#arm-architecture
alessandrogario

09/05/2020, 7:09 AM
I copied the packages generated from the a1.metal instance to my rpi3! Terminal output in the reply
7:09 AM
alessandro@rpi3:~$ sudo dpkg -i arm_packages_pr_6612/osquery_4.4.0-82-gd8170072-1.linux_arm64.deb
Selecting previously unselected package osquery.
(Reading database ... 206065 files and directories currently installed.)
Preparing to unpack .../osquery_4.4.0-82-gd8170072-1.linux_arm64.deb ...
Unpacking osquery (4.4.0-82-gd8170072-1.linux) ...
Setting up osquery (4.4.0-82-gd8170072-1.linux) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ..
alessandro@rpi3:~$ sudo osqueryi 'SELECT hostname, cpu_type FROM system_info;'
+----------+----------+
| hostname | cpu_type |
+----------+----------+
| rpi3     | aarch64  |
+----------+----------+
alessandro@rpi3:~$ sudo osqueryi 'SELECT COUNT(*) FROM processes;'
+----------+
| COUNT(*) |
+----------+
| 193      |
+----------+
alessandro@rpi3:~$ sudo osqueryi --verbose --disable_events=false --disable_audit=false --audit_allow_config=true --audit_allow_process_events
I0905 09:07:30.897889  3348 init.cpp:340] osquery initialized [version=4.4.0-82-gd8170072]
I0905 09:07:30.898211  3348 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0905 09:07:30.898931  3348 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0xaaaaf3d68f68) to thread: 281473261716496 (0xaaaaf3d5e6e0) in process 3348
I0905 09:07:30.899204  3348 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0xaaaaf3d67c28) to thread: 281473253323792 (0xaaaaf3d67e50) in process 3348
I0905 09:07:30.899415  3348 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0905 09:07:30.899415  3350 interface.cpp:270] Extension manager service starting: /root/.osquery/shell.em
I0905 09:07:30.904469  3348 init.cpp:601] Error reading config: config file does not exist: /etc/osquery/osquery.conf
I0905 09:07:30.904908  3348 events.cpp:867] Event publisher not enabled: syslog: Publisher disabled via configuration
I0905 09:07:30.905474  3348 events.cpp:1126] Error registering subscriber: apparmor_events: Subscriber disabled via configuration
I0905 09:07:30.905805  3348 events.cpp:1126] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I0905 09:07:30.905942  3348 events.cpp:1126] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I0905 09:07:30.906055  3348 events.cpp:1126] Error registering subscriber: socket_events: Subscriber disabled via configuration
I0905 09:07:30.983044  3348 dispatcher.cpp:78] Adding new service: AuditdNetlinkReader (0xaaaaf3d65a58) to thread: 281473244787728 (0xaaaaf3d6ae40) in process 3348
I0905 09:07:30.983456  3348 dispatcher.cpp:78] Adding new service: AuditdNetlinkParser (0xaaaaf3d6b018) to thread: 281473127826448 (0xaaaaf3d6b0c0) in process 3348
I0905 09:07:30.983992  3354 events.cpp:786] Starting event publisher run loop: auditeventpublisher
I0905 09:07:30.984421  3351 auditdnetlink.cpp:329] Attempting to configure the audit service
I0905 09:07:30.984639  3356 events.cpp:786] Starting event publisher run loop: inotify
I0905 09:07:30.985014  3351 auditdnetlink.cpp:357] Enabling audit rules for the process_events (execve, execveat) table
I0905 09:07:30.985420  3357 events.cpp:786] Starting event publisher run loop: udev
Using a virtual database. Need help, type '.help'
osquery> SELECT * FROM process_events;
+------+---------------+---------+----------------------+--------------------+------+------+------+------+------+-----------+-----------+------------+------------+------------+-------+--------+------------+--------+-------+------+-------+------+---------+
| pid  | path          | mode    | cmdline              | cwd                | auid | uid  | euid | gid  | egid | owner_uid | owner_gid | atime      | mtime      | ctime      | btime | parent | time       | uptime | fsuid | suid | fsgid | sgid | syscall |
+------+---------------+---------+----------------------+--------------------+------+------+------+------+------+-----------+-----------+------------+------------+------------+-------+--------+------------+--------+-------+------+-------+------+---------+
| 3358 | /usr/bin/date | 0100755 | date                 | "/home/alessandro" | 1000 | 1000 | 1000 | 1000 | 1000 | 0         | 0         | 1599286374 | 1567679920 | 1597234753 | 0     | 1788   | 1599289658 | 877    | 1000  | 1000 | 1000  | 1000 | execve  |
| 3359 | /usr/bin/sudo | 0104755 | sudo nano /etc/hosts | "/home/alessandro" | 1000 | 1000 | 0    | 1000 | 1000 | 0         | 0         | 1599287362 | 1594772278 | 1597234753 | 0     | 1788   | 1599289663 | 882    | 0     | 0    | 1000  | 1000 | execve  |
| 3360 | /usr/bin/nano | 0100755 | nano /etc/hosts      | "/home/alessandro" | 1000 | 0    | 0    | 0    | 0    | 0         | 0         | 1599289634 | 1586527950 | 1597234753 | 0     | 3359   | 1599289663 | 882    | 0     | 0    | 0     | 0    | execve  |
+------+---------------+---------+----------------------+--------------------+------+------+------+------+------+-----------+-----------+------------+------------+------------+-------+--------+------------+--------+-------+------+-------+------+---------+
theopolis

09/05/2020, 1:04 PM
Pretty cool!
Benjamin Herrenschmidt

09/07/2020, 8:13 AM
Great!