I copied the packages generated from the a1 metal instance t osquery #arm-architecture

Title
alessandrogario
09/05/2020, 7:09 AM
I copied the packages generated from the a1.metal instance to my rpi3! Terminal output in the reply
alessandro@rpi3:~$ sudo dpkg -i arm_packages_pr_6612/osquery_4.4.0-82-gd8170072-1.linux_arm64.deb
Selecting previously unselected package osquery.
(Reading database ... 206065 files and directories currently installed.)
Preparing to unpack .../osquery_4.4.0-82-gd8170072-1.linux_arm64.deb ...
Unpacking osquery (4.4.0-82-gd8170072-1.linux) ...
Setting up osquery (4.4.0-82-gd8170072-1.linux) ...
1145
Processing triggers for systemd (245.4-4ubuntu3.2) ..
alessandro@rpi3:~$ sudo osqueryi 'SELECT hostname, cpu_type FROM system_info;'
+----------+----------+
| hostname | cpu_type |
+----------+----------+
| rpi3     | aarch64  |
+----------+----------+
alessandro@rpi3:~$ sudo osqueryi 'SELECT COUNT(*) FROM processes;'
+----------+
| COUNT(*) |
+----------+
| 193      |
+----------+
alessandro@rpi3:~$ sudo osqueryi --verbose --disable_events=false --disable_audit=false --audit_allow_config=true --audit_allow_process_events
I0905 09:07:30.897889  3348 init.cpp:340] osquery initialized [version=4.4.0-82-gd8170072]
I0905 09:07:30.898211  3348 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0905 09:07:30.898931  3348 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0xaaaaf3d68f68) to thread: 281473261716496 (0xaaaaf3d5e6e0) in process 3348
I0905 09:07:30.899204  3348 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0xaaaaf3d67c28) to thread: 281473253323792 (0xaaaaf3d67e50) in process 3348
I0905 09:07:30.899415  3348 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0905 09:07:30.899415  3350 interface.cpp:270] Extension manager service starting: /root/.osquery/shell.em
I0905 09:07:30.904469  3348 init.cpp:601] Error reading config: config file does not exist: /etc/osquery/osquery.conf
I0905 09:07:30.904908  3348 events.cpp:867] Event publisher not enabled: syslog: Publisher disabled via configuration
I0905 09:07:30.905474  3348 events.cpp:1126] Error registering subscriber: apparmor_events: Subscriber disabled via configuration
I0905 09:07:30.905805  3348 events.cpp:1126] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I0905 09:07:30.905942  3348 events.cpp:1126] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I0905 09:07:30.906055  3348 events.cpp:1126] Error registering subscriber: socket_events: Subscriber disabled via configuration
I0905 09:07:30.983044  3348 dispatcher.cpp:78] Adding new service: AuditdNetlinkReader (0xaaaaf3d65a58) to thread: 281473244787728 (0xaaaaf3d6ae40) in process 3348
I0905 09:07:30.983456  3348 dispatcher.cpp:78] Adding new service: AuditdNetlinkParser (0xaaaaf3d6b018) to thread: 281473127826448 (0xaaaaf3d6b0c0) in process 3348
I0905 09:07:30.983992  3354 events.cpp:786] Starting event publisher run loop: auditeventpublisher
I0905 09:07:30.984421  3351 auditdnetlink.cpp:329] Attempting to configure the audit service
I0905 09:07:30.984639  3356 events.cpp:786] Starting event publisher run loop: inotify
I0905 09:07:30.985014  3351 auditdnetlink.cpp:357] Enabling audit rules for the process_events (execve, execveat) table
I0905 09:07:30.985420  3357 events.cpp:786] Starting event publisher run loop: udev
Using a virtual database. Need help, type '.help'
osquery> SELECT * FROM process_events;
+------+---------------+---------+----------------------+--------------------+------+------+------+------+------+-----------+-----------+------------+------------+------------+-------+--------+------------+--------+-------+------+-------+------+---------+
| pid  | path          | mode    | cmdline              | cwd                | auid | uid  | euid | gid  | egid | owner_uid | owner_gid | atime      | mtime      | ctime      | btime | parent | time       | uptime | fsuid | suid | fsgid | sgid | syscall |
+------+---------------+---------+----------------------+--------------------+------+------+------+------+------+-----------+-----------+------------+------------+------------+-------+--------+------------+--------+-------+------+-------+------+---------+
| 3358 | /usr/bin/date | 0100755 | date                 | "/home/alessandro" | 1000 | 1000 | 1000 | 1000 | 1000 | 0         | 0         | 1599286374 | 1567679920 | 1597234753 | 0     | 1788   | 1599289658 | 877    | 1000  | 1000 | 1000  | 1000 | execve  |
| 3359 | /usr/bin/sudo | 0104755 | sudo nano /etc/hosts | "/home/alessandro" | 1000 | 1000 | 0    | 1000 | 1000 | 0         | 0         | 1599287362 | 1594772278 | 1597234753 | 0     | 1788   | 1599289663 | 882    | 0     | 0    | 1000  | 1000 | execve  |
| 3360 | /usr/bin/nano | 0100755 | nano /etc/hosts      | "/home/alessandro" | 1000 | 0    | 0    | 0    | 0    | 0         | 0         | 1599289634 | 1586527950 | 1597234753 | 0     | 3359   | 1599289663 | 882    | 0     | 0    | 0     | 0    | execve  |
+------+---------------+---------+----------------------+--------------------+------+------+------+------+------+-----------+-----------+------------+------------+------------+-------+--------+------------+--------+-------+------+-------+------+---------+
theopolis
09/05/2020, 1:04 PM
Pretty cool!
Benjamin Herrenschmidt
09/07/2020, 8:13 AM
Great !
9 Views
#arm-architecture Join Slack