Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
joren
06/18/2020, 6:08 PMDoes
shell_historySELECT sh.time, uid, username, sh.history_file, sh.command FROM users JOIN shell_history sh USING (uid)WHEREWHERE sh.time > NOW() - <QUERY-INTERVAL>r
Ryan
06/18/2020, 6:15 PMgood question, I also would like to know this 🙂
j
joren
06/18/2020, 6:21 PM@zwass - would you be so kind to bequeath some knowledge on me? 🙂
s
seph
06/18/2020, 6:24 PMWhy wouldn’t it support differentials?
j
joren
06/18/2020, 6:26 PMi just recall from days of old that it didnt
and theres a few tables that are like that
t
terracatta
06/18/2020, 6:30 PMIt will enumerate all the contents of shell history and if diff mode is enabled only send an update if there is more shell history
and the diff mode behavior should match the behavior of other tables that produce many rows
j
joren
06/18/2020, 6:35 PMgood to know 🙂 still holds true if
time = 0t
terracatta
06/18/2020, 6:51 PMyeah I don't believe osquery is doing anything extra smart other than reading the history files directly and parsing them, it's not like maintaining a cursor and remembering when you queried last or anything like that.
and if a user or malware deletes the shell history (very common) or modifies it, osquery will just report back what it finds (or nothing if it was deleted)
I would also just be careful in general mass querying this data if you have a lot of terminal usage, you will inadvertently pick up credentials in clear text, not everyone is good at using interactive password prompts or will accidentally paste passwords, keys, etc.
👍 2
Risk / Reward on this table is tenuous at best
j
joren
06/18/2020, 7:08 PMthanks @terracatta 🙂
r
Ryan
06/18/2020, 7:36 PMgood tips, thanks!
z
zwass
06/18/2020, 9:57 PMYep, agreed @terracatta has it all right.
👍 1