# linux
Good Afternoon Team! Feel free to point me in a different direction if required 🙂 We are using `osqueryd` via the Elastic Agent Integration, and have come across an issue with an LDAP (NoMad) environment when querying the Users table. Only users which are present in `/etc/passwd` are returned when using a `LIKE` or `*` query, UNLESS you specify the specific user (`username` or `UID` field), in which case an LDAP lookup is performed using `getpwuid_r` / `getpwnam_r`. I have attached an image showing this code in `osquery/osquery/tables/system/linux/users.cpp`.

In practice what this means is that we need to know the end user up front when trying to query tables like `vscode_extensions` or `chrome_extensions`, as they cannot query the `/home/<user>` directory, as they cannot get a comprehensive user list of LDAP users.

Prior discussions around this topic:
• https://github.com/osquery/osquery/issues/8337
• https://github.com/osquery/osquery/pull/8342

Lastly, there is a flag in the same cpp file called `include_remote = true/false`, however I cannot find an easy way to switch this on using the osquery conf, or in a query directly as it does not appear to be exposed at runtime... Any assistance or advice is greatly appreciated 🤞 !
Might be oversimplifying, but I imagine we just need to remove the hidden flag from the `specs/users.table` to make this flag set-able within SQL queries

```
<<< OLD
extended_schema(LINUX, [
    Column("include_remote", INTEGER, "1 to include remote (LDAP/AD) accounts (default 0). Warning: without any uid/username filtering it may list whole LDAP directories", additional=True, hidden=True),
])

>>> NEW
extended_schema(LINUX, [
    Column("include_remote", INTEGER, "1 to include remote (LDAP/AD) accounts (default 0). Warning: without any uid/username filtering it may list whole LDAP directories", additional=True),  # <-- Removed hidden flag
])
```

Looks like the logic to handle this already exists within `users.cpp`