I ve got an issue w running a distributed query using the `y osquery #fleet

I’ve got an issue w/ running a distributed query u...

sean.cavanaugh

11/15/2021, 5:06 PM

I’ve got an issue w/ running a distributed query using the

yara

table. If I run a basic yara rule using the

sigrule

column in osqueryi I get the intened results. If I run the same query via Fleet as a distributed query I get no results. The below query identifies the test file as expected in osqueryi, but nothing at all is returned via Fleet.

Copy code

select * from yara where path like "/Users/scavanaugh/Desktop/%" and sigrule = 'rule hello_world {
strings:
$a = "Hello world"
condition: $a
}';

Fleet is version 3.3.0 In osqueryi paths are returned for files that have no match, in Fleet this doesn’t appear to be the case

Andrew Bare

11/15/2021, 5:13 PM

Also, @sean.cavanaugh already confirmed he is not running osqueryi w/ root

zwass

11/15/2021, 5:15 PM

Can you run osqueryd with

--verbose --tls_dump

and verify that Fleet is sending the correct query? What user is osqueryd running as?

sean.cavanaugh

11/15/2021, 5:29 PM

sure thing, need to knock out a few meeting but will report back shortly

zwass

11/15/2021, 5:31 PM

Fleet just sends osquery the data and returns the results -- usually this kind of thing is due to some permissions issue or unexpected change in the osquery configuration. That said, Fleet 3.3.0 is pretty old and there could be some bug. Your research will help us understand which is going on.

sean.cavanaugh

11/15/2021, 8:05 PM

for sure

sean.cavanaugh

11/15/2021, 8:07 PM

we’re on osquery 4.9.0 if that helps, working on the goods for you

👍 1

sean.cavanaugh

11/15/2021, 8:25 PM

things ended up working … for an unknown reason

sean.cavanaugh

11/15/2021, 8:25 PM

I wonder if killing osqueryd did something but that doesn’t seem logical

sean.cavanaugh

11/15/2021, 8:26 PM

Copy code

I1115 15:20:58.064646 186163200 distributed.cpp:121] Executing distributed query: kolide_distributed_query_952: select * from yara where path like "/Users/scavanaugh/Desktop/%" and sigrule = 'rule hello_world {
strings:
$a = "Hello world"
condition: $a
}'
and matches = 'hello_world';

I1115 15:21:00.946065 186163200 tls.cpp:255] TLS/HTTPS POST request to URI: https://<server>/api/v1/osquery/distributed/write
{"queries":{"kolide_distributed_query_952":[{"path":"/Users/scavanaugh/Desktop/hello world.txt","matches":"hello_world","count":"1","sig_group":"","sigfile":"","strings":"","tags":""}]},"statuses":{"kolide_distributed_query_952":0},"messages":{"kolide_distributed_query_952":""},"node_key":"BPxEBIaiP3N0yZmG2ope6XEVPO7z7+ub"}
{}

zwass

11/15/2021, 8:28 PM

Are you running osqueryd directly via CLI now? Was it running via launchd previously? I wonder if there might be some different config?

sean.cavanaugh

11/15/2021, 8:31 PM

ok now I’ve got less good news

😬 1

sean.cavanaugh

11/15/2021, 8:32 PM

it worked when I ran it like so:

Copy code

sudo /usr/local/bin/osqueryd --verbose \
--tls_dump \
--allow_unsafe \
--config_plugin=tls \
--config_refresh=900 \
--config_tls_refresh=900 \
--config_accelerated_refresh=300 \
--config_tls_endpoint=/api/v1/osquery/config \
--disable_distributed=false \
--disable_enrollment=false \
--disable_tables=shell_history \
--distributed_interval=10 \
--distributed_plugin=tls \
--distributed_tls_max_attempts=3 \
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
--enroll_secret_path=/var/osquery/kolide_secret \
--enroll_tls_endpoint=/api/v1/osquery/enroll \
--host_identifier=hostname \
--logger_min_status=1 \
--logger_plugin=tls \
--logger_snapshot_event_type=true \
--logger_tls_endpoint=/api/v1/osquery/log \
--logger_tls_period=10 \
--pack_delimiter=/ \
--tls_hostname=<server> \
--tls_server_certs=<cert> \
--enable_file_events=true

sean.cavanaugh

11/15/2021, 8:32 PM

it stopped working I resumed via

sudo osqueryctl start

(after killing osqueryd)

zwass

11/15/2021, 8:32 PM

Ah, I bet it's related to https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#full-disk-access

sean.cavanaugh

11/15/2021, 8:33 PM

sigh

sean.cavanaugh

11/15/2021, 8:33 PM

really good flag, we had issues w/ that and some other fun

zwass

11/15/2021, 8:33 PM

You could verify with

sudo osqueryi

followed by

.connect

zwass

11/15/2021, 8:33 PM

That should "connect" to the running osqueryd process and let you try the query there -- I suspect you'll get empty.

sean.cavanaugh

11/15/2021, 8:35 PM

neat

sean.cavanaugh

11/15/2021, 8:35 PM

didn’t know about

.connect

zwass

11/15/2021, 8:35 PM

It's pretty new 🙂 Very cool feature though https://twitter.com/fleetctl/status/1387376047516053508

sean.cavanaugh

11/15/2021, 8:37 PM

supported on 4.9.0 with 3.3.0? I seem to be coming up short

sean.cavanaugh

11/15/2021, 8:38 PM

Copy code

-> % sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> .connect
Error: unknown command or invalid arguments:  "connect". Enter ".help" for help

zwass

11/15/2021, 8:39 PM

Can you

select version from osquery_info

in that shell?

zwass

11/15/2021, 8:40 PM

Ah looks like you need

.connect /var/osquery/osquery.em

zwass

11/15/2021, 8:40 PM

"unknown command or invalid arguments" is not a very helpful error message

sean.cavanaugh

11/15/2021, 9:16 PM

sorry was getting some things actioned in our env. we rolled out FDA and yara is working as intended from Fleet. I really appreciate the support @zwass 🍻

🙌 1

zwass

11/15/2021, 9:16 PM

Awesome!!

23 Views

Open in Slack

Previous Next