Does `shell_history` support differentials? E.g. i...
# generalj
joren
06/18/2020, 6:08 PMDoes
shell_historySELECT sh.time, uid, username, sh.history_file, sh.command FROM users JOIN shell_history sh USING (uid)WHEREWHERE sh.time > NOW() - <QUERY-INTERVAL>r
Ryan
06/18/2020, 6:15 PMgood question, I also would like to know this 🙂
j
joren
06/18/2020, 6:21 PM@zwass - would you be so kind to bequeath some knowledge on me? 🙂
s
seph
06/18/2020, 6:24 PM
Why wouldn’t it support differentials?
j
joren
06/18/2020, 6:26 PMi just recall from days of old that it didnt
joren
06/18/2020, 6:26 PMand theres a few tables that are like that
t
terracatta
06/18/2020, 6:30 PM
It will enumerate all the contents of shell history and if diff mode is enabled only send an update if there is more shell history
terracatta
06/18/2020, 6:31 PM
and the diff mode behavior should match the behavior of other tables that produce many rows
j
joren
06/18/2020, 6:35 PMgood to know 🙂 still holds true if
time = 0t
terracatta
06/18/2020, 6:51 PM
yeah I don't believe osquery is doing anything extra smart other than reading the history files directly and parsing them, it's not like maintaining a cursor and remembering when you queried last or anything like that.
terracatta
06/18/2020, 6:52 PM
and if a user or malware deletes the shell history (very common) or modifies it, osquery will just report back what it finds (or nothing if it was deleted)
terracatta
06/18/2020, 6:53 PM
I would also just be careful in general mass querying this data if you have a lot of terminal usage, you will inadvertently pick up credentials in clear text, not everyone is good at using interactive password prompts or will accidentally paste passwords, keys, etc.
👍 2
terracatta
06/18/2020, 6:53 PM
Risk / Reward on this table is tenuous at best
j
joren
06/18/2020, 7:08 PMthanks @terracatta 🙂
r
Ryan
06/18/2020, 7:36 PMgood tips, thanks!
z
zwass
06/18/2020, 9:57 PM
Yep, agreed @terracatta has it all right.
👍 1
11 Views