Channels
#general
Title
# general
j
joren
06/18/2020, 6:08 PMDoes
shell_historySELECT sh.time, uid, username, sh.history_file, sh.command FROM users JOIN shell_history sh USING (uid)WHEREWHERE sh.time > NOW() - <QUERY-INTERVAL>r
Ryan
06/18/2020, 6:15 PMgood question, I also would like to know this 🙂
j
joren
06/18/2020, 6:21 PM@zwass - would you be so kind to bequeath some knowledge on me? 🙂
s
seph
06/18/2020, 6:24 PM
Why wouldn’t it support differentials?
j
joren
06/18/2020, 6:26 PMi just recall from days of old that it didnt
and theres a few tables that are like that
t
terracatta
06/18/2020, 6:30 PM
It will enumerate all the contents of shell history and if diff mode is enabled only send an update if there is more shell history
and the diff mode behavior should match the behavior of other tables that produce many rows
j
joren
06/18/2020, 6:35 PMgood to know 🙂 still holds true if
time = 0t
terracatta
06/18/2020, 6:51 PM
yeah I don't believe osquery is doing anything extra smart other than reading the history files directly and parsing them, it's not like maintaining a cursor and remembering when you queried last or anything like that.
and if a user or malware deletes the shell history (very common) or modifies it, osquery will just report back what it finds (or nothing if it was deleted)
I would also just be careful in general mass querying this data if you have a lot of terminal usage, you will inadvertently pick up credentials in clear text, not everyone is good at using interactive password prompts or will accidentally paste passwords, keys, etc.
👍 2
Risk / Reward on this table is tenuous at best
j
joren
06/18/2020, 7:08 PMthanks @terracatta 🙂
r
Ryan
06/18/2020, 7:36 PMgood tips, thanks!
z
zwass
06/18/2020, 9:57 PM
Yep, agreed @terracatta has it all right.
👍 1
7 Views