general question: There isn't really a way for os...
# generalz
Zach Zeid
08/06/2020, 6:25 PMgeneral question: There isn't really a way for osquery to read a file, correct?
s
seph
08/06/2020, 6:30 PM
Generally no. It’s a loose design goal to avoid that.
There are some exceptions:
1. the carver
2. plist files
3. augeas may provide access
4. others???
And, of course, various extensions
seph
08/06/2020, 6:30 PM
ATC tables is another. (This is conf option to make a table from any sqlite file on disk)
z
Zach Zeid
08/06/2020, 6:31 PMI never heard of Augeas, is that built-into osquery? I didn't think the carver read contents of a file, so much as the contents of a directory.
Zach Zeid
08/06/2020, 6:32 PMspecially looking outside of
.plists
Stefano Bonicatti
08/06/2020, 6:34 PMYou mean though, arbitrarily read a file?
Because everything in osquery read files, what changes is what we display and the control you have to decide which files are read
z
Zach Zeid
08/06/2020, 6:43 PMnot arbirtarily, but given a file path, yes read it
Zach Zeid
08/06/2020, 6:43 PMaugeas seems to work for specific files
Zach Zeid
08/06/2020, 6:44 PMnot sure how carver would, but i am looking into it more.
f
fritz
08/06/2020, 6:44 PM@Zach Zeid arbitrary file read is explicitly avoided where possible
fritz
08/06/2020, 6:44 PMcarver allows downloading a given file
s
seph
08/06/2020, 6:45 PM
augeus is a 3rd party lib that will parse a file according to a “lens”. You can feed lenses arbitrary files. but they might not parse. There is, at least one. lens that allows arbitrary text file parsing. Whether you have those installed on your machines or not I don’t know
f
fritz
08/06/2020, 6:45 PMseph outlined the majority of point to a path and read its contents cases
s
seph
08/06/2020, 6:46 PM
carver is built into osquery but requires fairly specific server support. It’s not a simple live query
seph
08/06/2020, 6:46 PM
yara probably also allows some arbitrary file reads, whether or not you have an installed yara rule is unknown
z
Zach Zeid
08/06/2020, 7:04 PMhmm, how come with
augeas/home/Zach Zeid
08/07/2020, 12:14 AMThis is odd
Copy code
sudo osqueryi "select * from augeas where label = 'key' and path like '%/%/.ssh/authorized_keys';" --jsonZach Zeid
08/07/2020, 12:53 PMLooking at the Authorized_Keys.ag file, it should be getting everything under ~/.ssh/authorized_keys. Is this a limitation of osquery?
s
seph
08/07/2020, 12:59 PM
I don't use augeas, I can't quickly speak to whether there's a bug or a misusage in your sql.
seph
08/07/2020, 12:59 PM
If you want authorized keys, there's a table for that.
seph
08/07/2020, 1:00 PM
But I don't know what you're looking for -- this started with a very broad exploration (which is cool) but seems to have ended up with a specific question.
z
Zach Zeid
08/07/2020, 1:08 PMfacepalm I should've began w/ my use case, instead of asking "can osquery read files." and going from there.
Zach Zeid
08/07/2020, 1:09 PMThanks for un-derping me.
s
seph
08/07/2020, 2:00 PM
Arbitrary file read is also a common question. But, yeah. :)
z
Zach Zeid
08/07/2020, 2:01 PMI can see how arbitrary file read is a dangerous situation for data exfil too
Zach Zeid
08/07/2020, 2:01 PMgood to be more cautious than not 😄
4 Views