# fleet

sean.cavanaugh
11/15/2021, 5:06 PM
I’ve got an issue w/ running a distributed query using the `yara` table. If I run a basic yara rule using the `sigrule` column in osqueryi I get the intended results. If I run the same query via Fleet as a distributed query I get no results. The below query identifies the test file as expected in osqueryi, but nothing at all is returned via Fleet.
```sql
select * from yara where path like "/Users/scavanaugh/Desktop/%" and sigrule = 'rule hello_world {
  strings:
    $a = "Hello world"
  condition: $a
}';
```
Fleet is version 3.3.0. In osqueryi, paths are returned for files that have no match; in Fleet this doesn’t appear to be the case.

Andrew Bare
11/15/2021, 5:13 PM
Also, @sean.cavanaugh already confirmed he is not running osqueryi w/ root

zwass
11/15/2021, 5:15 PM
Can you run osqueryd with `--verbose --tls_dump` and verify that Fleet is sending the correct query? What user is osqueryd running as?

sean.cavanaugh
11/15/2021, 5:29 PM
sure thing, need to knock out a few meetings but will report back shortly

zwass
11/15/2021, 5:31 PM
Fleet just sends osquery the data and returns the results -- usually this kind of thing is due to some permissions issue or unexpected change in the osquery configuration. That said, Fleet 3.3.0 is pretty old and there could be some bug. Your research will help us understand which is going on.

sean.cavanaugh
11/15/2021, 8:05 PM
for sure
we’re on osquery 4.9.0 if that helps, working on the goods for you
things ended up working … for an unknown reason
I wonder if killing osqueryd did something but that doesn’t seem logical
```text
I1115 15:20:58.064646 186163200 distributed.cpp:121] Executing distributed query: kolide_distributed_query_952: select * from yara where path like "/Users/scavanaugh/Desktop/%" and sigrule = 'rule hello_world {
strings:
$a = "Hello world"
condition: $a
}'
and matches = 'hello_world';

I1115 15:21:00.946065 186163200 tls.cpp:255] TLS/HTTPS POST request to URI: https://<server>/api/v1/osquery/distributed/write
{"queries":{"kolide_distributed_query_952":[{"path":"/Users/scavanaugh/Desktop/hello world.txt","matches":"hello_world","count":"1","sig_group":"","sigfile":"","strings":"","tags":""}]},"statuses":{"kolide_distributed_query_952":0},"messages":{"kolide_distributed_query_952":""},"node_key":"BPxEBIaiP3N0yZmG2ope6XEVPO7z7+ub"}
{}
```

zwass
11/15/2021, 8:28 PM
Are you running osqueryd directly via CLI now? Was it running via launchd previously? I wonder if there might be some different config?

sean.cavanaugh
11/15/2021, 8:31 PM
ok now I’ve got less good news
it worked when I ran it like so:
```shell
sudo /usr/local/bin/osqueryd --verbose \
--tls_dump \
--allow_unsafe \
--config_plugin=tls \
--config_refresh=900 \
--config_tls_refresh=900 \
--config_accelerated_refresh=300 \
--config_tls_endpoint=/api/v1/osquery/config \
--disable_distributed=false \
--disable_enrollment=false \
--disable_tables=shell_history \
--distributed_interval=10 \
--distributed_plugin=tls \
--distributed_tls_max_attempts=3 \
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
--enroll_secret_path=/var/osquery/kolide_secret \
--enroll_tls_endpoint=/api/v1/osquery/enroll \
--host_identifier=hostname \
--logger_min_status=1 \
--logger_plugin=tls \
--logger_snapshot_event_type=true \
--logger_tls_endpoint=/api/v1/osquery/log \
--logger_tls_period=10 \
--pack_delimiter=/ \
--tls_hostname=<server> \
--tls_server_certs=<cert> \
--enable_file_events=true
```
it stopped working when I resumed via `sudo osqueryctl start` (after killing osqueryd)

sean.cavanaugh
11/15/2021, 8:33 PM
sigh
really good flag, we had issues w/ that and some other fun

zwass
11/15/2021, 8:33 PM
You could verify with `sudo osqueryi` followed by `.connect`. That should "connect" to the running osqueryd process and let you try the query there -- I suspect you'll get empty.

sean.cavanaugh
11/15/2021, 8:35 PM
neat
didn’t know about `.connect`

zwass
11/15/2021, 8:35 PM
It's pretty new 🙂 Very cool feature though https://twitter.com/fleetctl/status/1387376047516053508

sean.cavanaugh
11/15/2021, 8:37 PM
supported on 4.9.0 with 3.3.0? I seem to be coming up short
```text
-> % sudo osqueryi
Password:
Using a virtual database. Need help, type '.help'
osquery> .connect
Error: unknown command or invalid arguments:  "connect". Enter ".help" for help
```

zwass
11/15/2021, 8:39 PM
Can you `select version from osquery_info` in that shell?
Ah, looks like you need `.connect /var/osquery/osquery.em`
"unknown command or invalid arguments" is not a very helpful error message

sean.cavanaugh
11/15/2021, 9:16 PM
sorry was getting some things actioned in our env. we rolled out FDA and yara is working as intended from Fleet. I really appreciate the support @zwass 🍻

zwass
11/15/2021, 9:16 PM
Awesome!!