I’m new to osquery tables and hence exploring some of my requirements through the channel. From a security standpoint, is it possible to query for events like failed logins (local or ssh), failed firewall, failed privilege escalation, failed install, etc.?
You might want to think about how you would detect the same information in plain Linux, looking at some logs or other methods. Once you have the answer, you could search for which table in osquery implements that. For most of your questions, the user_events table might be a good starting point; not sure what you mean by failed firewall.
05/19/2021, 4:40 AM
I briefly looked at the exhaustive list of tables for Linux yesterday. I’ll check on user_events, as it was not listed in the link above. I mean the traffic that the host firewall blocked.
Hi @Prateek Kumar Nischal, today I got the event logging for processes and users, and I could find some useful things in the respective tables. The question I still have is how I can find failed login attempts, for instance. All such failed security events need to be collected for my requirement. Any pointers?
I could go with the audit service but wanted to be doubly sure that osquery cannot give me this.
Prateek Kumar Nischal
05/20/2021, 7:03 PM
I don’t remember if user_events logs the failed login attempts from the sshd daemon. It might be worthwhile to look at what kind of user events osquery logs. It’s also consuming Linux audit logs, so osquery might be seeing the events but not parsing them.
05/20/2021, 7:53 PM
There is a way to view syslog with osquery; you can also look at the intersection of augeas and osquery to query the auth log itself.