https://github.com/osquery/osquery logo
Powered by
Title
a

Andreas Piening

05/30/2022, 1:28 PM
I love the option to check security related settings on multiple hosts, especially applying 
Policies
with 
fleet
. However, I’m missing the option to check 
SSHd
config settings, because I want to ensure that I’ve set 
PasswordAuthentication *no
on all hosts. I can’t find something related in the* 
Standard query library
and I can’t figure the query out by myself. Has someone done something in that regard?
j

Jason

05/30/2022, 3:08 PM
Look at the 
augeas
table and make sure that augeas is installed on your endpoint. Then you can access this easily. Here's a good blog post on it: https://medium.com/swlh/parsing-configuration-files-with-augeas-on-osquery-ec8260a9a50b
a

Andreas Piening

05/30/2022, 4:04 PM
Thank you, this looks promising. I’m still trying to figure out what I have to install on the endpoints. I have installed the 
fleet
package on the endpoints, where 
osquery
is included.
There is a package 
augeas-lenses
on ubuntu linux. I’ll give it a try.
j

Jason

05/30/2022, 4:17 PM
yes, you need to install that for osquery to be able to use the 
augeas
table
a

Andreas Piening

05/30/2022, 6:03 PM
This gives me a directory 
/usr/share/augeas/lenses/dist
with a lot of 
*.aug
files. But it seems there’s still something missing. At least if I do the following query from 
fleet
on this system, the response is empty: 
SELECT label, value FROM augeas WHERE path = '/etc/ssh/sshd_config' AND label = 'PermitRootLogin';
I figured it out: I needed to set the option 
--augeas_lenses=/usr/share/augeas/lenses/dist/
in the config file 
/opt/orbit/osquery.flags
and then restarted 
orbit
with 
systemctl restart orbit.service
. Now the query is working fine. Thank you very much!
m

Mystery Incorporated

05/31/2022, 4:41 AM
There exists no mechanism for osquery to ingest ssh configuration natively? I should think that would be a thing?
a

Andreas Piening

05/31/2022, 7:38 AM
Agree. In terms of compliance and security it is an essential thing from my point of view.
Installing and configuring the 
augeas lenses
is not a huge deal, I do this with a 
ansible
snippet during rollout. However, it turned out that the 
augeas queries
are a bit unreliable, at least in my tests with querying ssh config parameters. If I do a query on all hosts where I’ve set up 
augeas lenses
some responses are empty, even though the parameter I was asking for is set. Even more strange, if I ask for another 
sshd
parameter I get responses from different endpoints while the response of one of the endpoints that had result before might be empty.
I’ve no clue why this is, but I can’t use these queries as a compliance check at the moment because the results have to be deterministic and reliable.
m

Mystery Incorporated

05/31/2022, 8:06 AM
Yea that's not ideal. It's strange as osquery consumes so many points of interest even the windows security center, I should think parsing and providing an ssh_config table and sshd_config table would be trivial and in remit of the project
🙌 1
a

Andreas Piening

05/31/2022, 8:09 AM
This would be great!
Most settings are in fact easy: The first term is the key while everything after the blank space is the value(s). There is at least one exception: 
Match
definitions may span multiple lines. But even if this would be ignored and couldn’t be part of a query it would be very useful and sufficient 99% of the time.
👍 1
m

Mystery Incorporated

05/31/2022, 8:17 AM
Yea I actually found a few devices I enabled pubkey auth but forgot to disable password auth recently that was my motivation to start looking at policies on fleet.
a

Andreas Piening

05/31/2022, 8:20 AM
Yes, same here. Noticed it because of high load because someone was trying to bruteforce sshd with a high rate. I thought about creating a zabbix check for this, but fleet looked like a nice option to get a compliance overview.
6 Views
#generalJoin Slack
Powered by