#general
Andreas Piening

05/30/2022, 1:28 PM
I love the option to check security related settings on multiple hosts, especially applying Policies with fleet. However, I'm missing the option to check SSHd config settings, because I want to ensure that I've set PasswordAuthentication no on all hosts. I can't find something related in the Standard query library and I can't figure the query out by myself. Has someone done something in that regard?
Jason

05/30/2022, 3:08 PM
Look at the augeas table and make sure that augeas is installed on your endpoint. Then you can access this easily. Here's a good blog post on it: https://medium.com/swlh/parsing-configuration-files-with-augeas-on-osquery-ec8260a9a50b
Andreas Piening

05/30/2022, 4:04 PM
Thank you, this looks promising. I'm still trying to figure out what I have to install on the endpoints. I have installed the fleet package on the endpoints, where osquery is included.

4:06 PM
There is a package augeas-lenses on Ubuntu Linux. I'll give it a try.
Jason

05/30/2022, 4:17 PM
Yes, you need to install that for osquery to be able to use the augeas table.
Andreas Piening

05/30/2022, 6:03 PM
This gives me a directory /usr/share/augeas/lenses/dist with a lot of *.aug files. But it seems there's still something missing. At least if I do the following query from fleet on this system, the response is empty:
SELECT label, value FROM augeas WHERE path = '/etc/ssh/sshd_config' AND label = 'PermitRootLogin';

6:38 PM
I figured it out: I needed to set the option --augeas_lenses=/usr/share/augeas/lenses/dist/ in the config file /opt/orbit/osquery.flags and then restarted orbit with systemctl restart orbit.service. Now the query is working fine. Thank you very much!
Mystery Incorporated

05/31/2022, 4:41 AM
There exists no mechanism for osquery to ingest ssh configuration natively? I should think that would be a thing?
Andreas Piening

05/31/2022, 7:38 AM
Agree. In terms of compliance and security it is an essential thing from my point of view.

7:43 AM
Installing and configuring the augeas lenses is not a huge deal; I do this with an ansible snippet during rollout. However, it turned out that the augeas queries are a bit unreliable, at least in my tests with querying ssh config parameters. If I do a query on all hosts where I've set up augeas lenses, some responses are empty, even though the parameter I was asking for is set. Even more strange, if I ask for another sshd parameter I get responses from different endpoints, while the response of one of the endpoints that had a result before might be empty.

7:44 AM
I've no clue why this is, but I can't use these queries as a compliance check at the moment because the results have to be deterministic and reliable.
Mystery Incorporated

05/31/2022, 8:06 AM
Yeah, that's not ideal. It's strange, as osquery consumes so many points of interest, even the Windows Security Center; I should think parsing and providing an ssh_config table and an sshd_config table would be trivial and in the remit of the project.
Andreas Piening

05/31/2022, 8:09 AM
This would be great!

8:13 AM
Most settings are in fact easy: the first term is the key, while everything after the blank space is the value(s). There is at least one exception: Match definitions may span multiple lines. But even if this were ignored and couldn't be part of a query, it would be very useful and sufficient 99% of the time.
Mystery Incorporated

05/31/2022, 8:17 AM
Yeah, I actually found a few devices recently where I enabled pubkey auth but forgot to disable password auth; that was my motivation to start looking at policies on fleet.
Andreas Piening

05/31/2022, 8:20 AM
Yes, same here. Noticed it because of high load, since someone was trying to brute-force sshd at a high rate. I thought about creating a zabbix check for this, but fleet looked like a nice option to get a compliance overview.