general question: There isn't really a way for os...
# general
general question: There isn't really a way for osquery to read a file, correct?
Generally no. It’s a loose design goal to avoid that. There are some exceptions: 1. the carver 2. plist files 3. augeas may provide access 4. others??? And, of course, various extensions
ATC tables is another. (This is conf option to make a table from any sqlite file on disk)
I never heard of Augeas, is that built-into osquery? I didn't think the carver read contents of a file, so much as the contents of a directory.
specially looking outside of
files, and was wondering if functionality was there out of box.
You mean though, arbitrarily read a file? Because everything in osquery read files, what changes is what we display and the control you have to decide which files are read
not arbirtarily, but given a file path, yes read it
augeas seems to work for specific files
not sure how carver would, but i am looking into it more.
@Zach Zeid arbitrary file read is explicitly avoided where possible
carver allows downloading a given file
augeus is a 3rd party lib that will parse a file according to a “lens”. You can feed lenses arbitrary files. but they might not parse. There is, at least one. lens that allows arbitrary text file parsing. Whether you have those installed on your machines or not I don’t know
seph outlined the majority of point to a path and read its contents cases
carver is built into osquery but requires fairly specific server support. It’s not a simple live query
yara probably also allows some arbitrary file reads, whether or not you have an installed yara rule is unknown
hmm, how come with
it doesn't read the
This is odd
Copy code
sudo osqueryi "select * from augeas where label = 'key' and path like '%/%/.ssh/authorized_keys';" --json
will print out the authorized_keys in my home directory on my macbook, but on a centos7 ec2 instance, it doesn't.
Looking at the file, it should be getting everything under ~/.ssh/authorized_keys. Is this a limitation of osquery?
I don't use augeas, I can't quickly speak to whether there's a bug or a misusage in your sql.
If you want authorized keys, there's a table for that.
But I don't know what you're looking for -- this started with a very broad exploration (which is cool) but seems to have ended up with a specific question.
facepalm I should've began w/ my use case, instead of asking "can osquery read files." and going from there.
Thanks for un-derping me.
Arbitrary file read is also a common question. But, yeah. :)
I can see how arbitrary file read is a dangerous situation for data exfil too
good to be more cautious than not 😄