# general
I love the option to check security-related settings on multiple hosts, especially applying
. However, I’m missing the option to check
config settings, because I want to ensure that I’ve set
`PasswordAuthentication no`
on all hosts. I can’t find something related in the
Standard query library
and I can’t figure the query out by myself. Has someone done something in that regard?
Look at the
table and make sure that augeas is installed on your endpoint. Then you can access this easily. Here's a good blog post on it: https://medium.com/swlh/parsing-configuration-files-with-augeas-on-osquery-ec8260a9a50b
Thank you, this looks promising. I’m still trying to figure out what I have to install on the endpoints. I have installed the
package on the endpoints, where
is included.
There is a package
on Ubuntu Linux. I’ll give it a try.
yes, you need to install that for osquery to be able to use the
This gives me a directory
with a lot of
files. But it seems there’s still something missing. At least if I do the following query from
on this system, the response is empty:
```sql
SELECT label, value FROM augeas WHERE path = '/etc/ssh/sshd_config' AND label = 'PermitRootLogin';
```
I figured it out: I needed to set the option
in the config file
and then restarted
`systemctl restart orbit.service`. Now the query is working fine. Thank you very much!
There exists no mechanism for osquery to ingest ssh configuration natively? I should think that would be a thing?
Agree. In terms of compliance and security it is an essential thing from my point of view.
Installing and configuring the augeas lenses is not a huge deal; I do this with a
snippet during rollout. However, it turned out that the augeas queries are a bit unreliable, at least in my tests with querying ssh config parameters. If I do a query on all hosts where I’ve set up augeas lenses, some responses are empty, even though the parameter I was asking for is set. Even more strangely, if I ask for another parameter I get responses from different endpoints, while the response of one of the endpoints that had a result before might be empty.
I’ve no clue why this is, but I can’t use these queries as a compliance check at the moment, because the results have to be deterministic and reliable.
Yea, that's not ideal. It's strange, as osquery consumes so many points of interest, even the Windows Security Center; I should think parsing and providing an ssh_config table and an sshd_config table would be trivial and within the remit of the project.
This would be great!
Most settings are in fact easy: the first term is the key, while everything after the blank space is the value(s). There is at least one exception:
definitions may span multiple lines. But even if this were ignored and couldn’t be part of a query, it would be very useful and sufficient 99% of the time.
Yea, I actually found a few devices where I had enabled pubkey auth but forgot to disable password auth recently; that was my motivation to start looking at policies in Fleet.
Yes, same here. I noticed it because of high load, because someone was trying to brute-force sshd at a high rate. I thought about creating a Zabbix check for this, but Fleet looked like a nice option to get a compliance overview.
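The parsing rule stated in the thread (first token is the keyword, the rest of the line is the value, with the exception that a `Match` line opens a block of conditional directives that runs until the next `Match`) is simple enough to implement directly, which also shows why "the keyword appears with value no somewhere in the file" is not the same as "password authentication is off". The following is an added example written for this thread; it is not code from osquery, Fleet or the augeas lens. It models three sshd behaviours that a compliance check has to respect: keywords are case-insensitive, for each keyword the first value obtained wins (later duplicates are ignored), and an absent `PasswordAuthentication` means sshd's default of `yes`. `Include` lines are only recorded, not expanded. All sample configs are constructed.

```python
"""sshd_config parser and PasswordAuthentication compliance check (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SshdConfig:
    globals: Dict[str, str] = field(default_factory=dict)               # keyword -> first value seen
    matches: List[Tuple[str, Dict[str, str]]] = field(default_factory=list)  # (Match criteria, directives)
    includes: List[str] = field(default_factory=list)                   # Include globs seen, not expanded


def parse_sshd_config(text: str) -> SshdConfig:
    cfg = SshdConfig()
    current = cfg.globals
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" is the usual form; sshd also accepts "Keyword=value".
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        key = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # Everything up to the next Match applies only when the criteria hold.
            block: Dict[str, str] = {}
            cfg.matches.append((value, block))
            current = block
        elif key == "include":
            # Ubuntu's stock sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf",
            # so drop-in files are read first and win. A real check must parse them in
            # place, in that order; this offline example only records the glob.
            cfg.includes.append(value)
        else:
            current.setdefault(key, value)  # first obtained value wins; later duplicates are ignored
    return cfg


def effective(cfg: SshdConfig, keyword: str, default: str) -> str:
    """Global value of a keyword, or sshd's own default when it is never set."""
    return cfg.globals.get(keyword.lower(), default)


def password_auth_disabled(cfg: SshdConfig) -> bool:
    """Compliance rule: PasswordAuthentication must be 'no' for everyone.

    Absence is not compliance: sshd defaults the keyword to 'yes'. A Match block
    can re-enable it for a subset of users, so every block is checked as well
    (a block that does not mention the keyword inherits the global 'no').
    """
    if effective(cfg, "PasswordAuthentication", "yes").lower() != "no":
        return False
    return all(block.get("passwordauthentication", "no").lower() == "no"
               for _, block in cfg.matches)


# Constructed sample configs.
HARDENED = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
"""

# "no" appended to a file that already said "yes": sshd keeps the first value.
APPENDED_TOO_LATE = """\
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Global setting is fine, but a Match block quietly re-enables passwords.
MATCH_REENABLES = """\
PasswordAuthentication no
Match Group legacy
    PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

# Keyword never set at all: sshd's default ("yes") applies.
UNSET = """\
Port 22
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED), ("appended_too_late", APPENDED_TOO_LATE),
                       ("match_reenables", MATCH_REENABLES), ("unset", UNSET)]:
        ok = password_auth_disabled(parse_sshd_config(text))
        print(f"{name:18} PasswordAuthentication disabled: {ok}")
```

Only the first sample passes. The second and fourth are the cases a grep-style or "label = 'PasswordAuthentication' AND value = 'no'" query gets wrong in opposite directions: a row with `no` exists in `APPENDED_TOO_LATE` but sshd ignores it, and no row at all exists in `UNSET` although passwords are accepted. A Fleet policy built on the augeas table therefore has to be phrased as "a `PasswordAuthentication no` row exists" rather than "no `yes` row exists", and it still cannot see the first-wins and `Include` ordering rules without extra logic.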