Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
z
Zach Zeid
08/06/2020, 6:25 PMgeneral question: There isn't really a way for osquery to read a file, correct?
s
seph
08/06/2020, 6:30 PMGenerally no. It’s a loose design goal to avoid that.
There are some exceptions:
1. the carver
2. plist files
3. augeas may provide access
4. others???
And, of course, various extensions
ATC tables is another. (This is conf option to make a table from any sqlite file on disk)
z
Zach Zeid
08/06/2020, 6:31 PMI never heard of Augeas, is that built-into osquery? I didn't think the carver read contents of a file, so much as the contents of a directory.
specially looking outside of
.plists
Stefano Bonicatti
08/06/2020, 6:34 PMYou mean though, arbitrarily read a file?
Because everything in osquery read files, what changes is what we display and the control you have to decide which files are read
z
Zach Zeid
08/06/2020, 6:43 PMnot arbirtarily, but given a file path, yes read it
augeas seems to work for specific files
not sure how carver would, but i am looking into it more.
f
fritz
08/06/2020, 6:44 PM@Zach Zeid arbitrary file read is explicitly avoided where possible
carver allows downloading a given file
s
seph
08/06/2020, 6:45 PMaugeus is a 3rd party lib that will parse a file according to a “lens”. You can feed lenses arbitrary files. but they might not parse. There is, at least one. lens that allows arbitrary text file parsing. Whether you have those installed on your machines or not I don’t know
f
fritz
08/06/2020, 6:45 PMseph outlined the majority of point to a path and read its contents cases
s
seph
08/06/2020, 6:46 PMcarver is built into osquery but requires fairly specific server support. It’s not a simple live query
yara probably also allows some arbitrary file reads, whether or not you have an installed yara rule is unknown
z
Zach Zeid
08/06/2020, 7:04 PMhmm, how come with
augeas/home/This is odd
sudo osqueryi "select * from augeas where label = 'key' and path like '%/%/.ssh/authorized_keys';" --jsonLooking at the Authorized_Keys.ag file, it should be getting everything under ~/.ssh/authorized_keys. Is this a limitation of osquery?
s
seph
08/07/2020, 12:59 PMI don't use augeas, I can't quickly speak to whether there's a bug or a misusage in your sql.
If you want authorized keys, there's a table for that.
But I don't know what you're looking for -- this started with a very broad exploration (which is cool) but seems to have ended up with a specific question.
z
Zach Zeid
08/07/2020, 1:08 PM🤦 I should've began w/ my use case, instead of asking "can osquery read files." and going from there.
Thanks for un-derping me.
s
seph
08/07/2020, 2:00 PMArbitrary file read is also a common question. But, yeah. :)
z
Zach Zeid
08/07/2020, 2:01 PMI can see how arbitrary file read is a dangerous situation for data exfil too
good to be more cautious than not 😄