming Linux audit logs, so osquery might be seeing the events but not parsing them.

Zach Zeid

05/20/2021, 7:53 PM
There is a way to view syslog with osquery as well; you can also look at the intersection of augeas and osquery to query the auth log itself.