Andreas Piening
05/30/2022, 1:28 PM
Policies with fleet. However, I’m missing the option to check SSHd config settings, because I want to ensure that I’ve set PasswordAuthentication no on all hosts. I can’t find something related in the Standard query library and I can’t figure the query out by myself. Has someone done something in that regard?

Jason
05/30/2022, 3:08 PM
augeas table and make sure that augeas is installed on your endpoint. Then you can access this easily. Here's a good blog post on it: https://medium.com/swlh/parsing-configuration-files-with-augeas-on-osquery-ec8260a9a50b

Andreas Piening
05/30/2022, 4:04 PM
fleet package on the endpoints, where osquery is included. augeas-lenses on ubuntu linux. I’ll give it a try.

Jason
05/30/2022, 4:17 PM
augeas table

Andreas Piening
05/30/2022, 6:03 PM
/usr/share/augeas/lenses/dist with a lot of *.aug files. But it seems there’s still something missing. At least if I do the following query from fleet on this system, the response is empty:

SELECT label, value FROM augeas WHERE path = '/etc/ssh/sshd_config' AND label = 'PermitRootLogin';

--augeas_lenses=/usr/share/augeas/lenses/dist/ in the config file /opt/orbit/osquery.flags and then restarted orbit with systemctl restart orbit.service. Now the query is working fine. Thank you very much!

Mystery Incorporated
05/31/2022, 4:41 AM

Andreas Piening
05/31/2022, 7:38 AM
augeas lenses is not a huge deal, I do this with an ansible snippet during rollout. However, it turned out that the augeas queries are a bit unreliable, at least in my tests with querying ssh config parameters. If I do a query on all hosts where I’ve set up augeas lenses, some responses are empty, even though the parameter I was asking for is set. Even more strange, if I ask for another sshd parameter I get responses from different endpoints, while the response of one of the endpoints that had a result before might be empty.

Mystery Incorporated
05/31/2022, 8:06 AM

Andreas Piening
05/31/2022, 8:09 AM
Match definitions may span multiple lines. But even if this were ignored and couldn’t be part of a query, it would be very useful and sufficient 99% of the time.

Mystery Incorporated
05/31/2022, 8:17 AM

Andreas Piening
05/31/2022, 8:20 AM