# general

Zach Zeid

12/15/2020, 11:20 AM
with `4.6.0` cut, when will it be available via package manager? The site still shows `4.5.1` as being the latest.

alessandrogario

12/15/2020, 11:22 AM
We usually upload packages here after a tag is made; we then wait ~a week and if everything is good it becomes a stable release

Zach Zeid

12/15/2020, 11:24 AM
ok, so if we wanted to remediate the security vuln via package manager we'll wait until it's marked stable?

seph

12/15/2020, 11:55 AM
Yes. Or build your own. Or filter it at a central point.

Zach Zeid

12/15/2020, 12:00 PM
I was confused by that, “filter it at a central point”, is “it” the new version?

theopolis

12/15/2020, 2:00 PM
I believe seph means filter within the tool you use to run distributed queries.
Do you allow a broad set of folks to run queries, using some UI or tool like Fleet?

Zach Zeid

12/15/2020, 2:06 PM
Ah no, that's not something we have enabled here. It seems to me that the exposure here is through `distributed` endpoints, so if someone had access to a box w/ osquery on it, the most they could do is write to files on that box?

seph

12/15/2020, 2:18 PM
theopolis did intuit what I meant 🙂

Zach Zeid

12/15/2020, 2:18 PM
Thank you 😄

seph

12/15/2020, 2:19 PM
The exposure is that someone who has administrative access (either via the schedule or the distributed interface) can write arbitrary sqlite files. If you don’t have any kind of central osquery control I don’t see how you have any risk exposure
Also note that it’s writing arbitrary sqlite files. Not arbitrary files. Which is slightly less bad

Zach Zeid

12/15/2020, 2:21 PM
...someone who has administrative access...
that reads to me someone who's on a box running `sudo osqueryi` and writing arbitrary sqlite files to disk. Which could also be done via any fleet manager that has `distributed` enabled?

seph

12/15/2020, 2:21 PM
yes to both of those.

Zach Zeid

12/15/2020, 2:22 PM
Got it, just making sure I understand the risk here 😄 Thanks!